quickintel-scan

clawhub:quickintel-scan

View source

69/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

69/100

HIGH 1

MEDIUM 2

LOW 3

Findings (6)

HIGH

Read sensitive files and transmit externally EXFIL_013

exfiltration L28

Detects skills that both read sensitive credential files and send data to external services

Access your private key + POST to endpoint

FIX

Block access to git credentials, SSH keys, and repository tokens. If git operations are needed, use scoped deploy keys and restrict the tool to specific repositories.

FP?

Likely FP if the match is documentation about git configuration (e.g., setting up git credentials helper) rather than code that reads and transmits them.

MEDIUM

Benign heading "'@openai/agents:*'\n;\n// Verbose logging\n..." followed by dangerous content (category: credential_access) NLP_HEADING_MISMATCH

prompt-injection L1

Benign heading "'@openai/agents:*'\n;\n// Verbose logging\n..." followed by dangerous content (category: credential_access)

NEVER paste private keys, seed phrases, or wallet credentials into any prompt or API call. Quick Intel only needs the token's contract address and chain — it does not need YOUR wallet address.

FIX

Ensure section headings accurately reflect the content that follows. Remove headings that could mislead an LLM into treating content differently than intended.

FP?

Likely FP if the heading mismatch is due to inconsistent markdown formatting or a benign section title that happens to contain keywords like system or config.

MEDIUM

External API response drives agent behavior INDIRECT_009

indirect-injection L12

Detects skills where external API responses control agent decisions or actions

call the endpoint  + based on scan result

FIX

Do not include content from MCP tool responses verbatim in system prompts or tool descriptions. Sanitize all dynamic content before incorporating it into prompt context.

FP?

Likely FP if the match is a static tool description that mentions dynamic content handling in its documentation, not an actual injection vector.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L361

Detects URLs fetched at runtime that control or influence agent behavior without pinning

GET https:// + prompt

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L741

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://x402.quickintel.io/v1/scan/full"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L998

Detects references to raw.githubusercontent.com on mutable branches like main/master

github.com/coinbase/x402/blob/main/specs/schemes/exact/scheme_exact_evm.md

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.