roku

clawhub:roku

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Localhost bypass SSRF_006

ssrf-cloud L89

Detects alternative representations of localhost used to bypass SSRF filters

curl http://127.0.0.1:

FIX

Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.

FP?

Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.

LOW

Global package installation EXTDL_004

external-download L16

Detects global installation of packages which affects the host system

npm install -g r

FIX

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

FP?

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.