First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
85/100
Findings (3)
Detects downloading a binary file followed by making it executable
wget -O - https://apt.kitware.com/keys/kitware-archive + ./rPin the download to a specific version tag or commit hash. Verify the downloaded file's checksum before using it. Avoid piping curl output directly to a shell.
Likely FP if downloading from an official, well-known domain (e.g., deno.land, rustup.rs) with HTTPS, though this pattern remains risky even with trusted sources.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
get -O - https:// + settingAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects system-level package installation via brew, apt, yum, or dnf
apt-get install -y cPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.