First Seen
Feb 20, 2026
Last Scanned
Feb 22, 2026
Findings
7
Score
46/100
Findings (7)
Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.
[reads_private_data] load a SAFE message, add credentials + [writes_public_output] Share message.safe via any channel (emailBreak the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.
Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.
Detects downloading a binary file followed by making it executable
curl -sL https://thesafe.dev/download + chmod +xPin the download to a specific version tag or commit hash. Verify the downloaded file's checksum before using it. Avoid piping curl output directly to a shell.
Likely FP if downloading from an official, well-known domain (e.g., deno.land, rustup.rs) with HTTPS, though this pattern remains risky even with trusted sources.
Detects patterns where credential or secret reads are combined with external data transmission
load a SAFE message, add credential + Send button (outputPrevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.
Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).
Detects skills fetching external URLs to use as runtime instructions
curl -sL https://gist.github + GuidelinesPin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.
Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.
Detects reading files piped directly to network commands
cat > AGENTS.md << 'EOF'
# Agent Keys
This project supports encrypted agent-to-agent communication using [SAFE](https://github.com/grittygrease/safe).
## Available Agents
### Primary Agent
EOF
# A...Restrict file uploads to user-initiated actions with explicit confirmation. Block programmatic upload of sensitive files (keys, configs, credentials) to external services.
Likely FP if the skill is a file-sharing tool where uploading is the documented core feature and destinations are user-configured.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Download the prebuilt binary from [thesafe.dev/download](https:// + settingsAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects outbound connections to non-standard ports
nc termbin.com 9999Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.
Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).