schemapin

clawhub:schemapin

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L5

Detects references to raw.githubusercontent.com on mutable branches like main/master

github.com/ThirdKeyAI/SchemaPin/blob/main/README.md),

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.

LOW

pip install arbitrary package EXTDL_009

external-download L20

Detects pip install of arbitrary packages that modify the host environment

pip install sc

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

go install from remote EXTDL_010

external-download L302

Detects go install fetching and compiling arbitrary Go packages

go install github.com/ThirdKeyAi/schemapin/go/cmd/...@

FIX

Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.

FP?

Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.