signet

clawhub:signet

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 6

Findings (6)

LOW

Unverified npx package execution EXTDL_008

external-download L16

Detects npx executing packages from unverified sources without pinned versions

npx @signet-base/cli

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L19

Detects npx executing packages from unverified sources without pinned versions

npx @signet-base/cli

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L22

Detects npx executing packages from unverified sources without pinned versions

npx @signet-base/cli

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L25

Detects npx executing packages from unverified sources without pinned versions

npx @signet-base/cli

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L73

Detects MCP server configurations connecting to non-localhost remote URLs

"url":"https://example.com"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L79

Detects MCP server configurations connecting to non-localhost remote URLs

"url":"https://example.com"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).