First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
4
Score
70/100
Findings (4)
Skill can read private data (credentials, SSH keys, env vars) AND write to public channels (Slack, Discord, email). This combination enables data exfiltration.
[reads_private_data] read `~/.config/`, `~/.ssh + [writes_public_output] send messages to one provider (e.g., DiscordBreak the toxic data flow by adding validation and sanitization between the input source and the sensitive operation. Do not pass untrusted data directly to file system, network, or execution APIs.
Likely FP if the data flow involves only trusted, hardcoded values and the taint analysis over-approximated the untrusted input sources.
Detects conditional execution based on CI environment variables combined with dangerous commands
if `$GITHUB_TOKEN + subprocessPin all dependencies to exact versions with integrity hashes. Use lock files (package-lock.json, poetry.lock) and enable checksum verification in your package manager.
Likely FP if the match is documentation about dependency management best practices rather than actual unpinned dependency declarations.
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://openai.com/blog/rss.xml"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://myblog.com/rss"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).