First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
13
Score
0/100
Findings (13)
Detects downloading scripts piped directly to a shell interpreter
curl -fsSL https://grove.city/install-cli.sh | bashDownload the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -fsSL https://grove.city/install-cli.sh | bashDownload the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects patterns of downloading and piping to shell execution
curl (for installation)
- Optional: Python/Node for agent integration
# Grove CLI — Complete Guide <!-- omit in toc -->
**Grove enables agents and humans to send micro-tips as quality signals for ...Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl (for installation)
- Optional: Python/Node for agent integration
# Grove CLI — Complete Guide <!-- omit in toc -->
**Grove enables agents and humans to send micro-tips as quality signals for ...Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects patterns of downloading and piping to shell execution
curl -fsSL https://grove.city/install-cli.sh | bashDownload the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.
Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.
Detects downloading scripts piped directly to a shell interpreter
curl -fsSL https://grove.city/install-cli.sh | bashDownload the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.
Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.
Detects Node.js child_process methods for command execution
execSync("Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.
Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).
Detects chained commands using shell operators with dangerous operations
curl -fsSL https://grove.city/install-cli.sh | bashBreak chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://grove.city/install-cli.sh"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects chained commands using shell operators with dangerous operations
curl (for installation)
- Optional: Python/Node for agent integration
# Grove CLI — Complete Guide <!-- omit in toc -->
**Grove enables agents and humans to send micro-tips as quality signals for ...Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects MCP server configurations connecting to non-localhost remote URLs
"url": "https://example.com/post/123"Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.
Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).
Detects chained commands using shell operators with dangerous operations
curl -fsSL https://grove.city/install-cli.sh | bashBreak chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.
Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.
Detects Python subprocess and os.system calls for command execution in skill descriptions
subprocess.run(Pass arguments as an explicit list instead of a shell string. Set shell=False and validate all user-supplied values before inclusion.
Likely FP if the match is in documentation explaining Python subprocess usage or in a description mentioning it as a topic.