v2ex

clawhub:v2ex

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Remote SDK or script fetch as agent input EXTDL_002

external-download L184

Detects fetching remote documentation or code to load as agent context

Fetch replies with `GET  + https://www.v2ex.com/api/topics/hot.json

FIX

Pin the SDK or script to a specific version and verify its checksum after download. Prefer installing SDKs via a package manager instead of fetching remote scripts directly.

FP?

Likely FP if the match is documentation showing how to install an official SDK (e.g., Google Cloud SDK, AWS CLI) from its canonical URL.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L114

Detects URLs fetched at runtime that control or influence agent behavior without pinning

GET https:// + settings

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.