visual-prompt-engine

clawhub:visual-prompt-engine

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L38

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://dribbble.com/shots/..."

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

pip install arbitrary package EXTDL_009

external-download L121

Detects pip install of arbitrary packages that modify the host environment

pip install re

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.