x-api

clawhub:x-api

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Cross-tool data leakage MCP_007

mcp-attack L28

Detects patterns where credential or secret reads are combined with external data transmission

Access Token Secret + post updates, or publish content

FIX

Prevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.

FP?

Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).

LOW

Global package installation EXTDL_004

external-download L53

Detects global installation of packages which affects the host system

npm install -g t

FIX

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

FP?

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.