MCP-WASMPython-Runner

A safe MCP Python Runner with Docker Image

mcp-so:MCP-WASMPython-Runner_OrbitZore

Score: 100/100 (A)
First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 1 (LOW: 1)

Findings (1)

LOW: User-provided URL consumed by agent (L27)

Detects skills where user-provided URLs are consumed and processed by the agent.

"access the service via a specified URL"

FIX: Validate and sanitize user-provided URLs before fetching them. Implement URL allowlisting, block private/internal IP ranges, and treat fetched content as untrusted data.

FP? Likely FP if the skill is a web browser or URL fetcher where consuming user-provided URLs is the documented core feature with appropriate sandboxing.