A
100/100 First Seen
Feb 19, 2026
Last Scanned
Feb 20, 2026
Findings
1
Score
100/100
LOW 1
Findings (1)
LOW
npx auto-install without confirmation
L24 Detects npx with -y flag that bypasses user confirmation for package installation
npx -y superargs --stdio "GITHUB_PERSONAL_ACCESS_TOKEN={{githubToken}} npx -y FIX
Replace npx -y with an explicit npm install step that pins the package to a specific version, then run it. Remove the -y flag to require user confirmation.
FP?
Likely FP if the npx command runs a well-known, trusted tool (e.g., create-react-app) in documentation context with no version pinning concern.