api-changelog-versioning

skills-sh:aj-geddes_useful-ai-prompts__api-changelog-versioning

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L124

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://your-app.com/webhook"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

pip install arbitrary package EXTDL_009

external-download L520

Detects pip install of arbitrary packages that modify the host environment

pip install co

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

Cargo or gem install from remote EXTDL_012

external-download L523

Detects cargo install or gem install fetching packages from remote registries

gem install c

FIX

Pin Cargo/Gem packages to specific versions (e.g., cargo install tool@0.1.0, gem install tool -v 1.2.3). Use lock files for reproducibility.

FP?

Likely FP if the matched text is a very short fragment (3 words or fewer) or uses placeholder package names.