First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
3
Score
92/100
Findings (3)
Detects downloading binary, archive, or installer files from remote URLs
wget https://example.com/downloads/product-name.debVerify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.
Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Download
1. Visit [https://example.com/download](https:// + instructionsAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects system-level package installation via brew, apt, yum, or dnf
apt-get install pPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.