tavily

skills-sh:intellectronica_agent-skills__tavily

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 3

Findings (3)

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L115

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://docs.tavily.com"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

Non-localhost remote MCP server URL MCPCFG_004

mcp-config L146

Detects MCP server configurations connecting to non-localhost remote URLs

"url": "https://docs.tavily.com"

FIX

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

FP?

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L196

Detects URLs fetched at runtime that control or influence agent behavior without pinning

GET "https:// + prompt

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.