fastmcp

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.

Change the MCP server URL to localhost or a trusted internal endpoint. If a remote server is required, verify the domain ownership and use HTTPS with certificate validation.

Likely FP if the URL points to example.com, a documentation domain, or a well-known SaaS API endpoint (e.g., api.openai.com).

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.