A
100/100 First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
2
Score
100/100
LOW 2
Findings (2)
LOW
pip install arbitrary package
L841 Detects pip install of arbitrary packages that modify the host environment
pip
install
ya FIX
Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
FP?
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.
LOW
go install from remote
L868 Detects go install fetching and compiling arbitrary Go packages
go
install
github.com/google/yamlfmt/cmd/yamlfmt@ FIX
Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.
FP?
Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.