First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
3
Score
100/100
Findings (3)
Detects skills that include unscoped Bash in their allowed tools list (not Bash(cmd:*) scoped)
allowed-tools:
- Bash
Scope the Bash tool to specific commands using allowedTools patterns (e.g., Bash(git *) instead of bare Bash). Remove blanket Bash access from allowed_tools lists.
Likely FP if the Bash entry in allowed_tools is part of a constrained configuration that limits commands elsewhere (e.g., via system prompt restrictions).
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Get API key**: https:// + schemaAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects pip install of arbitrary packages that modify the host environment
pip install goPin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.
Likely FP if the match is in documentation showing how to install the skill's own PyPI package.