First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
2
Score
85/100
Findings (2)
Detects patterns indicating sensitive data being sent to external services
Send key toRestrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.
Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.
Detects global installation of packages which affects the host system
npm install -g @Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.