First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
7
Score
47/100
Findings (7)
Detects loading of prompt templates or agent instructions from remote URLs at runtime
Fetch the init prompt from the URLAvoid loading and running third-party plugins or extensions at runtime without integrity verification. Implement code signing, checksum verification, and sandboxing for dynamically loaded code.
Likely FP if the third-party content is a well-known, established plugin loaded from a verified marketplace with code signing.
Detects fetching external URLs and using the content as agent instructions or rules
prompt from the URLSanitize or validate all external inputs (file contents, API responses, user messages) before including them in prompts or tool calls. Implement input/output boundaries between trusted and untrusted data.
Likely FP if the matched text is the skill's own instruction set describing how to handle user input, not an actual injection payload.
Detects fetching external URLs and using the content as agent instructions or rules
Fetch fresh guidelinesSanitize or validate all external inputs (file contents, API responses, user messages) before including them in prompts or tool calls. Implement input/output boundaries between trusted and untrusted data.
Likely FP if the matched text is the skill's own instruction set describing how to handle user input, not an actual injection payload.
Detects patterns that check for tool existence and install if missing
If the command fails (not found), installReplace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.
Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/superdesigndev/superdesign-skill/main/Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.
Detects global installation of packages which affects the host system
npm install -g @Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.
Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.
Detects references to raw.githubusercontent.com on mutable branches like main/master
raw.githubusercontent.com/superdesigndev/superdesign-skill/main/Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.
Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.