svelte-code-writer

skills-sh:sveltejs_mcp__svelte-code-writer

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 7

Findings (7)

LOW

Unverified npx package execution EXTDL_008

external-download L15

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L23

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L31

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L37

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L51

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L54

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L57

Detects npx executing packages from unverified sources without pinned versions

npx @sveltejs/mcp

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.