ossfuzz

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.

Pin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.

Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.