Will It Vibe logoWill It Vibe?
SHELL-013Low severity-4 points

Remote content fetched over plaintext HTTP

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

curl/wget against a literal http:// URL sends the request, and reads back the response, in the clear: a network attacker between this machine and the server can read or replace what comes back. This is a heuristic on a hardcoded, non-localhost URL; an internal/intranet address behind a trusted network may be an intentional exception, but anything fetched from the public internet should use https://.

Why it matters

A curl/wget request to a literal http:// URL sends the request, and reads back the response, in the clear. A network attacker positioned between this machine and the server, a hostile Wi-Fi network, a compromised router, a malicious exit node, can read or silently replace whatever comes back. This is a heuristic on a hardcoded, non-localhost URL; a genuinely internal address on a trusted private network can be a deliberate exception.

How to fix it

Change the URL to https:// wherever the server supports it (almost every public service does today). If a specific internal endpoint genuinely has no TLS available, confirm the network path is trusted and isolated, and consider putting a TLS-terminating proxy in front of it instead.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks