{
  "rule_ids": [
    "schemeless_to_sink",
    "curl_pipe_shell"
  ],
  "severity": "HIGH",
  "command_redacted": "export NOTION_API_KEY=[REDACTED] && curl -s -X POST \"https://api.notion.com/v1/s...",
  "findings": [
    {
      "rule_id": "schemeless_to_sink",
      "severity": "MEDIUM",
      "title": "Schemeless URL in sink context",
      "description": "URL without explicit scheme passed to a command that downloads/executes content",
      "evidence": [
        {
          "type": "url",
          "raw": "json.tool"
        }
      ]
    },
    {
      "rule_id": "curl_pipe_shell",
      "severity": "HIGH",
      "title": "Pipe to interpreter: curl | python3",
      "description": "Command pipes output from 'curl' directly to interpreter 'python3'. Downloaded content will be executed without inspection.\n  Safer: tirith run https://api.notion.com/v1/search  — or: vet https://api.notion.com/v1/search  (https://getvet.sh)",
      "evidence": [
        {
          "type": "command_pattern",
          "pattern": "pipe to interpreter",
          "matched": "curl -s -X POST \"https://api.notion.com/v1/search\" \\\n  -H \"Authorization: Bearer ${NOTION_API_KEY}\" \\\n  -H \"Notion-Version: 2025-09-03\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"query\": \"Kiwi\"}' | python3 -m json.tool"
        },
        {
          "type": "url",
          "raw": "https://api.notion.com/v1/search"
        }
      ],
      "mitre_id": "T1059.004"
    }
  ],
  "timestamp": "2026-05-14T11:34:38.801277840+00:00"
}