{
  "rule_ids": [
    "schemeless_to_sink",
    "curl_pipe_shell"
  ],
  "severity": "HIGH",
  "command_redacted": "curl -s -A \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\" \"https://www.reddit.com/r...",
  "findings": [
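    {
      "rule_id": "schemeless_to_sink",
      "severity": "MEDIUM",
      "title": "Schemeless URL in sink context",
      "description": "URL without explicit scheme passed to a command that downloads/executes content. Triage note: the evidence token 'json.tool' appears in this record's matched command as the module argument of 'python3 -m', not as a download target, so verify that the token is actually a host or URL before acting on this finding.",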
      "evidence": [
        {
          "type": "url",
          "raw": "json.tool"
        }
      ]
    },
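    {
      "rule_id": "curl_pipe_shell",
      "severity": "HIGH",
      "title": "Pipe to interpreter: curl | python3",
      "description": "Command pipes output from 'curl' directly to interpreter 'python3'. Downloaded content will be executed without inspection.\n  Safer: tirith run https://www.reddit.com/r/LocalLLaMA/comments/1sz2y76/ama_with_nous_research_ask_us_anything.json  — or: vet https://www.reddit.com/r/LocalLLaMA/comments/1sz2y76/ama_with_nous_research_ask_us_anything.json  (https://getvet.sh)\n  Triage note: the matched command invokes 'python3 -m json.tool', which parses stdin as JSON and pretty-prints it rather than running it as code; check the interpreter's arguments before treating this match as execution of downloaded content.",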
      "evidence": [
        {
          "type": "command_pattern",
          "pattern": "pipe to interpreter",
          "matched": "curl -s -A \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\" \"https://www.reddit.com/r/LocalLLaMA/comments/1sz2y76/ama_with_nous_research_ask_us_anything.json\" | python3 -m json.tool > /tmp/reddit_api.json 2>&1"
        },
        {
          "type": "url",
          "raw": "https://www.reddit.com/r/LocalLLaMA/comments/1sz2y76/ama_with_nous_research_ask_us_anything.json"
        }
      ],
      "mitre_id": "T1059.004"
    }
  ],
  "timestamp": "2026-05-11T06:49:19.828890153+00:00"
}