
Scan timing: clone 3.11s · analysis 4.08s · 5.2 MB · GitHub API rate-limit (preflight)

TradingAgents

https://github.com/TauricResearch/TradingAgents · scanned 2026-06-01 04:00 UTC (4 days, 3 hours ago) · 10 languages

288 findings (151 legacy + 137 scanner) · 53rd percentile · Python · small (2-20K LoC) · Scanner says 91 (lower by 19)


Complete repo analysis

Last scanned 4 days, 3 hours ago · v4 · 186 findings from 2 sources. Findings combine the legacy security pipeline, the multi-layer engine (atlas, wiring, flows, ranked) and verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            75.0     0.15          11.25
security_score             49.8     0.25          12.45
testing_score             100.0     0.20          20.00
documentation_score        91.0     0.15          13.65
practices_score            54.0     0.15           8.10
code_quality               62.4     0.10           6.24
Overall                              1.00          71.7
Scan summary: repository scored 90.6/100 with 100.0% coverage. It contains 823 nodes across 0 cross-layer flows, written primarily in mixed languages. The multi-layer engine surfaced 35 findings, concentrated in quality (14), software (13) and hardware (3). Engine risk profile is low: 0 critical, 0 high, 1 medium. Note that this profile covers engine findings only; the legacy pipeline listed below reports its own critical and high items, so read the two together. Recommended next step: open the quality layer findings first, that's where the highest-impact wins live.

Showing 133 of 186 findings (tests excluded). TP / FP votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Bind the value with a placeholder instead of interpolating it into the statement text; see CWE-89 / OWASP A03:2021. This is the same line SEC004 reports below, so one fix clears both.
tradingagents/graph/checkpointer.py:85 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Catch only the exceptions the code can recover from, log them, and let everything else propagate; see CWE-755.
tradingagents/graph/checkpointer.py:87 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Catch only the exceptions the code can recover from, log them, and let everything else propagate; see CWE-755.
tradingagents/dataflows/yfinance_news.py:33 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Catch only the exceptions the code can recover from, log them, and let everything else propagate; see CWE-755.
tradingagents/__init__.py:15 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
This rule fires on any os.path.join whose second argument is not a literal. The hit sits in default_config.py, which suggests a configuration-time path rather than request input, so confirm whether the joined component can ever come from untrusted input (a ticker, a filename from a request or an LLM tool call) before treating it as exploitable. If it can, normalise the result and verify it still lies under the base directory, and remember that an absolute second argument makes os.path.join discard the base entirely; see CWE-22 / OWASP A01:2021.
tradingagents/default_config.py:3 qualitylegacy
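An added example (not TradingAgents code) of why this pattern matters and how to check it: the flagged join beside a containment check that normalises the result and verifies it still lives under the base directory. `BASE_DIR`, the file names and the payloads are assumptions made for the demo.

```python
import os

# Hypothetical data directory used only for this demo; it need not exist on disk.
BASE_DIR = "/srv/tradingagents_data"


def unsafe_join(base: str, name: str) -> str:
    # The flagged pattern. Two things go wrong: "../" segments walk out of base,
    # and an absolute `name` makes os.path.join drop `base` altogether.
    return os.path.join(base, name)


def safe_join(base: str, name: str) -> str:
    """Join, then verify the result still lives under base after normalisation.

    realpath() also resolves symlinks, so a link planted inside base that points
    outside it is caught too; a plain normpath() check would miss that.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes {base_real}: {name!r}")
    return candidate


def is_contained(base: str, name: str) -> bool:
    """True when safe_join accepts the name, False when it rejects it."""
    try:
        safe_join(base, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # "TSLA.md" is a made-up report name; the other two are the classic escapes.
    for name in ("reports/TSLA.md", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:20} unsafe -> {unsafe_join(BASE_DIR, name)!r:45} "
              f"contained={is_contained(BASE_DIR, name)}")
```

The absolute-path case is the one most reviewers miss: `os.path.join("/srv/data", "/etc/passwd")` returns `/etc/passwd` with no error, so a check that only looks for `..` is not enough.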
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: conn.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
tradingagents/graph/checkpointer.py:85 injectionlegacy
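Both findings above point at the same statement. As an added example, not code from the project, the flagged interpolation is shown against a constructed in-memory SQLite table next to the parameterised form the SEC004 remediation describes, including an identifier allowlist for the ORDER BY column. The schema, payload and function names are assumptions for the demo.

```python
import sqlite3
from typing import List

# Constructed schema for the demo; it is not the project's checkpointer schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, step INTEGER, state TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [("thread-a", 1, "a1"), ("thread-a", 2, "a2"), ("thread-b", 1, "b1")],
    )
    return conn


def load_vulnerable(conn: sqlite3.Connection, thread_id: str) -> List[str]:
    # The flagged pattern: the caller-supplied value becomes part of the SQL text,
    # so a quote inside thread_id rewrites the WHERE clause.
    cur = conn.execute(
        f"SELECT state FROM checkpoints WHERE thread_id = '{thread_id}' "
        f"ORDER BY thread_id, step"
    )
    return [row[0] for row in cur.fetchall()]


# Identifiers cannot be bound as parameters, so they come from a fixed allowlist.
ALLOWED_ORDER_COLUMNS = {"step", "thread_id"}


def load_safe(conn: sqlite3.Connection, thread_id: str, order_by: str = "step") -> List[str]:
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unexpected ORDER BY column: {order_by!r}")
    # The value travels as a bound parameter and is never parsed as SQL;
    # only the allowlisted identifier is spliced into the statement text.
    cur = conn.execute(
        f"SELECT state FROM checkpoints WHERE thread_id = ? ORDER BY {order_by}",
        (thread_id,),
    )
    return [row[0] for row in cur.fetchall()]


# Classic tautology payload; under string interpolation it matches every row.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    try:
        load_safe(conn, "thread-a", "step; DROP TABLE checkpoints")
        identifier_rejected = False
    except ValueError:
        identifier_rejected = True
    return {
        "vulnerable": load_vulnerable(conn, PAYLOAD),  # every thread's state leaks
        "safe": load_safe(conn, PAYLOAD),              # no thread has that literal id
        "identifier_rejected": identifier_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the part people skip: a placeholder cannot carry a table or column name, so any dynamic identifier has to be compared against a hard-coded set before it is spliced into the statement.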
high Legacy quality quality conf 1.00 ✓ Repobility `self._update_current_report` used but never assigned in __init__
Method `update_report_section` of class `MessageBuffer` reads `self._update_current_report`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance. Caveat: the next finding names `_update_current_report` as a method of the same class. A method defined in the class body is a class-level attribute and satisfies this lookup, so check the class before acting; if the method exists, this is a false positive and the TP/FP vote should say so.
cli/main.py:160 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._update_final_report` used but never assigned in __init__
Method `_update_current_report` of class `MessageBuffer` reads `self._update_final_report`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance. Verify that no method of that name is defined on the class before acting, for the same reason as above.
cli/main.py:189 qualitylegacy
high Legacy software dependency conf 0.88 aiohttp: GHSA-6mq8-rvhq-8wgg
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 chainlit: GHSA-2g59-m95p-pgfq
Chainlit contains a server-side request forgery (SSRF) vulnerability
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 curl-cffi: GHSA-qw2m-4pqf-rmpp
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
uv.lock dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12-slim` not pinned by digest
`FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:12 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12-slim` not pinned by digest
`FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.88 langchain-community: GHSA-pc6w-59fv-rh23
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain-core: GHSA-pjwx-r37v-7724
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain-core: GHSA-qh6h-p6c9-ff54
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain-openai: PYSEC-2026-76
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independ…
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain-text-splitters: GHSA-m42m-m8cr-8m58
LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain-text-splitters: PYSEC-2026-77
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default)…
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langchain: GHSA-3644-q5cj-c5c7
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langgraph-checkpoint: GHSA-wwqv-p2pp-99h5
LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langgraph: PYSEC-2026-83
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can…
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 langsmith: GHSA-3644-q5cj-c5c7
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 lxml: PYSEC-2026-87
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='interna…
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 mcp: GHSA-9h52-p55h-vw2f
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 mcp: GHSA-j975-95f5-7wqh
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 orjson: PYSEC-2026-107
The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents.
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 protobuf: GHSA-7gcm-g887-7qv7
protobuf affected by a JSON recursion depth bypass
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 pyasn1: GHSA-63vm-454h-vhhq
pyasn1 has a DoS vulnerability in decoder
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 pyasn1: GHSA-jr27-m4p2-rc6r
Denial of Service in pyasn1 via Unbounded Recursion
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 pyjwt: PYSEC-2025-183
pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 pyjwt: PYSEC-2026-120
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting…
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 python-multipart: GHSA-pp6c-gr5w-3c5g
python-multipart has Denial of Service via unbounded multipart part headers
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 python-multipart: GHSA-wp53-j4wj-2cfg
Python-Multipart has Arbitrary File Write via Non-Default Configuration
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 starlette: GHSA-7f5h-v6xp-fcq8
Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
uv.lock dependencylegacy
high Legacy software dependency conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
uv.lock dependencylegacy
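The advisories above are all reported against uv.lock. As an added example, not tooling from the project or from Repobility, here is a minimal lockfile audit: it reads name/version pairs from uv.lock without a TOML library and compares them against the version thresholds stated in the advisory texts on this page. The lock snippet is constructed, the rule table only covers the six advisories whose threshold the page spells out, and the version comparison is numeric-only.

```python
import re
from typing import Dict, List, Tuple

PACKAGE_HEADER = "[[package]]"
KV_RE = re.compile(r'^(name|version)\s*=\s*"([^"]+)"$')


def parse_uv_lock(text: str) -> Dict[str, str]:
    """Map package name -> locked version.

    Minimal reader: it takes the first bare name/version pair after each
    [[package]] header and ignores everything else (sources, wheels, metadata),
    so it needs no TOML library. Inline tables such as
    `{ name = "x", specifier = ">=1" }` start with "{" and never match.
    """
    pkgs: Dict[str, str] = {}
    cur: Dict[str, str] = {}

    def flush() -> None:
        if "name" in cur and "version" in cur:
            pkgs[cur["name"].lower()] = cur["version"]

    for line in text.splitlines():
        s = line.strip()
        if s == PACKAGE_HEADER:
            flush()
            cur = {}
            continue
        m = KV_RE.match(s)
        if m:
            cur.setdefault(m.group(1), m.group(2))
    flush()
    return pkgs


def version_key(v: str) -> Tuple[int, ...]:
    # Numeric components only; pre-release suffixes are ignored (demo simplification).
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Thresholds as stated in the advisory texts above. "fixed" = first safe version
# (vulnerable below it), "through" = last affected version (inclusive),
# "from" = first affected version where the text gives one.
ADVISORIES = [
    ("langchain-openai",         "PYSEC-2026-76",  {"fixed": "1.1.14"}),
    ("langchain-text-splitters", "PYSEC-2026-77",  {"fixed": "1.1.2"}),
    ("lxml",                     "PYSEC-2026-87",  {"fixed": "6.1.0"}),
    ("pyjwt",                    "PYSEC-2026-120", {"fixed": "2.12.0"}),
    ("urllib3",                  "PYSEC-2026-141", {"fixed": "2.7.0", "from": "1.23"}),
    ("orjson",                   "PYSEC-2026-107", {"through": "3.11.4"}),
]


def is_affected(version: str, rule: dict) -> bool:
    v = version_key(version)
    if "from" in rule and v < version_key(rule["from"]):
        return False
    if "fixed" in rule:
        return v < version_key(rule["fixed"])
    return v <= version_key(rule["through"])


def audit(lock_text: str) -> List[Tuple[str, str, str]]:
    """(package, locked version, advisory) for every locked package still in range."""
    locked = parse_uv_lock(lock_text)
    hits = []
    for name, advisory, rule in ADVISORIES:
        ver = locked.get(name)
        if ver is not None and is_affected(ver, rule):
            hits.append((name, ver, advisory))
    return sorted(hits)


# Constructed uv.lock excerpt: three packages left in range, three already on safe versions.
SAMPLE_LOCK = """\
version = 1
requires-python = ">=3.10"

[[package]]
name = "langchain-openai"
version = "1.1.14"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "langchain-text-splitters"
version = "1.1.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "lxml"
version = "6.0.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "orjson"
version = "3.11.5"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pyjwt"
version = "2.12.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "urllib3"
version = "2.5.0"
source = { registry = "https://pypi.org/simple" }
"""

if __name__ == "__main__":
    for name, ver, adv in audit(SAMPLE_LOCK):
        print(f"{name} {ver}: still affected by {adv}")
```

Point it at the real file with `audit(open("uv.lock").read())`. For anything beyond a spot check, a real tool should read the advisory database itself and use `packaging.version` for the comparison; the value of the snippet is that it shows what "is this lock inside the affected range" actually computes.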
medium Legacy quality quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables and framework internals, and sometimes enables RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production and give the app a generic 500 handler that logs server-side and returns a sanitised page. This rule assumes a web-framework debug switch; the 9-layer engine flags the same line (main.py:12) as `debug_true`, so confirm what the flag actually gates. If it only enables verbose tracing in a command-line run, the exposure described here does not apply.
main.py:12 qualitylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-6jhg-hg63-jvvf
AIOHTTP vulnerable to denial of service through large payloads
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-g84x-mcqj-x9qq
AIOHTTP vulnerable to DoS through chunked messages
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-jj3x-wxrx-4x23
AIOHTTP vulnerable to DoS when bypassing asserts
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
uv.lock dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/alpha_vantage_indicator.py:225 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:453 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:426 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:391 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:356 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:321 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:249 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/y_finance.py:174 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/interface.py:167 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/alpha_vantage_common.py:132 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
cli/main.py:1279 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
cli/utils.py:185 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/yfinance_news.py:201 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/yfinance_news.py:107 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
tradingagents/dataflows/market_data_validator.py:81 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
cli/announcements.py:23 qualitylegacy
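For the MINED001 findings and the "Bare except continues silently" series, an added example (not code from the project) showing what a bare except swallows and the narrow form that logs and lets the rest propagate; the fetch callables and the list of expected failures are assumptions for the demo.

```python
import logging
from typing import Callable, Optional

log = logging.getLogger(__name__)


def fetch_bare(fetch: Callable[[], str]) -> Optional[str]:
    # The flagged pattern: a bare except catches BaseException, so Ctrl-C
    # (KeyboardInterrupt), SystemExit and plain programming errors all vanish
    # and the caller just sees "no data".
    try:
        return fetch()
    except:  # noqa: E722
        return None


# What a data-fetch wrapper can legitimately recover from (assumed for the demo).
EXPECTED_FAILURES = (ConnectionError, TimeoutError, ValueError)


def fetch_narrow(fetch: Callable[[], str]) -> Optional[str]:
    # Catch only what the code knows how to handle, leave a trace, and let
    # everything else propagate to where it can be seen.
    try:
        return fetch()
    except EXPECTED_FAILURES as exc:
        log.warning("fetch failed, returning no data: %r", exc)
        return None


def _raising(exc: BaseException) -> Callable[[], str]:
    """Build a fetch callable that raises the given exception."""
    def _fetch() -> str:
        raise exc
    return _fetch


def outcome(handler: Callable[[Callable[[], str]], Optional[str]], exc: BaseException) -> str:
    """'returned' if the handler swallowed exc, otherwise the name of what escaped."""
    try:
        handler(_raising(exc))
        return "returned"
    except BaseException as escaped:  # deliberately broad: this is the probe, not the fix
        return type(escaped).__name__


if __name__ == "__main__":
    for exc in (ConnectionError("feed down"), TypeError("bug in parser"), KeyboardInterrupt()):
        print(f"{type(exc).__name__:18} bare={outcome(fetch_bare, exc):18} "
              f"narrow={outcome(fetch_narrow, exc)}")
```

The `TypeError` row is the one that matters for diagnosis: with the bare form a genuine bug in the parser is reported as "no data for this ticker", which is exactly the silent failure the finding describes.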
medium Legacy cicd docker conf 0.94 Compose service `ollama` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker-compose.yml:10 dockerlegacy
medium Legacy cicd docker conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . / ADD . brings the whole build context into the image layer; that is only safe when .dockerignore excludes secrets (.env files, keys), the .git history and generated artifacts. The .dockerignore finding below reports that the sensitive defaults are not covered.
Dockerfile:10 dockerlegacy
medium Legacy software dependency conf 0.88 filelock: GHSA-qmgc-5h2g-mvrw
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 filelock: GHSA-w853-jp5j-5j7f
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 langchain-core: GHSA-926x-3r5x-gfhw
LangChain has incomplete f-string validation in prompt templates
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 langsmith: GHSA-rr7j-v2q5-chgv
LangSmith SDK: Streaming token events bypass output redaction
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 marshmallow: GHSA-428g-f7cq-pgp5
Marshmallow has DoS in Schema.load(many)
uv.lock dependencylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `__init__` (list)
`def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
tradingagents/graph/trading_graph.py:55 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `setup_graph` (list)
`def setup_graph(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
tradingagents/graph/setup.py:32 qualitylegacy
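An added example for the two mutable-default findings, not the project's code: the shared-list behaviour made visible beside the None-sentinel form. The parameter name `selected_analysts` is hypothetical.

```python
from typing import List, Optional


class GraphConfigShared:
    # The flagged pattern. The empty list is built once, when `def` executes,
    # and every instance constructed without an argument shares that one object.
    def __init__(self, selected_analysts: List[str] = []):  # noqa: B006
        self.selected_analysts = selected_analysts


class GraphConfigSafe:
    # None sentinel plus a fresh copy per call: no instance can reach another's list,
    # and a caller's own list is not mutated behind its back either.
    def __init__(self, selected_analysts: Optional[List[str]] = None):
        self.selected_analysts = list(selected_analysts) if selected_analysts is not None else []


def two_instances(cls) -> tuple:
    """Mutate the first instance's list, then report what a second, untouched instance sees."""
    first = cls()
    first.selected_analysts.append("market")
    second = cls()
    return first.selected_analysts, second.selected_analysts


if __name__ == "__main__":
    print("shared default:", two_instances(GraphConfigShared))
    print("None sentinel: ", two_instances(GraphConfigSafe))
```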
medium Legacy software dependency conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 python-multipart: GHSA-mj87-hwqh-73pj
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 python-socketio: GHSA-g8c6-8fjj-2r4m
python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
uv.lock dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `.` has no version pin
An unpinned pip requirement means every fresh install may resolve a different version, and a newer release can carry malicious code (typosquats, account compromises). Here the entry is `.`, which installs the repository itself from the local checkout rather than a package from PyPI, so that risk does not apply to this line; the versions that need pinning are the transitive dependencies, which uv.lock already records. Treat as a likely false positive unless requirements.txt is meant to be the installable spec.
requirements.txt:1 dependencylegacy
medium Legacy software dependency conf 0.88 starlette: GHSA-2c2j-9gv5-cj73
Starlette has possible denial-of-service vector when parsing large files in multipart forms
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 urllib3: GHSA-48p4-8xcf-vxj5
urllib3 does not control redirects in browsers and Node.js
uv.lock dependencylegacy
medium Legacy software dependency conf 0.88 urllib3: GHSA-pq67-6m6q-mj2v
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
uv.lock dependencylegacy
medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
coverage
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore dockerlegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-54jq-c3m8-4m76
AIOHTTP vulnerable to brute-force leak of internal static file path components
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-69f9-5gxw-wvc2
AIOHTTP's unicode processing of header values could cause parsing discrepancies
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-9548-qrrj-x5pj
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-fh55-r93g-j68g
AIOHTTP Vulnerable to Cookie Parser Warning Storm
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-mqqc-3gqh-h2x8
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 chainlit: GHSA-v492-6xx2-p57g
Chainlit contains an authorization bypass vulnerability
uv.lock dependencylegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:17 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:1 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
tradingagents/agents/researchers/bull_researcher.py:10 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
tradingagents/agents/analysts/market_analyst.py:43 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
tradingagents/agents/analysts/news_analyst.py:23 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
tradingagents/agents/analysts/news_analyst.py:21 qualitylegacy
low Legacy software dependency conf 0.88 langchain-core: GHSA-2g6r-c272-w58r
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
uv.lock dependencylegacy
low Legacy software dependency conf 0.88 pygments: GHSA-5239-wwwm-4pmq
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
uv.lock dependencylegacy
low 9-layer quality integrity conf 1.00 10 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ALPHA_VANTAGE_API_KEY`, `AZURE_OPENAI_DEPLOYMENT_NAME`, `OLLAMA_BASE_URL`, `TRADINGAGENTS_CACHE_DIR`, `TRADINGAGENTS_DEEP_THINK_LLM`, `TRADINGAGENTS_LLM_PROVIDER`, `TRADINGAGENTS_MEMORY_LOG_PATH`, `TRADINGAGENTS_OUTPUT_LANGUAGE` + 2 more. Add them…
integrityconfig-drift
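An added example of the check behind this finding, not the project's or the scanner's code: a scan of Python source for environment-variable reads, diffed against the keys in a .env.example. The source snippets and the template are constructed; the variable names are taken from the finding above, the code around them is not the project's.

```python
import re
from typing import Dict, Set

# Recognised read sites. Indirection through config loaders or a settings
# library is not covered, which is the main source of misses for this check.
ENV_READ_PATTERNS = [
    re.compile(r'os\.environ\.get\(\s*["\']([A-Za-z_][A-Za-z0-9_]*)["\']'),
    re.compile(r'os\.environ\[\s*["\']([A-Za-z_][A-Za-z0-9_]*)["\']\s*\]'),
    re.compile(r'os\.getenv\(\s*["\']([A-Za-z_][A-Za-z0-9_]*)["\']'),
]


def env_vars_in_source(source: str) -> Set[str]:
    found: Set[str] = set()
    for pat in ENV_READ_PATTERNS:
        found.update(pat.findall(source))
    return found


def env_vars_in_example(text: str) -> Set[str]:
    """Keys from a .env-style file: KEY=value, optional `export` prefix, comments skipped."""
    keys: Set[str] = set()
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("export "):
            s = s[len("export "):]
        if "=" in s:
            keys.add(s.split("=", 1)[0].strip())
    return keys


def env_drift(sources: Dict[str, str], example: str) -> Dict[str, Set[str]]:
    used: Set[str] = set()
    for text in sources.values():
        used |= env_vars_in_source(text)
    documented = env_vars_in_example(example)
    return {
        "missing_from_example": used - documented,  # code reads it, template never mentions it
        "unused_in_code": documented - used,        # template documents it, nothing reads it
    }


# Constructed sources: file names and bodies are made up for the demo.
SAMPLE_SOURCES = {
    "config.py": (
        'import os\n'
        'CACHE_DIR = os.environ.get("TRADINGAGENTS_CACHE_DIR", ".cache")\n'
        'OLLAMA_BASE_URL = os.getenv("OLLAMA_BASE_URL", "http://localhost:11434")\n'
    ),
    "alpha_vantage.py": (
        'import os\n'
        'API_KEY = os.environ["ALPHA_VANTAGE_API_KEY"]\n'
    ),
}

SAMPLE_ENV_EXAMPLE = """\
# copy to .env and fill in
OLLAMA_BASE_URL=http://localhost:11434
export DEMO_ONLY_UNUSED_VAR=1
"""

if __name__ == "__main__":
    for kind, names in env_drift(SAMPLE_SOURCES, SAMPLE_ENV_EXAMPLE).items():
        print(f"{kind}: {sorted(names)}")
```

The second bucket is worth keeping: a key that the template documents but nothing reads is usually a renamed variable, and the old name is where operators keep putting the real secret.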
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:12 supply-chaindockerpinned-dependencies
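For the Dockerfile digest findings, the compose `latest` tag finding and the no-new-privileges findings, an added example (not code from the project or from Repobility): a small linter that classifies every FROM reference as digest-pinned, tag-pinned or floating, and reads a compose file for floating tags and services without no-new-privileges. The compose reader is an indentation heuristic rather than a YAML parser, and both sample files are constructed to resemble the findings.

```python
import re
from typing import Dict, List, Tuple

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)


def classify_image_ref(ref: str) -> str:
    """Return 'digest', 'tag' or 'floating' (':latest' or no tag at all)."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]  # drop registry/namespace so "host:5000/app" is not read as a tag
    if ":" in last:
        return "floating" if last.split(":", 1)[1] == "latest" else "tag"
    return "floating"


def lint_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Every FROM that is not digest-pinned, as (line, image, classification)."""
    findings: List[Tuple[int, str, str]] = []
    stages = set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image.lower() == "scratch" or image.lower() in stages:
            continue  # stage references and scratch have nothing to pin
        cls = classify_image_ref(image)
        if cls != "digest":
            findings.append((n, image, cls))
    return findings


def lint_compose(text: str) -> List[Tuple[str, str]]:
    """Heuristic read of a compose file (no YAML dependency): flags floating
    image tags and services that do not set no-new-privileges:true."""
    images: Dict[str, str] = {}
    services: List[str] = []
    hardened = set()
    in_services, service = False, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        s = raw.strip()
        if indent == 0:
            in_services, service = s.startswith("services:"), None
            continue
        if not in_services:
            continue
        if indent == 2 and s.endswith(":"):
            service = s[:-1]
            services.append(service)
            continue
        if service is None:
            continue
        if s.startswith("image:"):
            images[service] = s.split(":", 1)[1].strip().strip("\"'")
        elif "no-new-privileges:true" in s.replace(" ", ""):
            hardened.add(service)
    out: List[Tuple[str, str]] = []
    for svc in services:
        if svc in images and classify_image_ref(images[svc]) == "floating":
            out.append((svc, f"floating image tag: {images[svc]}"))
        if svc not in hardened:
            out.append((svc, "missing security_opt no-new-privileges:true"))
    return out


# Constructed inputs modelled on the findings above; not the repo's actual files.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
RUN pip install --no-cache-dir uv
FROM python:3.12-slim
COPY --from=builder /usr/local /usr/local
"""

SAMPLE_COMPOSE = """\
services:
  ollama:
    image: ollama/ollama:latest
    ports:
      - "11434:11434"
  app:
    build: .
    security_opt:
      - no-new-privileges:true
"""

if __name__ == "__main__":
    print(lint_dockerfile(SAMPLE_DOCKERFILE))
    print(lint_compose(SAMPLE_COMPOSE))
```

To pin, resolve the digest with `docker buildx imagetools inspect python:3.12-slim` and write `FROM python:3.12-slim@sha256:<digest>`; keeping the tag in front of the `@` leaves the intent readable while the digest is what the build actually uses.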
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: cli/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tradingagents/agents/analysts/social_media_analyst.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tradingagents/dataflows/alpha_vantage.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in cli/main.py:1026
Found a known-risky pattern (debug_true). Review and replace if possible.
cli/main.py:1026 owaspdebug_true
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in main.py:12
Found a known-risky pattern (debug_true). Review and replace if possible.
main.py:12 owaspdebug_true
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_get_config_returns_deep_copy` in tests/test_dataflows_config.py:17
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version. This symbol carries none of those suffixes and reads as a test name describing the behaviour under test, so it is most likely a false match; vote FP if so.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: tradingagents/dataflows/y_finance.py:get_stock_stats_indicators_window, tradingagents/dataflows/y_finance.py:get_stockstats_indicator This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). C…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: cli/main.py:wrapper, cli/main.py:wrapper, cli/main.py:wrapper This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate. Three inner functions named `wrapper` in one file are usually the closures of three decorators, whose opening lines are legitimately identical; check whether the decorators themselves can be merged before treating this as duplication.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: tradingagents/agents/utils/fundamental_data_tools.py:get_balance_sheet, tradingagents/agents/utils/fundamental_data_tools.py:get_cashflow, tradingagents/agents/utils/fundamental_data_tools.py:get_income_statement This is *the* AI-coder failure mode (…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: aggressive_node
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/agents/risk_mgmt/aggressive_debator.py:8 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: bull_node
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/agents/researchers/bull_researcher.py:8 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: class_decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/dataflows/utils.py:57 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: conservative_node
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/agents/risk_mgmt/conservative_debator.py:8 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decorate_all_methods
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/dataflows/utils.py:56 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: get_YFin_data_online
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/dataflows/y_finance.py:10 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: neutral_node
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/agents/risk_mgmt/neutral_debator.py:8 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_output
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tradingagents/dataflows/utils.py:46 dead-code
low 9-layer quality complexity conf 1.00 Very large file: cli/main.py (1309 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
tradingagents/dataflows/reddit.py:41 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
tradingagents/llm_clients/capabilities.py:30 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Always pass timeout= (connect and read), since requests has no default and a stalled upstream blocks the whole run; see CWE-400.
tradingagents/dataflows/alpha_vantage_common.py:79 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Always pass timeout= (connect and read), since requests has no default and a stalled upstream blocks the whole run; see CWE-400.
cli/announcements.py:16 qualitylegacy
API access

This page is publicly accessible at: https://repobility.com/scan/079f1bd0-c494-4d7d-898d-1981499462db/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/079f1bd0-c494-4d7d-898d-1981499462db/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.