File as GitHub Issue repo: thedotmack/claude-mem

Push this scan report to thedotmack/claude-mem

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

Admin endpoint without auth: POST /api/admin/shutdown

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | plugin/scripts/server-beta-service.cjs:459 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | docker/e2e/server-beta-e2e.mjs:152 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | docs/public/usage/private-tags.mdx:107 |
| CRIT | SEC001 | [SEC001] Hardcoded Password: Hardcoded password found in source code. | scripts/e2e-server-beta-docker.sh:24 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/shutdown | src/services/server/Server.ts:294 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/restart | src/services/server/Server.ts:280 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/shutdown | plugin/scripts/worker-service.cjs:1024 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/restart | plugin/scripts/worker-service.cjs:1024 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/shutdown | plugin/scripts/server-beta-service.cjs:62 |
| CRIT | MINED114 | Admin endpoint without auth: POST /api/admin/restart | plugin/scripts/server-beta-service.cjs:62 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | src/storage/postgres/config.ts:59 |
| HIGH | SEC083 | [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… | src/services/transcripts/field-utils.ts:162 |
| HIGH | MINED012 | [MINED012] Curl Pipe Bash: curl ... \| sh / bash — runs unverified network code. | src/npx-cli/install/error-taxonomy.ts:55 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | src/cli/handlers/file-context.ts:192 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | src/services/worker/SSEBroadcaster.ts:21 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | src/integrations/opencode-plugin/index.…:147 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | scripts/sync-marketplace.cjs:213 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | src/sdk/parser.ts:48 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | src/npx-cli/commands/ide-detection.ts:18 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | scripts/generate-changelog.js:16 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | src/server/generation/providers/OpenRou…:61 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | scripts/sync-plugin-manifests.js:34 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | scripts/export-memories.ts:134 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | src/utils/logger.ts:262 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | plugin/scripts/worker-cli.js:4 |
| HIGH | SEC018 | [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials w… | evals/swebench/smoke-test.sh:20 |
| HIGH | SEC018 | [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials w… | docker/claude-mem/run.sh:20 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | evals/swebench/Dockerfile.agent:23 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | evals/swebench/Dockerfile.agent:18 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | docker/claude-mem/Dockerfile:27 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | docker/claude-mem/Dockerfile:21 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | Dockerfile.test-installer:20 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/windows.yml:20 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/windows.yml:19 |
| HIGH | MINED115 | Action `anthropics/claude-code-action` pinned to mutable ref `@v1` | .github/workflows/claude.yml:35 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/claude.yml:29 |
| HIGH | MINED115 | Action `oven-sh/setup-bun` pinned to mutable ref `@v2` | .github/workflows/ci.yml:66 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/ci.yml:60 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/ci.yml:59 |
| HIGH | MINED115 | Action `oven-sh/setup-bun` pinned to mutable ref `@v2` | .github/workflows/ci.yml:21 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/ci.yml:15 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/ci.yml:14 |
| HIGH | MINED115 | Action `actions/ai-inference` pinned to mutable ref `@v2` | .github/workflows/summary.yml:21 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/summary.yml:17 |
| HIGH | MINED115 | Action `amondnet/vercel-action` pinned to mutable ref `@v25` | .github/workflows/deploy-install-script…:23 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/deploy-install-script…:15 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v8` | .github/workflows/convert-feature-reque…:107 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v8` | .github/workflows/convert-feature-reque…:89 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v8` | .github/workflows/convert-feature-reque…:28 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/npm-publish.yml:13 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/npm-publish.yml:12 |
| HIGH | MINED118 | Dockerfile FROM `node:20-bookworm-slim` not pinned by digest | evals/swebench/Dockerfile.agent:1 |
| HIGH | MINED118 | Dockerfile FROM `node:20` not pinned by digest | docker/claude-mem/Dockerfile:1 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/openclaw/openclaw:main` not pinned by digest | openclaw/Dockerfile.e2e:1 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:24.04` not pinned by digest | Dockerfile.test-installer:1 |
| HIGH | SEC020 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | src/services/worker/knowledge/CorpusBui…:96 |
| HIGH | SEC020 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | src/npx-cli/commands/server.ts:25 |
| HIGH | MINED113 | Express POST /api/corpus/:name/rebuild has no auth | src/services/worker/http/routes/CorpusR…:75 |
| HIGH | MINED113 | Express DELETE /api/corpus/:name has no auth | src/services/worker/http/routes/CorpusR…:74 |
| HIGH | MINED113 | Express POST /api/corpus has no auth | src/services/worker/http/routes/CorpusR…:71 |
| HIGH | MINED113 | Express POST /api/context/semantic has no auth | src/services/worker/http/routes/SearchR…:120 |
| HIGH | MINED113 | Express POST /v1/context has no auth | src/server/routes/v1/ServerV1Routes.ts:243 |
| HIGH | MINED113 | Express POST /v1/search has no auth | src/server/routes/v1/ServerV1Routes.ts:232 |
| HIGH | MINED113 | Express PATCH /v1/memories/:id has no auth | src/server/routes/v1/ServerV1Routes.ts:214 |
| HIGH | MINED113 | Express POST /v1/memories has no auth | src/server/routes/v1/ServerV1Routes.ts:183 |
| HIGH | MINED113 | Express POST /v1/events/batch has no auth | src/server/routes/v1/ServerV1Routes.ts:157 |
| HIGH | MINED113 | Express POST /v1/events has no auth | src/server/routes/v1/ServerV1Routes.ts:150 |
| HIGH | MINED113 | Express POST /v1/sessions/:id/end has no auth | src/server/routes/v1/ServerV1Routes.ts:124 |
| HIGH | MINED113 | Express POST /v1/sessions/start has no auth | src/server/routes/v1/ServerV1Routes.ts:117 |
| HIGH | MINED113 | Express POST /v1/projects has no auth | src/server/routes/v1/ServerV1Routes.ts:95 |
| HIGH | MINED113 | Express POST /v1/context has no auth | src/server/routes/v1/ServerV1PostgresRo…:874 |
| HIGH | MINED113 | Express POST /v1/search has no auth | src/server/routes/v1/ServerV1PostgresRo…:836 |
| HIGH | MINED113 | Express POST /v1/memories has no auth | src/server/routes/v1/ServerV1PostgresRo…:802 |
| HIGH | MINED113 | Express POST /v1/sessions/:id/end has no auth | src/server/routes/v1/ServerV1PostgresRo…:749 |
| HIGH | MINED113 | Express POST /v1/sessions/start has no auth | src/server/routes/v1/ServerV1PostgresRo…:651 |
| HIGH | MINED113 | Express POST /v1/jobs/:id/cancel has no auth | src/server/routes/v1/ServerV1PostgresRo…:635 |
| HIGH | MINED113 | Express POST /v1/jobs/:id/retry has no auth | src/server/routes/v1/ServerV1PostgresRo…:616 |
| HIGH | MINED113 | Express POST /v1/events/batch has no auth | src/server/routes/v1/ServerV1PostgresRo…:226 |
| HIGH | MINED113 | Express POST /v1/events has no auth | src/server/routes/v1/ServerV1PostgresRo…:152 |
| HIGH | MINED113 | Express POST /api/sessions/observations has no auth | src/server/compat/SessionsObservationsA…:63 |
| HIGH | MINED113 | Express POST /api/sessions/summarize has no auth | src/server/compat/SessionsSummarizeAdap…:49 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1Routes.ts:202 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1Routes.ts:171 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1Routes.ts:105 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:635 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:616 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:579 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:462 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:415 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:365 |
| HIGH | AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… | src/server/routes/v1/ServerV1PostgresRo…:317 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | src/sdk/parser.ts:48 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | scripts/generate-changelog.js:16 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | scripts/cleanup-duplicates.ts:174 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | scripts/bug-report/collector.ts:115 |
| MED | MINED111 | Bare except continues silently | evals/swebench/run-batch.py:485 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `load_run_results` has cognitive complexity… | evals/swebench/summarize.py:40 |
| MED | AUC001 | [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks… | |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.test-installer:1 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | AIC004 | Suspicious implementation file appears unreferenced | scripts/verify-timestamp-fix.ts:1 |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | src/services/worker/http/routes/Session…:162 |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | src/server/auth/auth.ts:14 |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | src/integrations/opencode-plugin/index.…:170 |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | src/cli/handlers/session-init.ts:97 |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | openclaw/src/index.ts:717 |
| MED | AGT016 | Codex session log reader may expose prompts or tool-call content | src/services/transcripts/config.ts:10 |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | src/services/worker/http/routes/Setting…:2 |
| MED | WEB015 | Public web app has no Content Security Policy | index.html |
| MED | AGT015 | Remote install command pipes network code directly to a shell | src/services/integrations/WindsurfHooks…:204 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | docs/public/architecture/worker-service…:620 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | README.md:164 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/Setting…:44 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:78 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:77 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:76 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:75 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:74 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:73 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:72 |
| MED | AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … | src/services/worker/http/routes/CorpusR…:71 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/ChromaR…:11 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/LogsRou…:89 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/LogsRou…:88 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/SearchR…:124 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/SearchR…:123 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/worker/http/routes/SearchR…:103 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/server/Server.ts:308 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/server/Server.ts:294 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/services/server/Server.ts:280 |
| MED | AUC004 | [AUC004] Admin route does not show super_admin separation: An administrative route was de… | src/server/routes/v1/ServerV1PostgresRo…:523 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `render_diff_markdown` has cognitive comple… | evals/swebench/summarize.py:149 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `load_expected_instance_ids` has cognitive … | evals/swebench/summarize.py:13 |
| LOW | DEPCUR-NPM | npm package `tsx` is minor version(s) behind (^4.21.0 -> 4.22.4) | package.json |
| LOW | DEPCUR-NPM | npm package `yaml` is minor version(s) behind (^2.8.4 -> 2.9.0) | package.json |
| LOW | DEPCUR-NPM | npm package `pg` is minor version(s) behind (^8.20.0 -> 8.21.0) | package.json |
| LOW | DEPCUR-NPM | npm package `ioredis` is minor version(s) behind (^5.10.1 -> 5.11.1) | package.json |
| LOW | DEPCUR-NPM | npm package `@clack/prompts` is minor version(s) behind (^1.3.0 -> 1.5.1) | package.json |
| LOW | DEPCUR-NPM | npm package `@anthropic-ai/claude-agent-sdk` is minor version(s) behind (^0.2.138 -> 0.3.… | package.json |
| LOW | AIC003 | Duplicated implementation block across source files | src/storage/postgres/server-sessions.ts:240 |
| LOW | AIC003 | Duplicated implementation block across source files | src/storage/postgres/generation-jobs.ts:392 |
| LOW | AIC003 | Duplicated implementation block across source files | src/shared/timeline-formatting.ts:75 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/worker/OpenRouterProvider.…:20 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/worker/OpenRouterProvider.…:19 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/worker/GeminiProvider.ts:21 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/sqlite/types.ts:188 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/sqlite/transactions.ts:80 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/sqlite/transactions.ts:43 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/sqlite/migrations.ts:320 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/infrastructure/ProcessMana…:314 |
| LOW | AIC003 | Duplicated implementation block across source files | src/services/context/formatters/HumanFo…:8 |
| LOW | AIC003 | Duplicated implementation block across source files | src/server/middleware/postgres-auth.ts:131 |
| LOW | AIC003 | Duplicated implementation block across source files | src/server/generation/providers/OpenRou…:50 |
| LOW | AIC003 | Duplicated implementation block across source files | src/server/generation/providers/GeminiO…:37 |
| LOW | AIC003 | Duplicated implementation block across source files | src/server/compat/SessionsSummarizeAdap…:32 |
| LOW | AIC003 | Duplicated implementation block across source files | src/cli/claude-md-commands.ts:19 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/validate-timestamp-logic.ts:4 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/validate-timestamp-logic.ts:1 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/translate-readme/index.ts:54 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/investigate-timestamps.ts:4 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/fix-corrupted-timestamps.ts:23 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/clear-pending-queue.ts:14 |
| LOW | WEB001 | Public web app has no robots.txt | robots.txt |
| LOW | WEB002 | Public web app has no sitemap | sitemap.xml |
| LOW | DKR008 | .dockerignore misses sensitive defaults | .dockerignore |
| LOW | DKR011 | Dockerfile installs recommended OS packages | Dockerfile.test-installer:20 |
| LOW | WEB008 | Public docs site has no llms.txt | llms.txt |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker-compose.yml:140 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker-compose.yml:90 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | scripts/verify-timestamp-fix.ts:1 |
| LOW | DKC017 | Database password is wired through an environment variable placeholder | docker-compose.yml:54 |
| LOW | WEB011 | Public web app has no humans.txt | humans.txt |
| INFO | MINED058 | [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escapi… | src/ui/viewer/components/TerminalPrevie…:134 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | src/ui/viewer/components/ObservationCar…:105 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | src/cli/adapters/gemini-cli.ts:6 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | src/cli/adapters/cursor.ts:32 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | src/cli/adapters/claude-code.ts:10 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | src/server/runtime/ActiveServerBetaQueu…:138 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | src/cli/handlers/file-context.ts:100 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | scripts/cleanup-duplicates.ts:100 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | src/sdk/prompts.ts:82 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | src/npx-cli/utils/paths.ts:124 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | scripts/bug-report/collector.ts:33 |
| INFO | MINED055 | [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… | evals/swebench/eval.sh:38 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | openclaw/test-sse-consumer.js:51 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | install/public/installer.js:3 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | docs/context/agent-sdk-v2-examples.ts:25 |
| INFO | DEPCUR-NPM | npm package `shell-quote` is patch version(s) behind (^1.8.3 -> 1.8.4) | plugin/package.json |
| INFO | DEPCUR-NPM | npm package `tree-sitter-cli` is patch version(s) behind (^0.26.5 -> 0.26.9) | plugin/package.json |
| INFO | DEPCUR-NPM | npm package `tree-sitter-cli` is patch version(s) behind (^0.26.8 -> 0.26.9) | package.json |
| INFO | DEPCUR-NPM | npm package `postcss` is patch version(s) behind (^8.5.14 -> 8.5.15) | package.json |
| INFO | DEPCUR-NPM | npm package `np` is patch version(s) behind (^11.2.0 -> 11.2.1) | package.json |
| INFO | DEPCUR-NPM | npm package `@types/bun` is patch version(s) behind (^1.3.13 -> 1.3.14) | package.json |
| INFO | DEPCUR-NPM | npm package `shell-quote` is patch version(s) behind (^1.8.3 -> 1.8.4) | package.json |
| INFO | DEPCUR-NPM | npm package `dompurify` is patch version(s) behind (^3.4.2 -> 3.4.8) | package.json |
| INFO | DEPCUR-NPM | npm package `@better-auth/api-key` is patch version(s) behind (^1.6.9 -> 1.6.14) | package.json |
196 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `thedotmack/claude-mem`

**Score: 52/100 (C+)**  ·  197 findings  ·  scanned 2026-06-05 07:24 UTC  ·  102,112 LOC

| Severity | Count |
|---|---|
| CRITICAL | 10 |
| HIGH | 81 |
| MEDIUM | 40 |
| LOW | 41 |

📊 [Full filterable report](https://repobility.com/scan/0a45bdbd-e3a2-4313-82f1-ac455e23cce5/)  ·  ![scorecard](https://repobility.com/scan/0a45bdbd-e3a2-4313-82f1-ac455e23cce5/report.png?v=1780644247-s2)

### Top findings

1. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `plugin/scripts/server-beta-service.cjs:459`
2. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `docker/e2e/server-beta-e2e.mjs:152`
3. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `docs/public/usage/private-tags.mdx:107`
4. **CRITICAL** `SEC001` — Hardcoded Password
   `scripts/e2e-server-beta-docker.sh:24` · A07:2021 Identification & Authentication Failures
5. **CRITICAL** `MINED114` — Admin endpoint without auth: POST /api/admin/shutdown
   `src/services/server/Server.ts:294` · ✓ Repobility

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/0a45bdbd-e3a2-4313-82f1-ac455e23cce5/_
Already filed

This repo publishes a SECURITY.md policy and the scan contains 28 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.

Megaproject: high spam risk

Could not determine 'thedotmack/claude-mem' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.