File as GitHub Issue (repo: sansan0/TrendRadar)

Push this scan report to sansan0/TrendRadar

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

[Image: Repobility score card]

Issue title

Missing import: `platform` used but not imported

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | MINED107 | Missing import: `html` used but not imported | `mcp_server/tools/notification.py:684` |
| CRIT | MINED107 | Missing import: `stat` used but not imported | `trendradar/notification/splitter.py:1264` |
| CRIT | MINED107 | Missing import: `platform` used but not imported | `trendradar/notification/splitter.py:1572` |
| CRIT | MINED107 | Missing import: `stat` used but not imported | `trendradar/notification/dispatcher.py:117` |
| CRIT | MINED107 | Missing import: `platform` used but not imported | `trendradar/notification/dispatcher.py:144` |
| CRIT | MINED107 | Missing import: `stat` used but not imported | `trendradar/ai/analyzer.py:271` |
| CRIT | MINED107 | Missing import: `platform` used but not imported | `trendradar/ai/analyzer.py:475` |
| CRIT | slack-webhook-url | Discovered a Slack Webhook, which could lead to unauthorized message posting and data lea… | `README-EN.md:1753` |
| CRIT | slack-webhook-url | Discovered a Slack Webhook, which could lead to unauthorized message posting and data lea… | `README.md:1807` |
| CRIT | GHSA-r75f-5x8p-qvmc | litellm: GHSA-r75f-5x8p-qvmc | `uv.lock` |
| CRIT | GHSA-jjhc-v7c2-5hh6 | litellm: GHSA-jjhc-v7c2-5hh6 | `uv.lock` |
| CRIT | GHSA-vv7q-7jx5-f767 | fastmcp: GHSA-vv7q-7jx5-f767 | `uv.lock` |
| CRIT | GHSA-wvwj-cvrp-7pv5 | authlib: GHSA-wvwj-cvrp-7pv5 | `uv.lock` |
| CRIT | GHSA-r75f-5x8p-qvmc | litellm: GHSA-r75f-5x8p-qvmc | `requirements.txt` |
| CRIT | GHSA-jjhc-v7c2-5hh6 | litellm: GHSA-jjhc-v7c2-5hh6 | `requirements.txt` |
| CRIT | GHSA-vv7q-7jx5-f767 | fastmcp: GHSA-vv7q-7jx5-f767 | `requirements.txt` |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | `trendradar/utils/url.py:82` |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `trendradar/utils/url.py:38` |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `trendradar/notification/formatters.py:26` |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `trendradar/crawler/rss/parser.py:196` |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `trendradar/utils/time.py:124` |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `trendradar/crawler/rss/parser.py:191` |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `trendradar/core/frequency.py:196` |
| HIGH | MINED012 | [MINED012] Curl Pipe Bash: curl ... \| sh / bash — runs unverified network code. | `setup-mac.sh:27` |
| HIGH | SEC078 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … | `trendradar/crawler/fetcher.py:120` |
| HIGH | SEC078 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … | `mcp_server/tools/article_reader.py:82` |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | `mcp_server/services/cache_service.py:55` |
| HIGH | MINED108 | `self.get_time` used but never assigned in `__init__` | `trendradar/context.py:358` |
| HIGH | MINED108 | `self.region_order` used but never assigned in `__init__` | `trendradar/context.py:357` |
| HIGH | MINED108 | `self.render_html` used but never assigned in `__init__` | `trendradar/context.py:336` |
| HIGH | MINED108 | `self.format_time` used but never assigned in `__init__` | `trendradar/context.py:335` |
| HIGH | MINED108 | `self.format_date` used but never assigned in `__init__` | `trendradar/context.py:334` |
| HIGH | MINED108 | `self.rank_threshold` used but never assigned in `__init__` | `trendradar/context.py:332` |
| HIGH | MINED108 | `self.show_new_section` used but never assigned in `__init__` | `trendradar/context.py:304` |
| HIGH | MINED108 | `self.rank_threshold` used but never assigned in `__init__` | `trendradar/context.py:303` |
| HIGH | MINED108 | `self.convert_time_display` used but never assigned in `__init__` | `trendradar/context.py:281` |
| HIGH | MINED108 | `self.is_first_crawl` used but never assigned in `__init__` | `trendradar/context.py:280` |
| HIGH | MINED108 | `self.weight_config` used but never assigned in `__init__` | `trendradar/context.py:277` |
| HIGH | MINED108 | `self.rank_threshold` used but never assigned in `__init__` | `trendradar/context.py:273` |
| HIGH | MINED108 | `self.get_storage_manager` used but never assigned in `__init__` | `trendradar/context.py:232` |
| HIGH | MINED108 | `self.get_storage_manager` used but never assigned in `__init__` | `trendradar/context.py:228` |
| HIGH | MINED108 | `self.get_storage_manager` used but never assigned in `__init__` | `trendradar/context.py:222` |
| HIGH | MINED108 | `self.format_date` used but never assigned in `__init__` | `trendradar/context.py:212` |
| HIGH | MINED108 | `self.timezone` used but never assigned in `__init__` | `trendradar/context.py:206` |
| HIGH | MINED108 | `self.timezone` used but never assigned in `__init__` | `trendradar/context.py:173` |
| HIGH | MINED108 | `self.timezone` used but never assigned in `__init__` | `trendradar/context.py:169` |
| HIGH | MINED108 | `self.timezone` used but never assigned in `__init__` | `trendradar/context.py:165` |
| HIGH | MINED108 | `self.timezone` used but never assigned in `__init__` | `trendradar/context.py:161` |
| HIGH | MINED108 | `self.filter_method` used but never assigned in `__init__` | `trendradar/context.py:155` |
| HIGH | MINED108 | `self.rss_config` used but never assigned in `__init__` | `trendradar/context.py:119` |
| HIGH | MINED108 | `self.rss_config` used but never assigned in `__init__` | `trendradar/context.py:114` |
| HIGH | MINED108 | `self.platforms` used but never assigned in `__init__` | `trendradar/context.py:104` |
| HIGH | SEC016 | [SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolat… | `trendradar/ai/translator.py:176` |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v7` | `.github/workflows/issue-guard.yml:39` |
| HIGH | MINED115 | Action `github/ai-moderator` pinned to mutable ref `@v1` | `.github/workflows/issue-guard.yml:25` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | `.github/workflows/issue-guard.yml:22` |
| HIGH | MINED115 | Action `Mattraks/delete-workflow-runs` pinned to mutable ref `@v2` | `.github/workflows/clean-crawler.yml:21` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | `.github/workflows/docker.yml:83` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | `.github/workflows/docker.yml:33` |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | `.github/workflows/crawler.yml:122` |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | `.github/workflows/crawler.yml:116` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | `.github/workflows/crawler.yml:57` |
| HIGH | MINED118 | Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest | `docker/Dockerfile:1` |
| HIGH | MINED118 | Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest | `docker/Dockerfile.mcp:1` |
| HIGH | GHSA-gm62-xv2j-4w53 | urllib3: GHSA-gm62-xv2j-4w53 | `uv.lock` |
| HIGH | GHSA-38jv-5279-wg99 | urllib3: GHSA-38jv-5279-wg99 | `uv.lock` |
| HIGH | GHSA-2xpw-w6gg-jr37 | urllib3: GHSA-2xpw-w6gg-jr37 | `uv.lock` |
| HIGH | PYSEC-2026-141 | urllib3: PYSEC-2026-141 | `uv.lock` |
| HIGH | GHSA-7f5h-v6xp-fcq8 | starlette: GHSA-7f5h-v6xp-fcq8 | `uv.lock` |
| HIGH | PYSEC-2026-161 | starlette: PYSEC-2026-161 | `uv.lock` |
| HIGH | GHSA-wp53-j4wj-2cfg | python-multipart: GHSA-wp53-j4wj-2cfg | `uv.lock` |
| HIGH | GHSA-pp6c-gr5w-3c5g | python-multipart: GHSA-pp6c-gr5w-3c5g | `uv.lock` |
| HIGH | GHSA-9h52-p55h-vw2f | mcp: GHSA-9h52-p55h-vw2f | `uv.lock` |
| HIGH | GHSA-xqmj-j6mv-4862 | litellm: GHSA-xqmj-j6mv-4862 | `uv.lock` |
| HIGH | GHSA-wxxx-gvqv-xp7p | litellm: GHSA-wxxx-gvqv-xp7p | `uv.lock` |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: GHSA-v4p8-mg3p-g94g | `uv.lock` |
| HIGH | GHSA-69x8-hrgq-fjj8 | litellm: GHSA-69x8-hrgq-fjj8 | `uv.lock` |
| HIGH | GHSA-53mr-6c8q-9789 | litellm: GHSA-53mr-6c8q-9789 | `uv.lock` |
| HIGH | GHSA-rww4-4w9c-7733 | fastmcp: GHSA-rww4-4w9c-7733 | `uv.lock` |
| HIGH | GHSA-rcfx-77hg-w2wv | fastmcp: GHSA-rcfx-77hg-w2wv | `uv.lock` |
| HIGH | GHSA-c2jp-c369-7pvx | fastmcp: GHSA-c2jp-c369-7pvx | `uv.lock` |
| HIGH | GHSA-5h2m-4q8j-pqpj | fastmcp: GHSA-5h2m-4q8j-pqpj | `uv.lock` |
| HIGH | GHSA-r6ph-v2qm-q3c2 | cryptography: GHSA-r6ph-v2qm-q3c2 | `uv.lock` |
| HIGH | PYSEC-2026-36 | cryptography: PYSEC-2026-36 | `uv.lock` |
| HIGH | PYSEC-2026-35 | cryptography: PYSEC-2026-35 | `uv.lock` |
| HIGH | GHSA-m344-f55w-2m6j | authlib: GHSA-m344-f55w-2m6j | `uv.lock` |
| HIGH | GHSA-7wc2-qxgw-g8gg | authlib: GHSA-7wc2-qxgw-g8gg | `uv.lock` |
| HIGH | GHSA-7432-952r-cw78 | authlib: GHSA-7432-952r-cw78 | `uv.lock` |
| HIGH | PYSEC-2026-25 | authlib: PYSEC-2026-25 | `uv.lock` |
| HIGH | PYSEC-2026-188 | authlib: PYSEC-2026-188 | `uv.lock` |
| HIGH | GHSA-xqmj-j6mv-4862 | litellm: GHSA-xqmj-j6mv-4862 | `requirements.txt` |
| HIGH | GHSA-wxxx-gvqv-xp7p | litellm: GHSA-wxxx-gvqv-xp7p | `requirements.txt` |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: GHSA-v4p8-mg3p-g94g | `requirements.txt` |
| HIGH | GHSA-69x8-hrgq-fjj8 | litellm: GHSA-69x8-hrgq-fjj8 | `requirements.txt` |
| HIGH | GHSA-53mr-6c8q-9789 | litellm: GHSA-53mr-6c8q-9789 | `requirements.txt` |
| HIGH | GHSA-rww4-4w9c-7733 | fastmcp: GHSA-rww4-4w9c-7733 | `requirements.txt` |
| HIGH | GHSA-rcfx-77hg-w2wv | fastmcp: GHSA-rcfx-77hg-w2wv | `requirements.txt` |
| HIGH | GHSA-c2jp-c369-7pvx | fastmcp: GHSA-c2jp-c369-7pvx | `requirements.txt` |
| HIGH | GHSA-5h2m-4q8j-pqpj | fastmcp: GHSA-5h2m-4q8j-pqpj | `requirements.txt` |
| HIGH | CORE_NO_TESTS | No test files found | |
| MED | CFG006 | [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build art… | |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | `trendradar/utils/time.py:269` |
| MED | SEC041 | [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… | `trendradar/report/formatter.py:234` |
| MED | SEC015 | [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … | `mcp_server/services/cache_service.py:14` |
| MED | MINED111 | Bare except continues silently | `docker/manage.py:236` |
| MED | MINED111 | Bare except continues silently | `docker/manage.py:149` |
| MED | MINED111 | Bare except continues silently | `docker/manage.py:127` |
| MED | MINED111 | Bare except continues silently | `docker/manage.py:46` |
| MED | MINED111 | Bare except continues silently | `docker/manage.py:31` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1897` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:2008` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1925` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1876` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1762` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1517` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1211` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:617` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:568` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:445` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:298` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:266` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:164` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:2317` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:2264` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:2080` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1865` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:1816` |
| MED | MINED111 | Bare except continues silently | `trendradar/__main__.py:75` |
| MED | MINED111 | Bare except continues silently | `mcp_server/server.py:177` |
| MED | DKR003 | Compose service `trendradar-mcp` image uses the latest tag | `docker/docker-compose.yml:57` |
| MED | DKR003 | Compose service `trendradar` image uses the latest tag | `docker/docker-compose.yml:1` |
| MED | DEPCUR-PY | Python package `tenacity` is 1 major version(s) behind (8.5.0 -> 9.1.4) | `requirements.txt:10` |
| MED | DEPCUR-PY | Python package `websockets` is 3 major version(s) behind (13.1 -> 16.0) | `requirements.txt:5` |
| MED | DEPCUR-PY | Python package `fastmcp` is 1 major version(s) behind (2.12.5 -> 3.4.0) | `requirements.txt:4` |
| MED | GHSA-hgf8-39gv-g3f2 | werkzeug: GHSA-hgf8-39gv-g3f2 | `uv.lock` |
| MED | GHSA-87hc-h4r5-73f7 | werkzeug: GHSA-87hc-h4r5-73f7 | `uv.lock` |
| MED | GHSA-29vq-49wr-vm6x | werkzeug: GHSA-29vq-49wr-vm6x | `uv.lock` |
| MED | GHSA-mj87-hwqh-73pj | python-multipart: GHSA-mj87-hwqh-73pj | `uv.lock` |
| MED | GHSA-mf9w-mj56-hr94 | python-dotenv: GHSA-mf9w-mj56-hr94 | `uv.lock` |
| MED | GHSA-65pc-fj4g-8rjx | idna: GHSA-65pc-fj4g-8rjx | `uv.lock` |
| MED | GHSA-rj5c-58rq-j5g5 | fastmcp: GHSA-rj5c-58rq-j5g5 | `uv.lock` |
| MED | GHSA-mxxr-jv3v-6pgc | fastmcp: GHSA-mxxr-jv3v-6pgc | `uv.lock` |
| MED | GHSA-m8x7-r2rg-vh5g | fastmcp: GHSA-m8x7-r2rg-vh5g | `uv.lock` |
| MED | GHSA-fg6f-75jq-6523 | authlib: GHSA-fg6f-75jq-6523 | `uv.lock` |
| MED | GHSA-w2fm-2cpv-w7v5 | aiohttp: GHSA-w2fm-2cpv-w7v5 | `uv.lock` |
| MED | GHSA-p998-jp59-783m | aiohttp: GHSA-p998-jp59-783m | `uv.lock` |
| MED | GHSA-m5qp-6w8w-w647 | aiohttp: GHSA-m5qp-6w8w-w647 | `uv.lock` |
| MED | GHSA-jg22-mg44-37j8 | aiohttp: GHSA-jg22-mg44-37j8 | `uv.lock` |
| MED | GHSA-hg6j-4rv6-33pg | aiohttp: GHSA-hg6j-4rv6-33pg | `uv.lock` |
| MED | GHSA-c427-h43c-vf67 | aiohttp: GHSA-c427-h43c-vf67 | `uv.lock` |
| MED | GHSA-rj5c-58rq-j5g5 | fastmcp: GHSA-rj5c-58rq-j5g5 | `requirements.txt` |
| MED | GHSA-mxxr-jv3v-6pgc | fastmcp: GHSA-mxxr-jv3v-6pgc | `requirements.txt` |
| MED | GHSA-m8x7-r2rg-vh5g | fastmcp: GHSA-m8x7-r2rg-vh5g | `requirements.txt` |
| MED | DKR001 | Docker final stage has no non-root USER | `docker/Dockerfile.mcp:1` |
| MED | DKR001 | Docker final stage has no non-root USER | `docker/Dockerfile:1` |
| MED | SEC017 | [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … | `trendradar/ai/translator.py:176` |
| MED | AGT007 | localStorage write failures are swallowed silently | `trendradar/report/html.py:2229` |
| MED | WEB003 | Public web service has no security.txt | `.well-known/security.txt` |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `start-http.sh:21` |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `mcp_server/server.py:120` |
| MED | WEB015 | Public web app has no Content Security Policy | `index.html` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `setup-mac.sh:27` |
| MED | CORE_LARGE_FILES | Average file size is 602 lines (recommend <300) | |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `chat` has cognitive complexity 11 (SonarSo… | `trendradar/ai/client.py:42` |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `read_articles_batch` has cognitive complex… | `mcp_server/tools/article_reader.py:139` |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `make_cache_key` has cognitive complexity 1… | `mcp_server/services/cache_service.py:14` |
| LOW | DEPCUR-PY | Python package `json-repair` is minor version(s) behind (0.58.6 -> 0.60.1) | `requirements.txt:9` |
| LOW | DEPCUR-PY | Python package `litellm` is minor version(s) behind (1.82.6 -> 1.87.1) | `requirements.txt:8` |
| LOW | DEPCUR-PY | Python package `pytz` is minor version(s) behind (2026.1 -> 2026.2) | `requirements.txt:2` |
| LOW | DEPCUR-PY | Python package `requests` is minor version(s) behind (2.33.0 -> 2.34.2) | `requirements.txt:1` |
| LOW | GHSA-5239-wwwm-4pmq | pygments: GHSA-5239-wwwm-4pmq | `uv.lock` |
| LOW | GHSA-mwh4-6h8g-pg8w | aiohttp: GHSA-mwh4-6h8g-pg8w | `uv.lock` |
| LOW | GHSA-hcc4-c3v8-rx92 | aiohttp: GHSA-hcc4-c3v8-rx92 | `uv.lock` |
| LOW | GHSA-966j-vmvw-g2g9 | aiohttp: GHSA-966j-vmvw-g2g9 | `uv.lock` |
| LOW | GHSA-63hf-3vf5-4wqf | aiohttp: GHSA-63hf-3vf5-4wqf | `uv.lock` |
| LOW | GHSA-3wq7-rqq7-wx6j | aiohttp: GHSA-3wq7-rqq7-wx6j | `uv.lock` |
| LOW | GHSA-2vrm-gr82-f7m5 | aiohttp: GHSA-2vrm-gr82-f7m5 | `uv.lock` |
| LOW | AIC003 | Duplicated implementation block across source files | `trendradar/storage/remote.py:103` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_server/tools/system.py:43` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_server/tools/storage_sync.py:254` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_server/tools/search_tools.py:191` |
| LOW | WEB001 | Public web app has no robots.txt | `robots.txt` |
| LOW | WEB002 | Public web app has no sitemap | `sitemap.xml` |
| LOW | DKR008 | .dockerignore misses sensitive defaults | `.dockerignore` |
| LOW | WEB008 | Public docs site has no llms.txt | `llms.txt` |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | `docker/docker-compose.yml:57` |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | `docker/docker-compose.yml:1` |
| LOW | DKC006 | Compose service does not declare a runtime user | `docker/docker-compose.yml:57` |
| LOW | DKC006 | Compose service does not declare a runtime user | `docker/docker-compose.yml:1` |
| LOW | WEB011 | Public web app has no humans.txt | `humans.txt` |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | `trendradar/utils/time.py:125` |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | `trendradar/crawler/rss/parser.py:192` |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | `trendradar/core/frequency.py:63` |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | `trendradar/crawler/rss/parser.py:24` |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | `trendradar/crawler/rss/fetcher.py:20` |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | `trendradar/ai/translator.py:16` |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `trendradar/crawler/fetcher.py:120` |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `trendradar/core/cdn.py:53` |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `mcp_server/tools/article_reader.py:82` |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `mcp_server/tools/article_reader.py:74` |

200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `sansan0/TrendRadar`

**Score: 56/100 (D)**  ·  206 findings  ·  scanned 2026-06-05 09:52 UTC  ·  36,128 LOC

| Severity | Count |
|---|---|
| CRITICAL | 22 |
| HIGH | 84 |
| MEDIUM | 63 |
| LOW | 27 |

📊 [Full filterable report](https://repobility.com/scan/1178e500-7bf6-4ce8-86a4-9303c4049b1d/)  ·  ![scorecard](https://repobility.com/scan/1178e500-7bf6-4ce8-86a4-9303c4049b1d/report.png?v=1780653122-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `html` used but not imported
   `mcp_server/tools/notification.py:684` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `stat` used but not imported
   `trendradar/notification/splitter.py:1264` · ✓ Repobility
3. **CRITICAL** `MINED107` — Missing import: `platform` used but not imported
   `trendradar/notification/splitter.py:1572` · ✓ Repobility
4. **CRITICAL** `MINED107` — Missing import: `stat` used but not imported
   `trendradar/notification/dispatcher.py:117` · ✓ Repobility
5. **CRITICAL** `MINED107` — Missing import: `platform` used but not imported
   `trendradar/notification/dispatcher.py:144` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/1178e500-7bf6-4ce8-86a4-9303c4049b1d/_
Megaproject: high spam risk
Could not determine 'sansan0/TrendRadar' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.