← Back to scan
File as GitHub Issue repo: openclaw/openclaw

Push this scan report to openclaw/openclaw

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Workflow uses `secrets.ZAI_API_KEY` on a `pull_request` trigger

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED116 [MINED116] Workflow uses `secrets.ANTHROPIC_API_TOKEN` on a `pull_request` trigger: This … .github/workflows/ci-check-arm-testbox.…:130
CRIT MINED116 [MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY_OLD` on a `pull_request` trigger: Thi… .github/workflows/ci-check-arm-testbox.…:129
CRIT MINED116 [MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This wo… .github/workflows/ci-check-arm-testbox.…:128
CRIT MINED116 [MINED116] Workflow uses `secrets.Z_AI_API_KEY` on a `pull_request` trigger: This workflo… .github/workflows/ci-build-artifacts-te…:230
CRIT MINED116 [MINED116] Workflow uses `secrets.ZAI_API_KEY` on a `pull_request` trigger: This workflow… .github/workflows/ci-build-artifacts-te…:229
CRIT MINED116 [MINED116] Workflow uses `secrets.XAI_API_KEY` on a `pull_request` trigger: This workflow… .github/workflows/ci-build-artifacts-te…:228
CRIT MINED116 [MINED116] Workflow uses `secrets.TOGETHER_API_KEY` on a `pull_request` trigger: This wor… .github/workflows/ci-build-artifacts-te…:227
CRIT MINED116 [MINED116] Workflow uses `secrets.QWEN_API_KEY` on a `pull_request` trigger: This workflo… .github/workflows/ci-build-artifacts-te…:226
CRIT MINED116 [MINED116] Workflow uses `secrets.OPENROUTER_API_KEY` on a `pull_request` trigger: This w… .github/workflows/ci-build-artifacts-te…:225
CRIT MINED116 [MINED116] Workflow uses `secrets.OPENAI_BASE_URL` on a `pull_request` trigger: This work… .github/workflows/ci-build-artifacts-te…:224
CRIT MINED116 [MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workf… .github/workflows/ci-build-artifacts-te…:223
CRIT MINED116 [MINED116] Workflow uses `secrets.MOONSHOT_API_KEY` on a `pull_request` trigger: This wor… .github/workflows/ci-build-artifacts-te…:222
CRIT MINED116 [MINED116] Workflow uses `secrets.MISTRAL_API_KEY` on a `pull_request` trigger: This work… .github/workflows/ci-build-artifacts-te…:221
CRIT MINED116 [MINED116] Workflow uses `secrets.MINIMAX_API_KEY` on a `pull_request` trigger: This work… .github/workflows/ci-build-artifacts-te…:220
HIGH MINED108 [MINED108] `self.text_content` used but never assigned in __init__: Method `send_text` of… scripts/e2e/telegram-user-driver.py:403
HIGH MINED108 [MINED108] `self.settle_sent_message` used but never assigned in __init__: Method `send_t… scripts/e2e/telegram-user-driver.py:389
HIGH MINED108 [MINED108] `self.encryption_key_for_current_tdlib` used but never assigned in __init__: M… scripts/e2e/telegram-user-driver.py:342
HIGH MINED108 [MINED108] `self.encryption_key_for_current_tdlib` used but never assigned in __init__: M… scripts/e2e/telegram-user-driver.py:332
HIGH MINED108 [MINED108] `self.show_qr_link` used but never assigned in __init__: Method `authorize` of… scripts/e2e/telegram-user-driver.py:314
HIGH MINED108 [MINED108] `self.encryption_key` used but never assigned in __init__: Method `authorize` … scripts/e2e/telegram-user-driver.py:295
HIGH MINED108 [MINED108] `self.td_params_current` used but never assigned in __init__: Method `authoriz… scripts/e2e/telegram-user-driver.py:345
HIGH MINED108 [MINED108] `self.td_params_current` used but never assigned in __init__: Method `authoriz… scripts/e2e/telegram-user-driver.py:335
HIGH MINED108 [MINED108] `self.td_params` used but never assigned in __init__: Method `authorize` of cl… scripts/e2e/telegram-user-driver.py:290
HIGH MINED108 [MINED108] `self.encryption_key` used but never assigned in __init__: Method `encryption_… scripts/e2e/telegram-user-driver.py:272
HIGH MINED108 [MINED108] `self.td_params` used but never assigned in __init__: Method `td_params_curren… scripts/e2e/telegram-user-driver.py:259
HIGH MINED108 [MINED108] `self.receive` used but never assigned in __init__: Method `next_update` of cl… scripts/e2e/telegram-user-driver.py:220
HIGH MINED108 [MINED108] `self.handle_update` used but never assigned in __init__: Method `request` of … scripts/e2e/telegram-user-driver.py:210
HIGH MINED108 [MINED108] `self.receive` used but never assigned in __init__: Method `request` of class … scripts/e2e/telegram-user-driver.py:203
HIGH MINED108 [MINED108] `self.send` used but never assigned in __init__: Method `request` of class `Td… scripts/e2e/telegram-user-driver.py:200
HIGH SEC035 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursi… extensions/file-transfer/src/node-host/…:119
HIGH SEC035 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursi… extensions/file-transfer/src/node-host/…:187
HIGH SEC033 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled o… extensions/discord/src/monitor/native-c…:50
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). extensions/diffs/src/viewer-assets.ts:158
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). extensions/diffs-language-pack/src/view…:84
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… extensions/imessage/src/monitor/reflect…:31
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… extensions/copilot/src/auth-bridge.ts:317
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… extensions/browser/src/browser/url-patt…:20
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… extensions/chutes/onboard.ts:29
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… extensions/browser/src/cli/browser-cli-…:132
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… extensions/browser/src/browser/snapshot…:15
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… extensions/browser/src/browser/paths.ts:156
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… extensions/browser/src/browser/output-f…:23
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… extensions/acpx/src/process-lease.ts:100
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… extensions/browser/src/browser/routes/d…:91
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… extensions/browser/src/browser/paths.ts:107
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… extensions/acpx/src/codex-trust-config.…:144
HIGH MINED008 [MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let. apps/swabble/Sources/SwabbleCore/Suppor…:62
HIGH MINED008 [MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let. apps/shared/OpenClawKit/Sources/OpenCla…:185
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/android/app/src/main/java/ai/openc…:109
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/android/app/src/main/java/ai/openc…:151
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/android/app/src/main/java/ai/openc…:74
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… apps/android/app/src/main/java/ai/openc…:14
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… apps/android/app/src/main/java/ai/openc…:16
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… apps/android/app/src/main/java/ai/openc…:115
HIGH SEC018 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials w… .agents/skills/release-openclaw-ci/scri…:35
HIGH DKR006 Dockerfile pipes a remote script into a shell scripts/docker/sandbox/Dockerfile.common:31
HIGH DKR006 Dockerfile pipes a remote script into a shell scripts/docker/install-sh-nonroot/Docke…:28
HIGH MINED134 [MINED134] Binary file `apps/android/gradle/wrapper/gradle-wrapper.jar` committed in sour… apps/android/gradle/wrapper/gradle-wrap…:1
HIGH MINED118 [MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resol… .github/images/live-media-runner/Docker…:1
HIGH MINED126 [MINED126] Workflow container/services image `ghcr.io/openclaw/openclaw-live-media-runner… .github/workflows/openclaw-live-and-e2e…:2450
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/install-smoke.yml:292
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/install-smoke.yml:220
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/install-smoke.yml:109
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/install-smoke.yml:59
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/u… .github/workflows/npm-telegram-beta-e2e…:272
HIGH MINED115 [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions… .github/workflows/npm-telegram-beta-e2e…:200
HIGH MINED115 [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions… .github/workflows/npm-telegram-beta-e2e…:193
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/npm-telegram-beta-e2e…:123
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/docs-agent.yml:36
HIGH MINED115 [MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: a… .github/workflows/mantis-slack-desktop-…:466
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/u… .github/workflows/mantis-slack-desktop-…:456
HIGH MINED115 [MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go… .github/workflows/mantis-slack-desktop-…:193
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/mantis-slack-desktop-…:183
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/mantis-slack-desktop-…:168
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/mantis-slack-desktop-…:114
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/git… .github/workflows/mantis-slack-desktop-…:84
HIGH MINED115 [MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: a… .github/workflows/real-behavior-proof.y…:37
HIGH MINED115 [MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: a… .github/workflows/real-behavior-proof.y…:29
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/real-behavior-proof.y…:25
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/duplicate-after-merge…:38
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/u… .github/workflows/opengrep-precise.yml:96
HIGH MINED115 [MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v4`: `uses:… .github/workflows/opengrep-precise.yml:87
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/opengrep-precise.yml:44
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/windows-blacksmith-te…:111
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… apps/swabble/.github/workflows/ci.yml:17
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutab… .pre-commit-config.yaml:54
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/zizmorcore/zizmor-pre-commit` pinned to mu… .pre-commit-config.yaml:39
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/rhysd/actionlint` pinned to mutable rev `v… .pre-commit-config.yaml:33
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/koalaman/shellcheck-precommit` pinned to m… .pre-commit-config.yaml:24
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mut… .pre-commit-config.yaml:9
HIGH SEC020 [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… apps/macos/Sources/OpenClaw/VoiceWakeOv…:86
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… extensions/matrix/src/matrix/sdk/idb-pe…:33
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… extensions/document-extract/document-ex…:48
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… extensions/codex/src/app-server/sandbox…:296
HIGH JRN004 Consent is collected in UI without visible backend audit persistence extensions/msteams/src/pending-uploads-…:243
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/skill-creator/scripts/package_sk…:114
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/skill-creator/scripts/init_skill…:300
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/skill-creator/scripts/init_skill…:292
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/skill-creator/scripts/init_skill…:280
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/model-usage/scripts/model_usage.…:259
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/model-usage/scripts/model_usage.…:91
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. extensions/browser/plugin-registration.…:191
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. extensions/acpx/src/runtime-turn.ts:98
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. extensions/acpx/src/process-lease.ts:114
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… extensions/browser/src/browser/routes/e…:25
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… apps/macos/Sources/OpenClaw/SessionData…:151
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … extensions/acpx/src/codex-trust-config.…:144
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … apps/android/app/src/main/java/ai/openc…:30
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … apps/android/app/src/main/java/ai/openc…:198
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED MINED124 [MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every… src/cli/requirements-test-fixtures.ts:20
MED MINED124 [MINED124] requirements.txt: `};` has no version pin: Unpinned pip requirement means ever… src/cli/requirements-test-fixtures.ts:19
MED MINED124 [MINED124] requirements.txt: `install: [],` has no version pin: Unpinned pip requirement … src/cli/requirements-test-fixtures.ts:18
MED MINED124 [MINED124] requirements.txt: `configChecks: [],` has no version pin: Unpinned pip require… src/cli/requirements-test-fixtures.ts:17
MED MINED124 [MINED124] requirements.txt: `missing: createEmptyRequirements(),` has no version pin: Un… src/cli/requirements-test-fixtures.ts:16
MED MINED124 [MINED124] requirements.txt: `requirements: createEmptyRequirements(),` has no version pi… src/cli/requirements-test-fixtures.ts:15
MED MINED124 [MINED124] requirements.txt: `return {` has no version pin: Unpinned pip requirement mean… src/cli/requirements-test-fixtures.ts:14
MED MINED124 [MINED124] requirements.txt: `export function createEmptyInstallChecks() {` has no versio… src/cli/requirements-test-fixtures.ts:13
MED MINED124 [MINED124] requirements.txt: `/** Build an empty install-check result with all requiremen… src/cli/requirements-test-fixtures.ts:12
MED MINED124 [MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every… src/cli/requirements-test-fixtures.ts:10
MED MINED124 [MINED124] requirements.txt: `};` has no version pin: Unpinned pip requirement means ever… src/cli/requirements-test-fixtures.ts:9
MED MINED124 [MINED124] requirements.txt: `os: [],` has no version pin: Unpinned pip requirement means… src/cli/requirements-test-fixtures.ts:8
MED MINED124 [MINED124] requirements.txt: `config: [],` has no version pin: Unpinned pip requirement m… src/cli/requirements-test-fixtures.ts:7
MED MINED124 [MINED124] requirements.txt: `env: [],` has no version pin: Unpinned pip requirement mean… src/cli/requirements-test-fixtures.ts:6
MED MINED124 [MINED124] requirements.txt: `anyBins: [],` has no version pin: Unpinned pip requirement … src/cli/requirements-test-fixtures.ts:5
MED MINED124 [MINED124] requirements.txt: `bins: [],` has no version pin: Unpinned pip requirement mea… src/cli/requirements-test-fixtures.ts:4
MED MINED124 [MINED124] requirements.txt: `return {` has no version pin: Unpinned pip requirement mean… src/cli/requirements-test-fixtures.ts:3
MED MINED124 [MINED124] requirements.txt: `function createEmptyRequirements() {` has no version pin: U… src/cli/requirements-test-fixtures.ts:2
MED MINED124 [MINED124] requirements.txt: `// Shared empty requirement/install-check fixtures for CLI … src/cli/requirements-test-fixtures.ts:1
MED DKR009 Dockerfile separates apt update from install scripts/docker/install-sh-smoke/Dockerf…:7
MED DKR009 Dockerfile separates apt update from install scripts/docker/install-sh-nonroot/Docke…:7
MED DKR001 Docker final stage has no non-root USER scripts/e2e/Dockerfile:41
MED DKR001 Docker final stage has no non-root USER scripts/docker/install-sh-smoke/Dockerf…:3
MED DKR001 Docker final stage has no non-root USER scripts/docker/cleanup-smoke/Dockerfile:3
MED DKR001 Docker final stage has no non-root USER .github/images/live-media-runner/Docker…:1
MED AIC001 Parallel implementation file sits beside a canonical file src/commands/status.update.ts:1
MED AIC001 Parallel implementation file sits beside a canonical file src/commands/doctor-update.ts:1
MED AIC001 Parallel implementation file sits beside a canonical file src/agents/apply-patch-update.ts:1
MED AIC001 Parallel implementation file sits beside a canonical file extensions/matrix/src/migration-snapsho…:1
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore scripts/e2e/Dockerfile.qr-import:31
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore scripts/docker/cleanup-smoke/Dockerfile:31
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:99
MED WEB015 Public web app has no Content Security Policy index.html
MED AGT015 Remote install command pipes network code directly to a shell docs/install/exe-dev.md:67
LOW AIC003 Duplicated implementation block across source files apps/macos/Sources/OpenClaw/OnboardingV…:389
LOW AIC003 Duplicated implementation block across source files apps/macos/Sources/OpenClaw/ExecSystemR…:188
LOW AIC003 Duplicated implementation block across source files apps/macos/Sources/OpenClaw/ExecSystemR…:152
LOW AIC003 Duplicated implementation block across source files apps/ios/WatchExtension/Sources/WatchCo…:35
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Voice/VoiceWakeManager…:339
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/RootTabs.swift:476
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Onboarding/OnboardingW…:552
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Onboarding/OnboardingW…:164
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Gateway/GatewayQuickSe…:105
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Design/SettingsProTabA…:91
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Design/AgentProTab+Det…:6
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Design/AgentProTab+Des…:126
LOW AIC003 Duplicated implementation block across source files apps/ios/Sources/Design/AgentProNodesDe…:230
LOW AIC003 Duplicated implementation block across source files apps/android/app/src/thirdParty/java/ai…:1
LOW AIC003 Duplicated implementation block across source files apps/android/app/src/main/java/ai/openc…:56
LOW WEB001 Public web app has no robots.txt robots.txt
LOW DKR010 Dockerfile leaves apt package indexes in the image layer scripts/docker/sandbox/Dockerfile.common:24
LOW DKR010 Dockerfile leaves apt package indexes in the image layer scripts/docker/sandbox/Dockerfile.brows…:9
LOW DKR010 Dockerfile leaves apt package indexes in the image layer scripts/docker/sandbox/Dockerfile:5
LOW DKR010 Dockerfile leaves apt package indexes in the image layer scripts/docker/install-sh-e2e/Dockerfile:5
LOW DKR010 Dockerfile leaves apt package indexes in the image layer scripts/docker/cleanup-smoke/Dockerfile:7
LOW DKR010 Dockerfile leaves apt package indexes in the image layer Dockerfile:258
LOW DKR010 Dockerfile leaves apt package indexes in the image layer Dockerfile:242
LOW DKR010 Dockerfile leaves apt package indexes in the image layer Dockerfile:226
LOW DKR010 Dockerfile leaves apt package indexes in the image layer Dockerfile:215
LOW DKR010 Dockerfile leaves apt package indexes in the image layer Dockerfile:172
LOW WEB002 Public web app has no sitemap sitemap.xml
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW WEB008 Public docs site has no llms.txt llms.txt
LOW AIC005 Duplicate top-level symbol appears in a patch-style file extensions/matrix/src/matrix/config-upd…:1
LOW AIC002 Source file name looks like an AI patch artifact src/cli/program/register.backup.ts:1
LOW AIC002 Source file name looks like an AI patch artifact src/auto-reply/reply/private-message-to…:1
LOW AIC002 Source file name looks like an AI patch artifact src/auto-reply/reply/agent-runner-failu…:1
LOW AIC002 Source file name looks like an AI patch artifact src/agents/embedded-agent-runner/transc…:1
LOW AIC002 Source file name looks like an AI patch artifact src/agents/auth-profiles/failure-copy.ts:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/whatsapp/src/security-fix.ts:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/telegram/src/native-tool-pro…:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/qqbot/src/engine/config/cred…:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/openai/auth-choice-copy.ts:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/matrix/src/matrix/config-upd…:1
LOW AIC002 Source file name looks like an AI patch artifact extensions/matrix/src/profile-update.ts:1
LOW WEB011 Public web app has no humans.txt humans.txt
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. extensions/browser/src/browser/server-c…:66
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. extensions/copilot/src/auth-bridge.ts:175
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. apps/macos/Sources/OpenClawMacCLI/Entry…:40
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. apps/macos/Sources/OpenClawMacCLI/Conne…:97
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/macos/Sources/OpenClaw/TailscaleSe…:14
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/macos/Sources/OpenClaw/LaunchAgent…:36
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/ios/Sources/Settings/SettingsNetwo…:36
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … extensions/acpx/src/process-lease.ts:65
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … extensions/acpx/src/codex-trust-config.…:297
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … apps/android/scripts/build-release-aab.…:118
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … apps/android/scripts/build-release-aab.…:135
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … .agents/skills/release-openclaw-ci/scri…:96
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … .agents/skills/release-openclaw-ci/scri…:13
Reset to top 5 200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `openclaw/openclaw`

**Score: 74/100 (A)**  ·  222 findings  ·  scanned 2026-06-05 04:24 UTC  ·  4,192,372 LOC

| Severity | Count |
|---|---|
| CRITICAL | 26 |
| HIGH | 81 |
| MEDIUM | 50 |
| LOW | 42 |

📊 [Full filterable report](https://repobility.com/scan/133fe0c7-218e-4742-847e-cbe2f5a1fb4f/)  ·  ![scorecard](https://repobility.com/scan/133fe0c7-218e-4742-847e-cbe2f5a1fb4f/report.png?v=1780633472-s2)

### Top findings

1. **CRITICAL** `MINED116` — Workflow uses `secrets.ANTHROPIC_API_TOKEN` on a `pull_request` trigger
   `.github/workflows/ci-check-arm-testbox.yml:130` · ✓ Repobility
2. **CRITICAL** `MINED116` — Workflow uses `secrets.ANTHROPIC_API_KEY_OLD` on a `pull_request` trigger
   `.github/workflows/ci-check-arm-testbox.yml:129` · ✓ Repobility
3. **CRITICAL** `MINED116` — Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger
   `.github/workflows/ci-check-arm-testbox.yml:128` · ✓ Repobility
4. **CRITICAL** `MINED116` — Workflow uses `secrets.Z_AI_API_KEY` on a `pull_request` trigger
   `.github/workflows/ci-build-artifacts-testbox.yml:230` · ✓ Repobility
5. **CRITICAL** `MINED116` — Workflow uses `secrets.ZAI_API_KEY` on a `pull_request` trigger
   `.github/workflows/ci-build-artifacts-testbox.yml:229` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/133fe0c7-218e-4742-847e-cbe2f5a1fb4f/_
Already filed
This repo publishes a SECURITY.md policy and the scan contains 27 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject â high spam risk
Could not determine 'openclaw/openclaw' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
86/247 findings (35%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.
Open in GitHub to file this issue Filing guard overridden Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.