← Back to scan
File as GitHub Issue repo: cline/cline

Push this scan report to cline/cline

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Ruby YAML.load / Marshal.load on untrusted input

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED107 [MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.some… .github/scripts/coverage_check/workflow…:226
CRIT SEC084 [SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — eq… sdk/packages/core/src/services/llms/con…:149
CRIT MINED018 [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLo… evals/analysis/src/classifier.ts:46
CRIT MINED018 [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLo… apps/vscode/src/core/context/instructio…:47
CRIT SEC116 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Mar… evals/analysis/src/classifier.ts:46
CRIT SEC116 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Mar… apps/vscode/src/core/context/instructio…:47
CRIT SEC079 [SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader ca… evals/analysis/src/classifier.ts:46
CRIT SEC079 [SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader ca… apps/vscode/src/core/context/instructio…:47
CRIT MINED116 [MINED116] Workflow uses `secrets.QLTY_COVERAGE_TOKEN` on a `pull_request` trigger: This … .github/workflows/ext-vscode-test.yml:363
CRIT MINED116 [MINED116] Workflow uses `secrets.QLTY_COVERAGE_TOKEN` on a `pull_request` trigger: This … .github/workflows/ext-vscode-test.yml:343
CRIT MINED116 [MINED116] Workflow uses `secrets.QLTY_COVERAGE_TOKEN` on a `pull_request` trigger: This … .github/workflows/ext-vscode-test.yml:333
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). sdk/packages/core/src/extensions/mcp/na…:11
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). apps/vscode/src/shared/storage/adapters…:124
HIGH MINED031 [MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React … apps/vscode/src/integrations/terminal/s…:104
HIGH MINED027 [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — Re… sdk/packages/core/src/runtime/turn-queu…:100
HIGH MINED027 [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — Re… apps/vscode/src/core/task/tools/utils/T…:159
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… apps/vscode/testing-platform/index.ts:109
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… apps/vscode/src/core/controller/file/op…:14
HIGH SEC114 [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… apps/vscode/scripts/testing-platform-or…:156
HIGH SEC080 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='da… apps/vscode/scripts/download-ripgrep.mjs:110
HIGH SEC100 [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` orig… apps/examples/vscode/src/webview/vite.c…:18
HIGH SEC100 [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` orig… apps/cline-hub/src/webview/vite.config.…:18
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… apps/examples/desktop-app/webview/compo…:82
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… apps/cline-hub/src/webview/src/componen…:84
HIGH SEC040 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… apps/cline-hub/src/webview/src/componen…:121
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… apps/cli/src/tui/utils/tool-parsing.ts:271
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… apps/cli/src/tui/commands/slash-command…:264
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… apps/cli/src/runtime/prompt.ts:77
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… apps/vscode/src/core/slash-commands/ind…:113
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… apps/cli/src/tui/utils/image-paste.ts:18
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… apps/cli/src/runtime/prompt.ts:54
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/cli/src/connectors/stores/memory-s…:23
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/cli/src/connectors/stores/file-sta…:133
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … apps/cli/src/connectors/chat-runtime.ts:37
HIGH SEC033 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled o… sdk/packages/core/src/session/services/…:208
HIGH SEC033 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled o… apps/cli/src/connectors/base.ts:149
HIGH MINED034 [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command inje… .github/scripts/coverage_check/util.py:190
HIGH SEC078 [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … .github/scripts/coverage_check/github_a…:123
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… apps/cli/src/connectors/chat-runtime.ts:81
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… apps/cli/src/commands/dashboard.ts:128
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… .github/scripts/coverage_check/github_a…:123
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… .github/scripts/coverage_check/extracti…:49
HIGH COMP001 [COMP001] High cognitive complexity: Function `extract_coverage` has cognitive complexity… .github/scripts/coverage_check/extracti…:64
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test.yml:225
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/u… .github/workflows/ext-vscode-test.yml:207
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/ext-vscode-test.yml:153
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ext-vscode-test.yml:127
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test.yml:124
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ext-vscode-test.yml:86
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test.yml:83
HIGH MINED115 [MINED115] Action `dorny/paths-filter` pinned to mutable ref `@v3`: `uses: dorny/paths-fi… .github/workflows/ext-vscode-test.yml:32
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test.yml:29
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/u… .github/workflows/ext-vscode-test-e2e.y…:156
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/ext-vscode-test-e2e.y…:120
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/ext-vscode-test-e2e.y…:110
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/ext-vscode-test-e2e.y…:102
HIGH MINED115 [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` r… .github/workflows/ext-vscode-test-e2e.y…:94
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ext-vscode-test-e2e.y…:88
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test-e2e.y…:86
HIGH MINED115 [MINED115] Action `dorny/paths-filter` pinned to mutable ref `@v3`: `uses: dorny/paths-fi… .github/workflows/ext-vscode-test-e2e.y…:32
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-test-e2e.y…:29
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ext-vscode-publish-ni…:54
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-publish-ni…:40
HIGH MINED115 [MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.1`: `uses: … .github/workflows/ext-vscode-publish-st…:210
HIGH MINED115 [MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softp… .github/workflows/ext-vscode-publish-st…:197
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ext-vscode-publish-st…:113
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ext-vscode-publish-st…:44
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/repo-label-issues.yml:13
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… sdk/examples/hooks/PostToolUse.py:23
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… sdk/examples/hooks/PreToolUse_InjectCon…:38
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… sdk/examples/hooks/PreToolUse_InjectCon…:25
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… sdk/packages/core/scripts/telemetry-smo…:155
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… apps/vscode/webview-ui/src/components/u…:181
MED SEC134 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… apps/vscode/webview-ui/src/components/c…:249
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … apps/vscode/src/dev/commands/tasks.ts:125
MED SEC007 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. evals/analysis/src/classifier.ts:46
MED SEC007 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. apps/vscode/src/core/context/instructio…:47
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… apps/vscode/src/utils/git-worktree.ts:84
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… apps/vscode/src/services/browser/Browse…:50
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… apps/vscode/src/core/api/providers/clau…:212
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … sdk/packages/core/src/session/stores/co…:16
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … apps/vscode/src/dev/commands/tasks.ts:125
MED SEC087 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … apps/cline-hub/src/server.ts:88
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … apps/cli/src/tui/utils/tool-parsing.ts:271
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … apps/cli/src/tui/commands/slash-command…:264
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … apps/cli/src/runtime/prompt.ts:77
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. apps/cli/src/index.ts:53
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. apps/cli/src/connectors/runtime-turn.ts:337
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. apps/cli/src/connectors/chat-runtime.ts:33
MED COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 21 (SonarSo… .github/scripts/coverage_check/__main__…:25
MED AGT007 localStorage write failures are swallowed silently apps/cline-hub/src/webview/src/vscode.ts:100
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … apps/vscode/src/core/api/transform/open…:214
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … apps/vscode/src/core/api/providers/qwen…:207
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … apps/vscode/src/core/api/providers/aihu…:263
MED AGT013 Agent auto-approve or skip-permissions mode is easy to enable apps/examples/cline-core-cli-agent/src/…:140
MED AGT013 Agent auto-approve or skip-permissions mode is easy to enable apps/cline-hub/src/server/sessions.ts:88
MED AGT013 Agent auto-approve or skip-permissions mode is easy to enable apps/cli/src/runtime/tool-policies.ts:30
MED AGT013 Agent auto-approve or skip-permissions mode is easy to enable apps/cli/src/main.ts:24
MED AGT013 Agent auto-approve or skip-permissions mode is easy to enable apps/cli/src/commands/program.ts:11
MED SEC005 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input. apps/cli/src/utils/team-command.ts:14
MED SEC005 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input. apps/cli/src/tui/commands/slash-command…:264
MED SEC005 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input. .github/scripts/coverage_check/util.py:190
LOW COMP001 [COMP001] High cognitive complexity: Function `print_debug_output` has cognitive complexi… .github/scripts/coverage_check/extracti…:22
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/nebi…:46
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/moon…:54
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/mini…:78
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/lmst…:55
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/huaw…:55
LOW AIC003 Duplicated implementation block across source files apps/vscode/src/core/api/providers/doub…:63
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:3
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:142
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:70
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:38
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:17
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:87
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview/src/componen…:84
LOW AIC003 Duplicated implementation block across source files apps/cline-hub/src/webview-protocol.ts:149
LOW AIC003 Duplicated implementation block across source files apps/cli/src/wizards/schedule/index.ts:425
LOW AIC003 Duplicated implementation block across source files apps/cli/src/wizards/mcp/index.ts:63
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/views/onboarding/scree…:204
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/views/home-view.tsx:29
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/views/config-view.tsx:57
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/views/config-view.tsx:56
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/views/config-view-help…:69
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/interactive-config.ts:168
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/components/searchable-…:241
LOW AIC003 Duplicated implementation block across source files apps/cli/src/tui/components/model-selec…:13
LOW AIC003 Duplicated implementation block across source files apps/cli/src/connectors/stores/memory-s…:84
LOW AIC003 Duplicated implementation block across source files apps/cli/src/connectors/adapters/whatsa…:278
LOW AIC003 Duplicated implementation block across source files apps/cli/src/connectors/adapters/whatsa…:14
LOW AIC003 Duplicated implementation block across source files apps/cli/src/connectors/adapters/linear…:10
LOW AIC003 Duplicated implementation block across source files apps/cli/src/commands/schedule/import-e…:60
LOW AIC003 Duplicated implementation block across source files apps/cli/src/commands/hub.ts:31
LOW WEB005 robots.txt does not advertise a sitemap .github/workflows/ext-jb-test-integrati…
LOW AIC002 Source file name looks like an AI patch artifact apps/cli/src/tui/utils/selection-copy.ts:1
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… sdk/packages/shared/bun.mts:22
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… sdk/packages/llms/bun.mts:10
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… sdk/packages/core/bun.mts:10
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… apps/vscode/src/shared/Patch.ts:25
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… apps/vscode/src/services/ripgrep/index.…:34
INFO MINED074 [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.exa… apps/vscode/webview-ui/src/components/s…:25
INFO MINED074 [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.exa… apps/vscode/webview-ui/src/components/m…:36
INFO MINED074 [MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.exa… apps/vscode/src/core/prompts/system-pro…:43
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. apps/vscode/src/core/api/providers/base…:166
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. apps/vscode/src/core/api/providers/anth…:109
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. apps/vscode/src/core/api/providers/aihu…:222
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. apps/vscode/src/core/api/providers/asks…:49
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. apps/vscode/src/core/api/providers/aihu…:118
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. apps/vscode/scripts/test-hostbridge-ser…:59
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… apps/vscode/webview-ui/src/components/s…:240
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… apps/examples/vscode/src/webview/src/co…:82
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… apps/cline-hub/src/webview/src/componen…:82
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… apps/vscode/webview-ui/src/components/a…:59
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… apps/examples/vscode/src/webview/src/co…:296
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… apps/cline-hub/src/webview/src/componen…:296
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. sdk/examples/plugins/weather-metrics.ts:143
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. apps/examples/quickstart/src/index.ts:17
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. apps/cline-hub/src/server.ts:246
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/cline-hub/src/options.ts:34
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/cline-hub/src/dev.ts:9
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… apps/cli/src/connectors/chat-runtime.ts:81
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … apps/cli/src/connectors/stores/file-sta…:59
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … apps/cli/src/commands/kanban.ts:333
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … apps/cli/script/publish-npm.ts:127
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … apps/cli/script/guard-direct-publish.ts:15
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … apps/cli/script/build.ts:52
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … apps/cli/bun.mts:60
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… .github/scripts/coverage_check/github_a…:123
Reset to top 5 168 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `cline/cline`

**Score: 77/100 (A-)**  ·  196 findings  ·  scanned 2026-06-05 09:25 UTC  ·  474,750 LOC

| Severity | Count |
|---|---|
| CRITICAL | 11 |
| HIGH | 57 |
| MEDIUM | 34 |
| LOW | 33 |

📊 [Full filterable report](https://repobility.com/scan/225c1628-8aa6-4e9a-8b28-2acec03cadf0/)  ·  ![scorecard](https://repobility.com/scan/225c1628-8aa6-4e9a-8b28-2acec03cadf0/report.png?v=1780651549-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `warnings` used but not imported
   `.github/scripts/coverage_check/workflow.py:226` · ✓ Repobility
2. **CRITICAL** `SEC084` — JS: require() with non-literal
   `sdk/packages/core/src/services/llms/configured-provider-registry.ts:149`
3. **CRITICAL** `MINED018` — Unsafe Deserialization Pickle
   `evals/analysis/src/classifier.ts:46` · CWE-502 · ✓ Repobility
4. **CRITICAL** `MINED018` — Unsafe Deserialization Pickle
   `apps/vscode/src/core/context/instructions/user-instructions/frontmatter.ts:47` · CWE-502 · ✓ Repobility
5. **CRITICAL** `SEC116` — Ruby YAML.load / Marshal.load on untrusted input
   `evals/analysis/src/classifier.ts:46` · A08:2021 Software & Data Integrity Failures

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/225c1628-8aa6-4e9a-8b28-2acec03cadf0/_
Already filed
This repo publishes a SECURITY.md policy and the scan contains 30 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject â high spam risk
Could not determine 'cline/cline' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
80/225 findings (36%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.
I read the warnings â override Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.