File as GitHub Issue: jd-opensource/OxyGent

Push this scan report to jd-opensource/OxyGent

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image renders at the top of the issue body. It is hosted on Repobility and refreshes automatically after re-scans.


Issue title

LDAP injection — non-constant search filter

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| HIGH | MINED034 | Python Subprocess Shell True: subprocess(..., shell=True) enables command inje… | `oxygent/preset_tools/shell_tools.py:26` |
| HIGH | SEC085 | JS: child_process.exec with non-literal: child_process.exec with user-derived in… | `oxygent/preset_tools/python_tools.py:26` |
| HIGH | SEC113 | SSH host-key verification disabled (MITM): Accepting any SSH host key on first c… | `oxygent/oxy/agents/shell_use_agent.py:40` |
| HIGH | SEC082 | Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / Warn… | `oxygent/oxy/agents/shell_use_agent.py:40` |
| HIGH | SEC103 | LDAP injection — non-constant search filter: User input concatenated into an LDA… | `function_hubs/train_ticket_tools.py:139` |
| HIGH | SEC040 | innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | `oxygent/web/js/flowchart.js:55` |
| HIGH | SEC040 | innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | `function_hubs/chart/web/js/app.js:28` |
| HIGH | SEC040 | innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | `function_hubs/chart/static_files_utils.…:123` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `function_hubs/train_ticket_tools.py:101` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `examples/backend/demo_human_in_the_loop…:16` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `applications/oxybank/core/model/embeddi…:175` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `function_hubs/train_ticket_tools.py:134` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `applications/oxybank/core/model/trigger…:104` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `applications/oxybank/core/model/embeddi…:28` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `applications/oxybank/core/storer/doc_ma…:258` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `applications/oxybank/core/model/embeddi…:89` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `applications/oxybank/core/interface/end…:25` |
| HIGH | MINED004 | Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | `applications/oxybank/utils/files_proces…:4` |
| HIGH | MINED004 | Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | `applications/oxybank/utils/file_util.py:4` |
| HIGH | MINED004 | Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | `applications/oxybank/app/api/models.py:64` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `mcp_servers/kubernetes_mcp_server/confi…:72` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `applications/oxybank/core/storer/doc_ma…:205` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `applications/oxybank/app/api/log/log_co…:40` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `applications/bank_manager_by_manual_api…:14` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `applications/bank_manager_by_bank_route…:19` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `applications/bank_manager_by_api_router…:9` |
| HIGH | MINED110 | Blocking call `time.sleep` inside async function `on_message_send_stream` | `examples/a2a/google_sdk_interop/demo_go…:119` |
| HIGH | MINED110 | Blocking call `time.sleep` inside async function `main` | `examples/a2a/demo_a2a_oxygent_task_foll…:66` |
| HIGH | MINED110 | Blocking call `input` inside async function `start_cli_mode` | `oxygent/mas.py:1245` |
| HIGH | MINED108 | `self._get_hits_total` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:359` |
| HIGH | MINED108 | `self._get_es_client` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:348` |
| HIGH | MINED108 | `self._create_empty_stats` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:336` |
| HIGH | MINED108 | `self._refresh_index` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:326` |
| HIGH | MINED108 | `self._create_empty_stats` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:293` |
| HIGH | MINED108 | `self._get_hits_total` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:295` |
| HIGH | MINED108 | `self._get_hits_total` used but never assigned in `__init__` | `oxygent/evaluation_manager.py:246` |
| HIGH | COMP001 | High cognitive complexity: Function `get_banks_from_router` has cognitive compl… | `applications/bank_manager_by_api_router…:41` |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v4` | `.github/workflows/ci.yml:22` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | `.github/workflows/ci.yml:19` |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v7` | `.github/workflows/auto-manage-issues.yml:18` |
| HIGH | MINED112 | FastAPI POST /{kb_name} has no auth | `applications/oxybank/app/api/dynamic/qu…:30` |
| HIGH | MINED112 | FastAPI POST /level has no auth | `applications/oxybank/app/api/log/log_co…:67` |
| HIGH | MINED112 | FastAPI POST (unknown path) has no auth | `examples/a2a/langchain_interop/demo_lan…:106` |
| HIGH | MINED112 | FastAPI POST (unknown path) has no auth | `examples/a2a/langgraph_interop/demo_lan…:118` |
| HIGH | MINED112 | FastAPI POST /generate has no auth | `function_hubs/chart/flowchart_api.py:50` |
| HIGH | MINED112 | FastAPI POST /save-flowchart has no auth | `function_hubs/chart/flowchart_api.py:25` |
| HIGH | MINED112 | FastAPI POST /user_profile_deposit has no auth | `applications/bank_manager_by_bank_route…:31` |
| HIGH | MINED112 | FastAPI POST /user_profile_retrieve has no auth | `applications/bank_manager_by_bank_route…:20` |
| HIGH | MINED112 | FastAPI POST /user_profile_deposit has no auth | `applications/bank_manager_by_manual_api…:31` |
| HIGH | MINED112 | FastAPI POST /user_profile_retrieve has no auth | `applications/bank_manager_by_manual_api…:15` |
| HIGH | MINED112 | FastAPI POST /user_profile_deposit has no auth | `applications/bank_manager_by_api_router…:24` |
| HIGH | MINED112 | FastAPI POST /user_profile_retrieve has no auth | `applications/bank_manager_by_api_router…:10` |
| HIGH | MINED112 | FastAPI POST /api/prompts/optimize has no auth | `oxygent/routes.py:1440` |
| HIGH | MINED112 | FastAPI DELETE /rating/{rating_id} has no auth | `oxygent/routes.py:1396` |
| HIGH | MINED112 | FastAPI POST /rating/{trace_id}/rebuild_stats has no auth | `oxygent/routes.py:1364` |
| HIGH | MINED112 | FastAPI POST /rating/setup_indices has no auth | `oxygent/routes.py:1055` |
| HIGH | MINED112 | FastAPI DELETE /rating/clear_all has no auth | `oxygent/routes.py:1032` |
| HIGH | MINED112 | FastAPI POST /rating has no auth | `oxygent/routes.py:843` |
| HIGH | MINED112 | FastAPI POST /api/prompts/{prompt_key}/revert/{target_version} has no auth | `oxygent/routes.py:704` |
| HIGH | MINED112 | FastAPI DELETE /api/prompts/{prompt_key} has no auth | `oxygent/routes.py:631` |
| HIGH | MINED112 | FastAPI PUT /api/prompts/{prompt_key} has no auth | `oxygent/routes.py:542` |
| HIGH | MINED112 | FastAPI POST /api/prompts/ has no auth | `oxygent/routes.py:501` |
| HIGH | MINED112 | FastAPI POST /save_script has no auth | `oxygent/routes.py:363` |
| HIGH | MINED112 | FastAPI POST /call has no auth | `oxygent/routes.py:272` |
| HIGH | MINED112 | FastAPI POST /upload has no auth | `oxygent/routes.py:109` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:1395` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:1363` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:1003` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:986` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:951` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:919` |
| HIGH | AUC003 | Object-level route lacks visible authorization: A route with an object id-like p… | `oxygent/routes.py:883` |
| MED | SEC045 | eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | `oxygent/preset_tools/python_tools.py:26` |
| MED | SEC007 | Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. | `oxygent/embedding_cache.py:128` |
| MED | SEC136 | AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | `mcp_servers/kubernetes_mcp_server/confi…:60` |
| MED | SEC034 | Log Injection / Log Forging — unsanitized user input in log: User input is logge… | `oxygent/preset_tools/shell_tools.py:25` |
| MED | SEC034 | Log Injection / Log Forging — unsanitized user input in log: User input is logge… | `examples/backend/demo_logger_setup.py:12` |
| MED | SEC031 | Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like … | `applications/oxybank/web/src/router/rou…:95` |
| MED | ERR001 | Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | `applications/oxybank/core/storer/doc_ma…:205` |
| MED | MINED111 | Bare except continues silently | `function_hubs/train_ticket_tools.py:226` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:651` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:631` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:140` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:599` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:133` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:878` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:412` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:338` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:280` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:966` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:806` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:525` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:299` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:1117` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:1093` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:1042` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:957` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:892` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:760` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:659` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:605` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:458` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:428` |
| MED | MINED111 | Bare except continues silently | `mcp_servers/tts_tools.py:153` |
| MED | ERR001 | Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | `mcp_servers/kubernetes_mcp_server/confi…:72` |
| MED | AUC001 | No Repobility access matrix policy found: The repository uses web/API frameworks… | |
| MED | JRN002 | Browser storage is used for session token material | `applications/oxybank/web/src/views/know…:253` |
| MED | JRN002 | Browser storage is used for session token material | `applications/oxybank/web/src/views/anno…:387` |
| MED | JRN002 | Browser storage is used for session token material | `applications/oxybank/web/src/utils/auth…:20` |
| MED | JRN002 | Browser storage is used for session token material | `applications/oxybank/web/src/utils/auth…:13` |
| MED | JRN002 | Browser storage is used for session token material | `applications/oxybank/web/src/api/index.…:60` |
| MED | WEB003 | Public web service has no security.txt | `.well-known/security.txt` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:69` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:67` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:63` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:59` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:55` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:51` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:47` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:43` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:39` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:35` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:31` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:27` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:23` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:20` |
| MED | JRN003 | Frontend API reference is not matched by discovered backend routes | `applications/oxybank/web/src/api/apiDef…:19` |
| MED | AUC002 | Low visible authorization coverage in route inventory: Only 0.0% of discovered r… | |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `examples/a2a/google_sdk_interop/demo_go…:32` |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `examples/a2a/agentscope_interop/demo_ag…:31` |
| MED | AUC012 | FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /… | |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `mcp_servers/_mcp_testing_utilities/mcp_…:4` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `docs/docs_zh/introduction/tools/opensou…:21` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `docs/docs_zh/introduction/getting-start…:15` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `docs/docs_en/introduction/tools/opensou…:21` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `docs/docs_en/introduction/getting-start…:15` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `README_zh.md:89` |
| MED | AGT015 | Remote install command pipes network code directly to a shell | `README.md:91` |
| MED | AUC009 | Sensitive function route lacks elevated authorization evidence: A route appears … | `oxygent/routes.py:654` |
| MED | AUC009 | Sensitive function route lacks elevated authorization evidence: A route appears … | `applications/oxybank/app/api/endpoints/…:247` |
| MED | AUC009 | Sensitive function route lacks elevated authorization evidence: A route appears … | `applications/oxybank/app/api/endpoints/…:211` |
| MED | AUC009 | Sensitive function route lacks elevated authorization evidence: A route appears … | `applications/oxybank/app/api/endpoints/…:168` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:1395` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:1054` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:1031` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:986` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:842` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:681` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:630` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:541` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:500` |
| MED | AUC004 | Admin route does not show super_admin separation: An administrative route was de… | `oxygent/routes.py:476` |
| MED | SEC005 | Command Injection Risk: Unsafe shell execution or eval of user input. | `oxygent/preset_tools/shell_tools.py:26` |
| LOW | SEC124 | TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | `oxygent/preset_tools/file_tools.py:55` |
| LOW | COMP001 | High cognitive complexity: Function `query_history_by_kb` has cognitive complex… | `applications/oxybank/app/api/endpoints/…:20` |
| LOW | COMP001 | High cognitive complexity: Function `create_kb_query_interface` has cognitive c… | `applications/oxybank/app/api/dynamic/qu…:30` |
| LOW | AIC003 | Duplicated implementation block across source files | `oxygent/preset_tools/__init__.py:20` |
| LOW | AIC003 | Duplicated implementation block across source files | `oxygent/oxy/llms/openai_llm.py:100` |
| LOW | AIC003 | Duplicated implementation block across source files | `oxygent/oxy/agents/shell_use_agent.py:144` |
| LOW | AIC003 | Duplicated implementation block across source files | `oxygent/oxy/agents/react_agent.py:112` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/math_tools_streamable.py:6` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/math_tools_streamable.py:1` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/math_tools_sse.py:6` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/kubernetes_mcp_server/helm_…:18` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/kubernetes_mcp_server/core_…:229` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/kubernetes_mcp_server/core_…:11` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/kubernetes_mcp_server/core_…:7` |
| LOW | AIC003 | Duplicated implementation block across source files | `mcp_servers/browser/search.py:208` |
| LOW | AIC003 | Duplicated implementation block across source files | `function_hubs/chart/web/js/app.js:2` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/web/src/views/know…:89` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/web/src/views/know…:26` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/web/src/views/know…:19` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/web/src/views/know…:160` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/web/src/views/erro…:61` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/utils/files_proces…:7` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/core/storer/doc_ma…:186` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/core/storer/doc_ma…:131` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/core/storer/doc_ma…:245` |
| LOW | AIC003 | Duplicated implementation block across source files | `applications/oxybank/app/api/endpoints/…:427` |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | `oxygent/schemas/usage.py:20` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `applications/oxybank/web/src/views/know…:29` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `applications/oxybank/web/src/stores/mod…:50` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `applications/oxybank/web/src/composable…:78` |
| INFO | MINED054 | Ts As Any: Casting to any (as any) bypasses type checking entirely. | `applications/oxybank/web/src/config/the…:49` |
| INFO | MINED054 | Ts As Any: Casting to any (as any) bypasses type checking entirely. | `applications/oxybank/web/src/composable…:119` |
| INFO | MINED054 | Ts As Any: Casting to any (as any) bypasses type checking entirely. | `applications/oxybank/web/src/api/create…:90` |
| INFO | MINED052 | Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | `applications/oxybank/web/src/utils/stor…:11` |
| INFO | MINED052 | Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | `applications/oxybank/web/src/utils/auth…:41` |
| INFO | MINED052 | Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | `applications/oxybank/web/src/api/create…:22` |
| INFO | MINED045 | Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | `applications/oxybank/web/src/api/index.…:69` |
| INFO | MINED045 | Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | `applications/oxybank/web/src/api/create…:46` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `mcp_servers/browser/tabs.py:64` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `mcp_servers/browser/core.py:327` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `applications/oxybank/core/storer/doc_ma…:206` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `examples/a2a/langchain_interop/demo_lan…:83` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `applications/oxybank/utils/url_util.py:10` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `applications/oxybank/core/model/trigger…:106` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `function_hubs/train_ticket_tools.py:101` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `examples/backend/demo_human_in_the_loop…:16` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `applications/oxybank/core/model/embeddi…:175` |
200 findings available (after auto-suppression of test files and won't-fix).
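The MINED034 and SEC005 rows flag `subprocess(..., shell=True)` on a user-derived command string. The block below is an added example, not code from OxyGent or from Repobility, that puts the flagged string-building pattern next to an argument-vector form that never hands the value to a shell, and runs the vector form to show the injected value arriving as one literal argument. The injected string and the helper names (`shell_command_string`, `argv_for`, `run_with_argv`, `quote_for_shell`) are this example's own.

```python
"""Added example (not OxyGent code): why shell=True on user-derived input is
flagged, and how to run the same command with an argument vector instead.

Self-contained: the "user input" string is constructed here, and the only
program actually executed is the current Python interpreter, so it runs
offline on any platform.
"""
import shlex
import subprocess
import sys

# Constructed attacker-controlled value. Under shell=True the ';' terminates
# the intended command and starts a second one.
INJECTED = "report.txt; echo INJECTED"


def shell_command_string(filename: str) -> str:
    """The vulnerable pattern: the value is pasted into one string that a shell
    will parse, so shell metacharacters inside it change the command."""
    return f"cat {filename}"  # what would be passed to subprocess.run(cmd, shell=True)


def argv_for(filename: str) -> list[str]:
    """Hardened pattern: a fixed program plus the value as ONE argv element.
    No shell parses it, so ';', '|', '$(...)' and friends are just bytes in a
    file name. '--' stops the value from being read as an option."""
    return ["cat", "--", filename]


def run_with_argv(value: str) -> str:
    """Execute a command via argv (no shell) and return its stdout.

    To stay portable and offline the demo program is the current interpreter
    printing its first argument; real code would name the tool it needs, as
    argv_for does."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True,
        text=True,
        check=True,
        timeout=10,  # never let a service block forever on a hung child
    )
    return proc.stdout.strip()


def quote_for_shell(value: str) -> str:
    """When a shell is unavoidable (e.g. a remote exec channel that only accepts
    a command line), quote every operand with shlex.quote before joining."""
    return "cat -- " + shlex.quote(value)


if __name__ == "__main__":
    print("vulnerable string :", shell_command_string(INJECTED))
    print("argv (no shell)   :", argv_for(INJECTED))
    print("child received    :", run_with_argv(INJECTED))
    print("quoted for a shell:", quote_for_shell(INJECTED))
```

The quoting fallback matters for the SEC082/SEC113 rows as well: an SSH `exec_command` is executed by the remote user's shell whatever the client does, so operands must be quoted on the way in; and the channel itself is only trustworthy if the client verifies the host key (in paramiko, a `RejectPolicy` with a pre-populated known_hosts rather than `AutoAddPolicy`).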
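The SEC103 row (and the pre-filled issue title) concern a search filter built from a non-constant value. The block below is an added example, not OxyGent's code, showing an RFC 4515 escaper for assertion values beside the flagged concatenation, with a constructed attacker string that would turn an exact `uid` lookup into a wildcard match. If the project uses ldap3, `ldap3.utils.conv.escape_filter_chars` does the same job; `escape_filter_value`, `vulnerable_filter` and `safe_filter` are this example's own names.

```python
"""Added example (not OxyGent code): escaping a user-supplied value before it
is interpolated into an LDAP search filter, as RFC 4515 section 3 requires.

No directory server is contacted; the attacker string is constructed here.
"""

# RFC 4515: inside an assertion value these characters must be written as a
# backslash followed by the two hex digits of the byte.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` safe to embed inside an LDAP filter assertion.

    The five RFC 4515 specials are mapped via _ESCAPES; control characters and
    non-ASCII are conservatively emitted as their UTF-8 bytes in \\XX form,
    which the grammar also permits."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_filter(username: str) -> str:
    """The flagged pattern: raw input concatenated into the filter string."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_filter(username: str) -> str:
    """Same lookup with the value escaped: whatever the caller passes, the
    filter still asks for exactly one uid equal to that literal string."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# Constructed attacker input: closes the uid assertion early and injects a
# wildcard, changing the filter's structure instead of just its value.
ATTACK = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_filter(ATTACK))
    print("safe      :", safe_filter(ATTACK))
```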
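The SEC029 rows flag outbound HTTP to a URL taken from user input, and the SEC078/MINED067 rows flag `requests` calls without a timeout. The block below is an added example, not OxyGent's code, of a URL guard that rejects non-HTTP schemes and any destination resolving to a non-public address, followed by a fetch that always sets a timeout and refuses redirects. The DNS resolver is injectable so the check can be exercised offline; `validate_url`, `is_safe_url` and `safe_fetch` are this example's own names, not a library API.

```python
"""Added example (not OxyGent code): guarding an outbound request whose URL
comes from user input, and never sending it without a timeout.

Uses only the standard library. The resolver is a parameter so the check
can run against a constructed lookup table with no network access.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> list[str]:
    """Every address the host currently maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolver=default_resolver) -> tuple[str, list[str]]:
    """Return (hostname, resolved_ips) for an acceptable URL, else raise ValueError.

    Rejected: schemes other than http/https (file://, gopher://, ...),
    credentials embedded in the URL, unresolvable hosts, and any address that
    is not public unicast: loopback, RFC 1918, link-local (which includes the
    169.254.169.254 cloud metadata endpoint), multicast, IPv6 ULA, reserved.
    ipaddress's is_global property covers all of those ranges."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ips = [ipaddress.ip_address(host)]  # literal IP: no lookup needed
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolver(host)]
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return host, [str(ip) for ip in ips]


def is_safe_url(url: str, resolver=default_resolver) -> bool:
    """Yes/no form of validate_url; a failed DNS lookup counts as unsafe."""
    try:
        validate_url(url, resolver)
        return True
    except (ValueError, OSError):
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a validated public host must not be able to bounce
    the client to 127.0.0.1 with a 302. Returning None makes urllib raise."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url: str, timeout: float = 5.0, max_bytes: int = 1_000_000) -> bytes:
    """Fetch a user-supplied URL with the checks above and a hard timeout.

    Caveat (DNS rebinding): the lookup in validate_url and the one the HTTP
    client performs are separate; for a complete fix, connect to the
    validated IP directly or re-validate inside a connection hook."""
    validate_url(url)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(max_bytes)


if __name__ == "__main__":
    # Literal IPs so the demo needs no DNS.
    for candidate in ("http://93.184.216.34/", "http://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", "allowed" if is_safe_url(candidate) else "blocked")
```

The same `timeout=` argument belongs on every `requests.get`/`requests.post` the SEC078 rows point at; without it a single unresponsive peer ties up the worker indefinitely.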

Issue body (markdown)

## Code-quality scan: `jd-opensource/OxyGent`

**Score: 51/100 (C+)**  ·  257 findings  ·  scanned 2026-05-31 01:24 UTC  ·  90,537 LOC

| Severity | Count |
|---|---|
| CRITICAL | 5 |
| HIGH | 94 |
| MEDIUM | 81 |
| LOW | 26 |

📊 [Full filterable report](https://repobility.com/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/)  ·  ![scorecard](https://repobility.com/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/report.png?v=1780190689-s2)

### Top findings

1. **HIGH** `MINED034` — Python Subprocess Shell True
   `oxygent/preset_tools/shell_tools.py:26` · CWE-78 · ✓ Repobility
2. **HIGH** `SEC085` — JS: child_process.exec with non-literal
   `oxygent/preset_tools/python_tools.py:26`
3. **HIGH** `SEC113` — SSH host-key verification disabled (MITM)
   `oxygent/oxy/agents/shell_use_agent.py:40` · A02:2021 Cryptographic Failures
4. **HIGH** `SEC082` — Python: paramiko AutoAddPolicy or no host-key verification
   `oxygent/oxy/agents/shell_use_agent.py:40` · A05:2021 Security Misconfiguration
5. **HIGH** `SEC103` — LDAP injection — non-constant search filter
   `function_hubs/train_ticket_tools.py:139` · A03:2021 Injection

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/_

Warnings

Already filed.

Coordinated disclosure: this repo publishes a SECURITY.md policy and the scan contains 40 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.

Megaproject, high spam risk: could not determine the 'jd-opensource/OxyGent' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.