| Severity | Rule | Finding | Location |
|---|---|---|---|
| CRIT | MINED107 | [MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.some… | design-templates/last30days/scripts/lib…:545 |
| CRIT | MINED107 | [MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.some… | skills/hatch-pet/scripts/validate_atlas…:105 |
| CRIT | MINED019 | [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… | apps/web/src/components/PluginsSection.…:109 |
| CRIT | MINED019 | [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… | apps/daemon/src/automation-templates.ts:231 |
| CRIT | MINED116 | [MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: Thi… | .github/workflows/landing-page-ci.yml:204 |
| CRIT | MINED116 | [MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This… | .github/workflows/landing-page-ci.yml:203 |
| HIGH | MINED108 | [MINED108] `self._spin` used but never assigned in __init__: Method `start` of class `Spi… | design-templates/last30days/scripts/lib…:250 |
| HIGH | MINED108 | [MINED108] `self._generate_content` used but never assigned in __init__: Method `generate… | design-templates/last30days/scripts/lib…:88 |
| HIGH | MINED108 | [MINED108] `self.generate_text` used but never assigned in __init__: Method `generate_jso… | design-templates/last30days/scripts/lib…:47 |
| HIGH | SEC078 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … | design-templates/last30days/scripts/wat…:64 |
| HIGH | SEC083 | [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… | scripts/update-nix-pnpm-deps-hash.ts:74 |
| HIGH | SEC083 | [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… | scripts/check-components-fixtures.ts:138 |
| HIGH | SEC083 | [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… | apps/web/src/runtime/partial-json.ts:61 |
| HIGH | SEC027 | [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand … | apps/web/src/edit-mode/source-patches.ts:119 |
| HIGH | MINED027 | [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — Re… | apps/landing-page/scripts/blog-indexing…:170 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | apps/daemon/src/routes/handoff.ts:42 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | apps/daemon/src/routes/design-system-to…:42 |
| HIGH | SEC135 | [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | apps/daemon/src/routes/deploy.ts:30 |
| HIGH | SEC111 | [SEC111] Django mark_safe / \|safe filter on user data: Django's `mark_safe()` and `\|safe`… | apps/daemon/src/plugins/snapshot-diff.ts:77 |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | tools/pack/src/win/sign.ts:86 |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | apps/daemon/src/plugins/atoms/rewrite-p…:264 |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | apps/daemon/src/plugins/atoms/diff-revi…:232 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/daemon/src/critique/transcript.ts:131 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/daemon/src/critique/artifact-handl…:201 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/daemon/src/critique/adapter-degrad…:98 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | apps/daemon/src/design-token-evidence.ts:82 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | apps/daemon/src/design-system-source-co…:164 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | apps/daemon/src/automation-routine-evol…:16 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | apps/daemon/src/plugins/bundled.ts:83 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | apps/daemon/src/document-preview.ts:74 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | apps/daemon/src/amr-image-staging.ts:58 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | .github/scripts/release/r2/s3-upload.ts:48 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | .github/scripts/release/r2/publish-plat…:35 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | .github/scripts/release/r2/publish-beta…:57 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | .github/scripts/release/r2/summary-beta…:51 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | .github/scripts/release/r2/s3-upload.ts:72 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | .github/scripts/release/feishu/notify.ts:97 |
| HIGH | SEC018 | [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials w… | .github/scripts/agent-pr-explore-local.…:53 |
| HIGH | SEC018 | [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials w… | .claude/skills/od-contribute/scripts/ch…:87 |
| HIGH | MINED134 | [MINED134] Binary file `tools/pack/resources/win/7zip/7z.exe` committed in source repo: `… | tools/pack/resources/win/7zip/7z.exe:1 |
| HIGH | MINED134 | [MINED134] Binary file `tools/pack/resources/win/7zip/7z.dll` committed in source repo: `… | tools/pack/resources/win/7zip/7z.dll:1 |
| HIGH | MINED115 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-… | .github/workflows/release-beta.yml:133 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/release-beta.yml:127 |
| HIGH | MINED115 | [MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudf… | .github/workflows/landing-page-producti…:152 |
| HIGH | MINED115 | [MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v… | .github/workflows/landing-page-producti…:85 |
| HIGH | MINED115 | [MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v… | .github/workflows/landing-page-producti…:77 |
| HIGH | MINED115 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-… | .github/workflows/landing-page-producti…:61 |
| HIGH | MINED115 | [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v5`: `uses: pnpm/action-set… | .github/workflows/landing-page-producti…:56 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/landing-page-producti…:47 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… | .github/workflows/docker-image.yml:21 |
| HIGH | MINED115 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-… | .github/workflows/seo-daily-report.yml:45 |
| HIGH | MINED115 | [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v5`: `uses: pnpm/action-set… | .github/workflows/seo-daily-report.yml:40 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/seo-daily-report.yml:37 |
| HIGH | MINED115 | [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: p… | .github/workflows/refresh-contributors-…:53 |
| HIGH | MINED115 | [MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: a… | .github/workflows/refresh-contributors-…:43 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/refresh-contributors-…:28 |
| HIGH | MINED115 | [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… | .github/workflows/discord-resolved.yml:48 |
| HIGH | MINED115 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/se… | .github/workflows/fork-pr-workflow-appr…:48 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/fork-pr-workflow-appr…:42 |
| HIGH | MINED115 | [MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` r… | .github/workflows/stale-issues.yml:87 |
| HIGH | MINED115 | [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… | .github/workflows/stale-issues.yml:37 |
| HIGH | MINED115 | [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… | .github/workflows/pr-author-inactivity.…:52 |
| HIGH | MINED115 | [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… | .github/workflows/landing-page-ci.yml:214 |
| HIGH | MINED115 | [MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudf… | .github/workflows/landing-page-ci.yml:201 |
| HIGH | MINED115 | [MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v… | .github/workflows/landing-page-ci.yml:88 |
| HIGH | MINED115 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/chec… | .github/workflows/landing-page-ci.yml:79 |
| HIGH | JRN009 | Secret-like setting is echoed into a password input value | apps/web/src/components/SettingsDialog.…:4824 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/projects/:id/folders has no auth: Express route DELETE /ap… | apps/daemon/src/project-routes.ts:2075 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/folders has no auth: Express route POST /api/pr… | apps/daemon/src/project-routes.ts:2051 |
| HIGH | MINED113 | [MINED113] Express POST /api/artifacts/lint has no auth: Express route POST /api/artifact… | apps/daemon/src/project-routes.ts:1863 |
| HIGH | MINED113 | [MINED113] Express POST /api/artifacts/save has no auth: Express route POST /api/artifact… | apps/daemon/src/project-routes.ts:1837 |
| HIGH | MINED113 | [MINED113] Express POST /api/upload has no auth: Express route POST /api/upload declared … | apps/daemon/src/project-routes.ts:1823 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/templates/:id has no auth: Express route DELETE /api/templ… | apps/daemon/src/project-routes.ts:1809 |
| HIGH | MINED113 | [MINED113] Express POST /api/templates has no auth: Express route POST /api/templates dec… | apps/daemon/src/project-routes.ts:1745 |
| HIGH | MINED113 | [MINED113] Express PUT /api/projects/:id/tabs has no auth: Express route PUT /api/project… | apps/daemon/src/project-routes.ts:1705 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/projects/:id/conversations/:cid/comments/:commentId has no… | apps/daemon/src/project-routes.ts:1677 |
| HIGH | MINED113 | [MINED113] Express PATCH /api/projects/:id/conversations/:cid/comments/:commentId has no … | apps/daemon/src/project-routes.ts:1652 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/conversations/:cid/comments has no auth: Expres… | apps/daemon/src/project-routes.ts:1633 |
| HIGH | MINED113 | [MINED113] Express PUT /api/projects/:id/conversations/:cid/messages/:mid has no auth: Ex… | apps/daemon/src/project-routes.ts:1602 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/projects/:id/conversations/:cid has no auth: Express route… | apps/daemon/src/project-routes.ts:1583 |
| HIGH | MINED113 | [MINED113] Express PATCH /api/projects/:id/conversations/:cid has no auth: Express route … | apps/daemon/src/project-routes.ts:1574 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/conversations has no auth: Express route POST /… | apps/daemon/src/project-routes.ts:1487 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/projects/:id has no auth: Express route DELETE /api/projec… | apps/daemon/src/project-routes.ts:1420 |
| HIGH | MINED113 | [MINED113] Express PATCH /api/projects/:id has no auth: Express route PATCH /api/projects… | apps/daemon/src/project-routes.ts:1313 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects has no auth: Express route POST /api/projects decla… | apps/daemon/src/project-routes.ts:1056 |
| HIGH | MINED113 | [MINED113] Express POST /api/project-locations/scan has no auth: Express route POST /api/… | apps/daemon/src/project-routes.ts:946 |
| HIGH | MINED113 | [MINED113] Express PUT /api/project-locations has no auth: Express route PUT /api/project… | apps/daemon/src/project-routes.ts:915 |
| HIGH | MINED113 | [MINED113] Express DELETE /api/projects/:id/terminals/:tid has no auth: Express route DEL… | apps/daemon/src/terminal-routes.ts:108 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/terminals/:tid/kill has no auth: Express route … | apps/daemon/src/terminal-routes.ts:107 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/terminals/:tid/resize has no auth: Express rout… | apps/daemon/src/terminal-routes.ts:90 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/terminals/:tid/stdin has no auth: Express route… | apps/daemon/src/terminal-routes.ts:79 |
| HIGH | MINED113 | [MINED113] Express POST /api/projects/:id/terminals has no auth: Express route POST /api/… | apps/daemon/src/terminal-routes.ts:49 |
| HIGH | JRN004 | Consent is collected in UI without visible backend audit persistence | apps/daemon/src/server.ts:5484 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:389 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:922 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:887 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:823 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:365 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:867 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:697 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:670 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:307 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:287 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:188 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:93 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:39 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:461 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:94 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:611 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:342 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:574 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:278 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:286 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:358 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/lib…:60 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/las…:784 |
| MED | MINED111 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | design-templates/last30days/scripts/wat…:41 |
| MED | SEC046 | [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… | apps/web/src/components/SocialShareGrid…:82 |
| MED | SEC087 | [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … | design-templates/html-ppt/assets/animat…:20 |
| MED | SEC087 | [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; … | apps/web/src/components/PrivacySection.…:19 |
| MED | SEC041 | [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… | apps/web/src/components/SocialShareGrid…:67 |
| MED | SEC041 | [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… | apps/web/src/components/GenerationPrevi…:195 |
| MED | SEC031 | [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like … | apps/daemon/src/swift-colors.ts:79 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/daemon/src/document-preview.ts:99 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/daemon/src/critique/artifact-write…:121 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/daemon/src/critique/artifact-handl…:208 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | apps/daemon/src/design-system-source-co…:164 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | apps/daemon/src/critique/persistence.ts:175 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | apps/daemon/src/automation-routine-evol…:16 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `generate_daily` has cognitive complexity 1… | design-templates/last30days/scripts/bri…:32 |
| MED | AGT007 | localStorage write failures are swallowed silently | apps/daemon/src/prompts/deck-framework.…:287 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | JRN005 | Compliance or security claim is near a placeholder link | design-templates/web-prototype-taste-so…:529 |
| MED | JRN005 | Compliance or security claim is near a placeholder link | apps/daemon/src/design-system-showcase.…:369 |
| MED | AGT014 | Codex auth.json is read or copied without visible secret-file hardening | .github/scripts/provision-agent-pr-expl…:28 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | apps/daemon/src/runtimes/defs/grok-buil…:5 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | README.md:302 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | .claude/skills/od-contribute/install.sh:10 |
| MED | AGT013 | Agent auto-approve or skip-permissions mode is easy to enable | apps/daemon/src/runtimes/defs/trae-cli.…:19 |
| MED | AGT013 | Agent auto-approve or skip-permissions mode is easy to enable | apps/daemon/src/runtimes/defs/gemini.ts:23 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `compose_from_source_atlas` has cognitive c… | skills/hatch-pet/scripts/compose_atlas.…:69 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `generate_weekly` has cognitive complexity … | design-templates/last30days/scripts/bri…:142 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/web/src/analytics/amr-attribution.…:18 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/web/sidecar/server.ts:553 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/web/sidecar/server.ts:290 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/packaged/src/index.ts:37 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/landing-page/scripts/blog-indexing…:37 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/landing-page/scripts/blog-indexing…:8 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/landing-page/scripts/blog-indexing…:9 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/desktop/src/main/index.ts:90 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/xai-tokens.ts:28 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/transcript-export.ts:188 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/tools/connectors.ts:8 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/tools-live-artifacts-cl…:146 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/tools-live-artifacts-cl…:33 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/tools-design-systems-cl…:80 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/runtimes/defs/pi.ts:38 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/runtimes/defs/kiro.ts:7 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/live-artifacts/schema.ts:160 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/design-system-showcase.…:574 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/critique/interrupt-hand…:17 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/daemon/src/copilot-stream.ts:8 |
| LOW | AIC003 | Duplicated implementation block across source files | .github/scripts/release/r2/verify-beta-…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | .github/scripts/release/r2/publish-plat…:11 |
| LOW | WEB002 | Public web app has no sitemap | sitemap.xml |
| LOW | DKR008 | .dockerignore misses sensitive defaults | .dockerignore |
| LOW | WEB008 | Public docs site has no llms.txt | llms.txt |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | tools/pack/docker-compose.yml:20 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | apps/landing-page/app/_lib/home-copy.ts:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | tools/pack/docker-compose.yml:20 |
| LOW | WEB011 | Public web app has no humans.txt | humans.txt |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | design-templates/last30days/scripts/wat…:64 |
| INFO | MINED098 | [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global win… | design-templates/html-ppt/assets/animat…:71 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | apps/web/src/components/plugins-home/ca…:77 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | apps/web/src/components/PaletteTweaks.t…:114 |
| INFO | MINED058 | [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… | apps/web/app/layout.tsx:35 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | scripts/check-design-system-flag-parity…:228 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | apps/landing-page/scripts/blog-indexing…:99 |
| INFO | MINED065 | [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… | apps/landing-page/functions/subscribe.ts:47 |
| INFO | MINED047 | [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explic… | apps/landing-page/app/solutions-index-i…:83 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | apps/daemon/src/routes/live-artifact.ts:25 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | apps/daemon/src/routes/handoff.ts:127 |
| INFO | MINED052 | [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | apps/daemon/src/routes/deploy.ts:25 |
| INFO | MINED057 | [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… | apps/daemon/src/prompts/panel.ts:218 |
| INFO | MINED057 | [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… | apps/daemon/src/plugins/atoms.ts:19 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | apps/daemon/src/xai-oauth.ts:59 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | apps/daemon/src/xai-oauth-server.ts:105 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | apps/daemon/src/origin-validation.ts:25 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | apps/daemon/src/media-adapters/video.ts:204 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | apps/daemon/src/mcp-tokens.ts:233 |
| INFO | MINED045 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | apps/daemon/src/document-preview.ts:34 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | apps/web/src/runtime/shiki.ts:41 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | apps/daemon/src/route-registration-guar…:20 |
| INFO | MINED054 | [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. | apps/daemon/src/aihubmix.ts:147 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | .github/scripts/release/r2/publish-plat…:344 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | .github/scripts/release/r2/publish-beta…:233 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | .github/scripts/release/feishu/notify.ts:176 |