File as GitHub Issue repo: imbue-ai/mngr

Push this scan report to imbue-ai/mngr

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Path Traversal Os Join

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| HIGH | MINED006 | [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | scripts/warm_cli_example.py:162 |
| HIGH | MINED006 | [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | scripts/poll_modal_agents.py:146 |
| HIGH | MINED034 | [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command inje… | scripts/josh/workflow.py:188 |
| HIGH | MINED012 | [MINED012] Curl Pipe Bash: curl ... \| sh / bash — runs unverified network code. | scripts/install.sh:32 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | apps/minds/scripts/first-message-verify…:79 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | apps/minds/imbue/minds/telegram/bot_cre…:83 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | apps/minds/imbue/minds/primitives.py:146 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | apps/minds/imbue/minds/desktop_client/s…:57 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/modal_litellm/app.py:105 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/minds/imbue/minds/desktop_client/t…:11 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | apps/minds/imbue/minds/desktop_client/l…:125 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | scripts/qi/fd_leak/isolate_02_sequentia…:26 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | scripts/qi/fd_leak/isolate_01_baseline.…:26 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | apps/minds/imbue/minds/desktop_client/a…:69 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | apps/minds/imbue/minds/telegram/bot_cre…:86 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | apps/minds/imbue/minds/envs/providers/s…:169 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | apps/minds/imbue/minds/deployment_tests…:77 |
| HIGH | DKR014 | Dockerfile copies the entire context without .dockerignore | libs/mngr/imbue/mngr/resources/Dockerfi…:126 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | libs/mngr/imbue/mngr/resources/Dockerfi…:105 |
| HIGH | DKR006 | Dockerfile pipes a remote script into a shell | libs/mngr/imbue/mngr/resources/Dockerfi…:63 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/ci.yml:204 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v7` | .github/workflows/ci.yml:185 |
| HIGH | MINED115 | Action `actions/cache/save` pinned to mutable ref `@v5` | .github/workflows/ci.yml:104 |
| HIGH | MINED115 | Action `actions/cache/restore` pinned to mutable ref `@v5` | .github/workflows/ci.yml:84 |
| HIGH | MINED115 | Action `actions/cache` pinned to mutable ref `@v5` | .github/workflows/ci.yml:69 |
| HIGH | MINED115 | Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable` | .github/workflows/ci.yml:66 |
| HIGH | MINED115 | Action `extractions/setup-just` pinned to mutable ref `@v4` | .github/workflows/ci.yml:63 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/ci.yml:55 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/ci.yml:50 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/ci.yml:35 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v7` | .github/workflows/minds-launch-to-msg.y…:261 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/minds-launch-to-msg.y…:210 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v7` | .github/workflows/minds-launch-to-msg.y…:192 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/minds-launch-to-msg.y…:80 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v6` | .github/workflows/minds-launch-to-msg.y…:72 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/minds-launch-to-msg.y…:68 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v7` | .github/workflows/tmr.yml:147 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/tmr.yml:82 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/minds-runner-reset.yml:20 |
| HIGH | MINED115 | Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1` | .github/workflows/publish-tombstones.yml:34 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/publish-tombstones.yml:23 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6` | .github/workflows/publish-tombstones.yml:18 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/publish-tombstones.yml:15 |
| HIGH | MINED115 | Action `imbue-ai/vet` pinned to mutable ref `@main` | .github/workflows/vet.yml:22 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/vet.yml:18 |
| HIGH | MINED118 | Dockerfile FROM `python:3.12-slim` not pinned by digest | libs/mngr/imbue/mngr/resources/Dockerfi…:5 |
| HIGH | MINED131 | pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v… | .pre-commit-config.yaml:5 |
| HIGH | PYSEC-2026-179 | pyjwt: PYSEC-2026-179 | uv.lock |
| HIGH | PYSEC-2026-178 | pyjwt: PYSEC-2026-178 | uv.lock |
| HIGH | PYSEC-2026-177 | pyjwt: PYSEC-2026-177 | uv.lock |
| HIGH | PYSEC-2026-175 | pyjwt: PYSEC-2026-175 | uv.lock |
| HIGH | GHSA-xqmj-j6mv-4862 | litellm: GHSA-xqmj-j6mv-4862 | uv.lock |
| HIGH | GHSA-wxxx-gvqv-xp7p | litellm: GHSA-wxxx-gvqv-xp7p | uv.lock |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: GHSA-v4p8-mg3p-g94g | uv.lock |
| HIGH | GHSA-jvwf-75h9-cwgg | protobufjs: GHSA-jvwf-75h9-cwgg | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-75px-5xx7-5xc7 | protobufjs: GHSA-75px-5xx7-5xc7 | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-685m-2w69-288q | protobufjs: GHSA-685m-2w69-288q | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-66ff-xgx4-vchm | protobufjs: GHSA-66ff-xgx4-vchm | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-v39h-62p7-jpjc | fast-uri: GHSA-v39h-62p7-jpjc | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-q3j6-qgpj-74h6 | fast-uri: GHSA-q3j6-qgpj-74h6 | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-9jxc-qjr9-vjxq | electron-updater: GHSA-9jxc-qjr9-vjxq | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-q8qp-cvcw-x6jj | axios: GHSA-q8qp-cvcw-x6jj | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-pf86-5x62-jrwf | axios: GHSA-pf86-5x62-jrwf | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-p92q-9vqr-4j8v | axios: GHSA-p92q-9vqr-4j8v | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-j5f8-grm9-p9fc | axios: GHSA-j5f8-grm9-p9fc | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-hfxv-24rg-xrqf | axios: GHSA-hfxv-24rg-xrqf | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-777c-7fjr-54vf | axios: GHSA-777c-7fjr-54vf | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-6chq-wfr3-2hj9 | axios: GHSA-6chq-wfr3-2hj9 | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-pjwm-pj3p-43mv | axios: GHSA-pjwm-pj3p-43mv | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-3g43-6gmg-66jw | axios: GHSA-3g43-6gmg-66jw | apps/minds/pnpm-lock.yaml |
| HIGH | GHSA-35jp-ww65-95wh | axios: GHSA-35jp-ww65-95wh | apps/minds/pnpm-lock.yaml |
| HIGH | PYSEC-2026-142 | urllib3: PYSEC-2026-142 | apps/minds/electron/pyproject/uv.lock |
| HIGH | PYSEC-2026-141 | urllib3: PYSEC-2026-141 | apps/minds/electron/pyproject/uv.lock |
| HIGH | PYSEC-2026-161 | starlette: PYSEC-2026-161 | apps/minds/electron/pyproject/uv.lock |
| HIGH | GHSA-pp6c-gr5w-3c5g | python-multipart: GHSA-pp6c-gr5w-3c5g | apps/minds/electron/pyproject/uv.lock |
| HIGH | PYSEC-2026-36 | cryptography: PYSEC-2026-36 | apps/minds/electron/pyproject/uv.lock |
| HIGH | MINED112 | FastAPI POST /auth/email/is-verified has no auth | apps/remote_service_connector/imbue/rem…:3547 |
| HIGH | MINED112 | FastAPI POST /auth/email/send-verification has no auth | apps/remote_service_connector/imbue/rem…:3529 |
| HIGH | MINED112 | FastAPI POST /auth/session/revoke has no auth | apps/remote_service_connector/imbue/rem…:3504 |
| HIGH | MINED112 | FastAPI POST /auth/session/refresh has no auth | apps/remote_service_connector/imbue/rem…:3485 |
| HIGH | MINED112 | FastAPI POST /auth/signup has no auth | apps/remote_service_connector/imbue/rem…:3396 |
| HIGH | MINED112 | FastAPI DELETE /bucket-keys/{access_key_id} has no auth | apps/remote_service_connector/imbue/rem…:3263 |
| HIGH | MINED112 | FastAPI POST /buckets/{name}/keys has no auth | apps/remote_service_connector/imbue/rem…:3220 |
| HIGH | MINED112 | FastAPI DELETE /buckets/{name} has no auth | apps/remote_service_connector/imbue/rem…:3202 |
| HIGH | MINED112 | FastAPI POST /buckets has no auth | apps/remote_service_connector/imbue/rem…:3148 |
| HIGH | MINED112 | FastAPI DELETE /keys/{key_id} has no auth | apps/remote_service_connector/imbue/rem…:2884 |
| HIGH | MINED112 | FastAPI PUT /keys/{key_id}/budget has no auth | apps/remote_service_connector/imbue/rem…:2857 |
| HIGH | MINED112 | FastAPI POST /keys/create has no auth | apps/remote_service_connector/imbue/rem…:2757 |
| HIGH | MINED112 | FastAPI POST /paid/emails/remove has no auth | apps/remote_service_connector/imbue/rem…:2692 |
| HIGH | MINED112 | FastAPI POST /paid/emails/add has no auth | apps/remote_service_connector/imbue/rem…:2682 |
| HIGH | MINED112 | FastAPI POST /paid/domains/remove has no auth | apps/remote_service_connector/imbue/rem…:2660 |
| HIGH | MINED112 | FastAPI POST /paid/domains/add has no auth | apps/remote_service_connector/imbue/rem…:2650 |
| HIGH | MINED112 | FastAPI POST /hosts/{host_db_id}/release has no auth | apps/remote_service_connector/imbue/rem…:2430 |
| HIGH | MINED112 | FastAPI POST /hosts/lease has no auth | apps/remote_service_connector/imbue/rem…:2360 |
| HIGH | MINED112 | FastAPI PUT /tunnels/{tunnel_name}/services/{service_name}/auth has no auth | apps/remote_service_connector/imbue/rem…:2345 |
| HIGH | SEC004 | [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection. | apps/minds/imbue/minds/envs/migrations.…:154 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/minds/imbue/minds/desktop_client/s…:164 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/minds/imbue/minds/desktop_client/s…:52 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | apps/minds/imbue/minds/desktop_client/s…:256 |
| MED | SEC046 | [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… | apps/minds/imbue/minds/desktop_client/s…:125 |
| MED | SEC015 | [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … | apps/remote_service_connector/scripts/g…:33 |
| MED | SEC015 | [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … | apps/minds/imbue/minds/desktop_client/a…:39 |
| MED | MINED111 | Bare except continues silently | libs/mngr_kanpan/imbue/mngr_kanpan/tui.…:898 |
| MED | MINED111 | Bare except continues silently | libs/mngr_kanpan/imbue/mngr_kanpan/tui.…:822 |
| MED | MINED111 | Bare except continues silently | libs/mngr_kanpan/imbue/mngr_kanpan/tui.…:726 |
| MED | MINED111 | Bare except continues silently | libs/concurrency_group/imbue/concurrenc…:48 |
| MED | MINED111 | Bare except continues silently | libs/concurrency_group/imbue/concurrenc…:298 |
| MED | MINED111 | Bare except continues silently | libs/mngr_modal/imbue/mngr_modal/instan…:3355 |
| MED | MINED111 | Bare except continues silently | scripts/qi/fd_leak/repro_list_agents_fd…:97 |
| MED | MINED111 | Bare except continues silently | apps/remote_service_connector/imbue/rem…:1912 |
| MED | MINED111 | Bare except continues silently | scripts/release.py:126 |
| MED | MINED111 | Bare except continues silently | scripts/release.py:102 |
| MED | MINED111 | Bare except continues silently | scripts/warm_cli_example.py:271 |
| MED | MINED111 | Bare except continues silently | scripts/warm_cli_example.py:164 |
| MED | MINED111 | Bare except continues silently | scripts/modal_sandbox_list_bug_repro.py:223 |
| MED | MINED111 | Bare except continues silently | scripts/check_parallel_uploads.py:85 |
| MED | AUC001 | [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks… | |
| MED | DKR007 | Docker build context has no .dockerignore | .dockerignore |
| MED | DEPCUR-NPM | npm package `@todesktop/runtime` is 1 major version(s) behind (^1.6.0 -> 2.1.4) | apps/minds/package.json |
| MED | GHSA-hp6r-r9vc-q8wx | fastapi-sso: GHSA-hp6r-r9vc-q8wx | uv.lock |
| MED | GHSA-jg22-mg44-37j8 | aiohttp: GHSA-jg22-mg44-37j8 | uv.lock |
| MED | GHSA-hg6j-4rv6-33pg | aiohttp: GHSA-hg6j-4rv6-33pg | uv.lock |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | apps/minds/pnpm-lock.yaml |
| MED | GHSA-w5hq-g745-h8pq | uuid: GHSA-w5hq-g745-h8pq | apps/minds/pnpm-lock.yaml |
| MED | GHSA-q8mj-m7cp-5q26 | qs: GHSA-q8mj-m7cp-5q26 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-q6x5-8v7m-xcrf | protobufjs: GHSA-q6x5-8v7m-xcrf | apps/minds/pnpm-lock.yaml |
| MED | GHSA-jggg-4jg4-v7c6 | protobufjs: GHSA-jggg-4jg4-v7c6 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-fx83-v9x8-x52w | protobufjs: GHSA-fx83-v9x8-x52w | apps/minds/pnpm-lock.yaml |
| MED | GHSA-2pr8-phx7-x9h3 | protobufjs: GHSA-2pr8-phx7-x9h3 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-pfrx-2q88-qq97 | got: GHSA-pfrx-2q88-qq97 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-r4q5-vmmm-2653 | follow-redirects: GHSA-r4q5-vmmm-2653 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-jxxr-4gwj-5jf2 | brace-expansion: GHSA-jxxr-4gwj-5jf2 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-xx6v-rp6x-q39c | axios: GHSA-xx6v-rp6x-q39c | apps/minds/pnpm-lock.yaml |
| MED | GHSA-w9j2-pvgh-6h63 | axios: GHSA-w9j2-pvgh-6h63 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-vf2m-468p-8v99 | axios: GHSA-vf2m-468p-8v99 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-m7pr-hjqh-92cm | axios: GHSA-m7pr-hjqh-92cm | apps/minds/pnpm-lock.yaml |
| MED | GHSA-fvcv-3m26-pcqx | axios: GHSA-fvcv-3m26-pcqx | apps/minds/pnpm-lock.yaml |
| MED | GHSA-898c-q2cr-xwhg | axios: GHSA-898c-q2cr-xwhg | apps/minds/pnpm-lock.yaml |
| MED | GHSA-62hf-57xw-28j9 | axios: GHSA-62hf-57xw-28j9 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-5c9x-8gcm-mpgx | axios: GHSA-5c9x-8gcm-mpgx | apps/minds/pnpm-lock.yaml |
| MED | GHSA-445q-vr5w-6q77 | axios: GHSA-445q-vr5w-6q77 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-3w6x-2g7m-8v23 | axios: GHSA-3w6x-2g7m-8v23 | apps/minds/pnpm-lock.yaml |
| MED | GHSA-q6x5-8v7m-xcrf | @protobufjs/utf8: GHSA-q6x5-8v7m-xcrf | apps/minds/pnpm-lock.yaml |
| MED | GHSA-mj87-hwqh-73pj | python-multipart: GHSA-mj87-hwqh-73pj | apps/minds/electron/pyproject/uv.lock |
| MED | GHSA-6w46-j5rx-g56g | pytest: GHSA-6w46-j5rx-g56g | apps/minds/electron/pyproject/uv.lock |
| MED | GHSA-65pc-fj4g-8rjx | idna: GHSA-65pc-fj4g-8rjx | apps/minds/electron/pyproject/uv.lock |
| MED | GHSA-jg22-mg44-37j8 | aiohttp: GHSA-jg22-mg44-37j8 | apps/minds/electron/pyproject/uv.lock |
| MED | GHSA-hg6j-4rv6-33pg | aiohttp: GHSA-hg6j-4rv6-33pg | apps/minds/electron/pyproject/uv.lock |
| MED | DKR001 | Docker final stage has no non-root USER | libs/mngr/imbue/mngr/resources/Dockerfi…:5 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | AGT016 | Codex session log reader may expose prompts or tool-call content | libs/mngr/imbue/mngr/cli/create.py:1807 |
| MED | AGT016 | Codex session log reader may expose prompts or tool-call content | libs/mngr/imbue/mngr/cli/ask.py:107 |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | apps/minds/examples/hello-world/server.…:190 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | libs/mngr/imbue/mngr/cli/urwid_utils.py:66 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | libs/mngr/imbue/mngr/cli/output_helpers…:79 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | libs/mngr/README.md:25 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | apps/minds/README.md:18 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | README.md:21 |
| MED | AGT013 | Agent auto-approve or skip-permissions mode is easy to enable | libs/mngr/imbue/mngr/cli/create.py:301 |
| MED | AGT013 | Agent auto-approve or skip-permissions mode is easy to enable | .github/workflows/tmr.yml:96 |
| MED | SEC005 | [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input. | scripts/josh/workflow.py:188 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | apps/minds/imbue/minds/desktop_client/s…:42 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | apps/minds/imbue/minds/desktop_client/s…:77 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | apps/minds/imbue/minds/desktop_client/s…:85 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `_handle_telegram_status` has cognitive com… | apps/minds/imbue/minds/desktop_client/a…:81 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `_poll_for_new_message` has cognitive compl… | apps/minds/imbue/minds/deployment_tests…:126 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `_serve_echo` has cognitive complexity 8 (S… | apps/minds/examples/hello-world/server.…:126 |
| LOW | DEPCUR-NPM | npm package `@todesktop/cli` is minor version(s) behind (^1.8.0 -> 1.25.2) | apps/minds/package.json |
| LOW | GHSA-r374-rxx8-8654 | paramiko: GHSA-r374-rxx8-8654 | uv.lock |
| LOW | GHSA-xhjh-pmcv-23jw | axios: GHSA-xhjh-pmcv-23jw | apps/minds/pnpm-lock.yaml |
| LOW | GHSA-r374-rxx8-8654 | paramiko: GHSA-r374-rxx8-8654 | apps/minds/electron/pyproject/uv.lock |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr_lima/imbue/mngr_lima/config.py:56 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr_latchkey/imbue/mngr_latchkey/…:140 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr_imbue_cloud/imbue/mngr_imbue_…:536 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr_forward/imbue/mngr_forward/st…:290 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr_forward/imbue/mngr_forward/au…:27 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/utils/plugin_testi…:84 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/utils/detail_rende…:185 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/providers/ssh/inst…:143 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/providers/ssh/inst…:139 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/providers/local/in…:147 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/cli/stop.py:203 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/cli/rsync.py:60 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/cli/limit.py:63 |
| LOW | AIC003 | Duplicated implementation block across source files | libs/mngr/imbue/mngr/cli/cleanup.py:346 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/minds/imbue/minds/desktop_client/s…:26 |
| LOW | AIC003 | Duplicated implementation block across source files | apps/minds/imbue/minds/desktop_client/l…:116 |
| LOW | DKR010 | Dockerfile leaves apt package indexes in the image layer | libs/mngr/imbue/mngr/resources/Dockerfi…:53 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | libs/mngr/imbue/mngr/resources/Dockerfi…:53 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | libs/imbue_common/imbue/imbue_common/mo…:1 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | scripts/sync_common_ratchets.py:54 |
| INFO | MINED055 | [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… | scripts/release_tombstones.py:87 |
| INFO | MINED064 | [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. | scripts/modal_nuke.py:169 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | scripts/push_vault_from_file.py:131 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | apps/minds/scripts/first-message-verify…:104 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | apps/minds/scripts/first-message-verify…:55 |
| INFO | MINED077 | [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. | apps/minds/scripts/demo_desktop_client.…:101 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | apps/minds/imbue/minds/desktop_client/m…:80 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | apps/minds/imbue/minds/desktop_client/a…:70 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | apps/minds/imbue/minds/deployment_tests…:37 |
200 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `imbue-ai/mngr`

**Score: 46/100 (C)**  ·  285 findings  ·  scanned 2026-06-05 17:48 UTC  ·  369,665 LOC

| Severity | Count |
|---|---|
| CRITICAL | 20 |
| HIGH | 129 |
| MEDIUM | 65 |
| LOW | 29 |

📊 [Full filterable report](https://repobility.com/scan/a7b11ee0-32b2-48df-87e7-ee0383b49cb7/)  ·  ![scorecard](https://repobility.com/scan/a7b11ee0-32b2-48df-87e7-ee0383b49cb7/report.png?v=1780681684-s2)

### Top findings

1. **HIGH** `MINED006` — Overcatch Baseexception
   `scripts/warm_cli_example.py:162` · CWE-705 · ✓ Repobility
2. **HIGH** `MINED006` — Overcatch Baseexception
   `scripts/poll_modal_agents.py:146` · CWE-705 · ✓ Repobility
3. **HIGH** `MINED034` — Python Subprocess Shell True
   `scripts/josh/workflow.py:188` · CWE-78 · ✓ Repobility
4. **HIGH** `MINED012` — Curl Pipe Bash
   `scripts/install.sh:32` · CWE-494 · ✓ Repobility
5. **HIGH** `MINED021` — Path Traversal Os Join
   `apps/minds/scripts/first-message-verify.sh:79` · CWE-22 · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/a7b11ee0-32b2-48df-87e7-ee0383b49cb7/_
Megaproject: high spam risk
Could not determine 'imbue-ai/mngr' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.