File as GitHub Issue repo: unclecode/crawl4ai

Push this scan report to unclecode/crawl4ai

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.


Issue title

Workflow uses `secrets.GOOGLE_SCRIPT_ENDPOINT` on a `pull_request` trigger

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | MINED107 | Missing import: `json` used but not imported: The file uses `json.something(..… | `crawl4ai/crawlers/amazon_product/crawle…:17` |
| CRIT | MINED116 | Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger: This work… | `.github/workflows/main.yml:33` |
| CRIT | MINED116 | Workflow uses `secrets.DISCORD_STAR_GAZERS` on a `pull_request` trigger: This … | `.github/workflows/main.yml:31` |
| CRIT | MINED116 | Workflow uses `secrets.DISCORD_DISCUSSIONS_WEBHOOK` on a `pull_request` trigge… | `.github/workflows/main.yml:29` |
| CRIT | MINED116 | Workflow uses `secrets.GOOGLE_SCRIPT_ENDPOINT` on a `pull_request` trigger: Th… | `.github/workflows/main.yml:22` |
| CRIT | MINED114 | Admin endpoint without auth: DELETE /admin/sponsors/{sponsor_id}: Handler `del… | `docs/md_v2/marketplace/backend/server.py:462` |
| CRIT | MINED114 | Admin endpoint without auth: PUT /admin/sponsors/{sponsor_id}: Handler `update… | `docs/md_v2/marketplace/backend/server.py:448` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/sponsors: Handler `create_sponsor` se… | `docs/md_v2/marketplace/backend/server.py:434` |
| CRIT | MINED114 | Admin endpoint without auth: DELETE /admin/categories/{cat_id}: Handler `delet… | `docs/md_v2/marketplace/backend/server.py:422` |
| CRIT | MINED114 | Admin endpoint without auth: PUT /admin/categories/{cat_id}: Handler `update_c… | `docs/md_v2/marketplace/backend/server.py:404` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/categories: Handler `create_category`… | `docs/md_v2/marketplace/backend/server.py:387` |
| CRIT | MINED114 | Admin endpoint without auth: DELETE /admin/articles/{article_id}: Handler `del… | `docs/md_v2/marketplace/backend/server.py:378` |
| CRIT | MINED114 | Admin endpoint without auth: PUT /admin/articles/{article_id}: Handler `update… | `docs/md_v2/marketplace/backend/server.py:361` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/articles: Handler `create_article` se… | `docs/md_v2/marketplace/backend/server.py:343` |
| CRIT | MINED114 | Admin endpoint without auth: DELETE /admin/apps/{app_id}: Handler `delete_app`… | `docs/md_v2/marketplace/backend/server.py:334` |
| CRIT | MINED114 | Admin endpoint without auth: PUT /admin/apps/{app_id}: Handler `update_app` se… | `docs/md_v2/marketplace/backend/server.py:316` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/apps: Handler `create_app` serves an … | `docs/md_v2/marketplace/backend/server.py:297` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/login: Handler `admin_login` serves a… | `docs/md_v2/marketplace/backend/server.py:256` |
| CRIT | MINED114 | Admin endpoint without auth: POST /admin/upload-image: Handler `upload_image` … | `docs/md_v2/marketplace/backend/server.py:232` |
| HIGH | MINED110 | Blocking call `input` inside async function `url_seeder_demo`: `input` is a sy… | `docs/releases_review/crawl4ai_v0_7_0_sh…:948` |
| HIGH | MINED110 | Blocking call `input` inside async function `url_seeder_demo`: `input` is a sy… | `docs/releases_review/crawl4ai_v0_7_0_sh…:892` |
| HIGH | MINED110 | Blocking call `input` inside async function `url_seeder_demo`: `input` is a sy… | `docs/releases_review/crawl4ai_v0_7_0_sh…:864` |
| HIGH | MINED110 | Blocking call `input` inside async function `virtual_scroll_demo`: `input` is … | `docs/releases_review/crawl4ai_v0_7_0_sh…:744` |
| HIGH | MINED110 | Blocking call `input` inside async function `virtual_scroll_demo`: `input` is … | `docs/releases_review/crawl4ai_v0_7_0_sh…:702` |
| HIGH | MINED110 | Blocking call `input` inside async function `adaptive_crawling_demo`: `input` … | `docs/releases_review/crawl4ai_v0_7_0_sh…:496` |
| HIGH | MINED110 | Blocking call `input` inside async function `adaptive_crawling_demo`: `input` … | `docs/releases_review/crawl4ai_v0_7_0_sh…:448` |
| HIGH | MINED110 | Blocking call `input` inside async function `link_preview_demo`: `input` is a … | `docs/releases_review/crawl4ai_v0_7_0_sh…:275` |
| HIGH | MINED110 | Blocking call `input` inside async function `link_preview_demo`: `input` is a … | `docs/releases_review/crawl4ai_v0_7_0_sh…:166` |
| HIGH | MINED110 | Blocking call `input` inside async function `main`: `input` is a synchronous (… | `docs/examples/docker_config_obj.py:244` |
| HIGH | MINED110 | Blocking call `input` inside async function `main`: `input` is a synchronous (… | `docs/examples/identity_based_browsing.py:68` |
| HIGH | MINED110 | Blocking call `input` inside async function `main`: `input` is a synchronous (… | `docs/examples/demo_multi_config_clean.py:293` |
| HIGH | MINED110 | Blocking call `requests.append` inside async function `analyze_spa_network_tra… | `docs/examples/network_console_capture_e…:187` |
| HIGH | MINED110 | Blocking call `input` inside async function `main`: `input` is a synchronous (… | `docs/examples/docker_hooks_examples.py:562` |
| HIGH | MINED106 | Phantom test coverage: test_docker_deployment: Test function `test_docker_depl… | `tests/docker_example.py:62` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:941` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:905` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:932` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:893` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:859` |
| HIGH | MINED110 | Blocking call `input` inside async function `interactive_manager`: `input` is … | `crawl4ai/browser_profiler.py:854` |
| HIGH | MINED110 | Blocking call `input` inside async function `_listen_fallback`: `input` is a s… | `crawl4ai/browser_profiler.py:338` |
| HIGH | MINED108 | `self._compute_distance_matrix` used but never assigned in `__init__`: Method `_… | `crawl4ai/adaptive_crawler copy.py:656` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `_get_document_te… | `crawl4ai/adaptive_crawler copy.py:585` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `update_state` of… | `crawl4ai/adaptive_crawler copy.py:545` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `_calculate_novel… | `crawl4ai/adaptive_crawler copy.py:459` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `_calculate_relev… | `crawl4ai/adaptive_crawler copy.py:437` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `_calculate_relev… | `crawl4ai/adaptive_crawler copy.py:436` |
| HIGH | MINED108 | `self._calculate_novelty` used but never assigned in `__init__`: Method `rank_li… | `crawl4ai/adaptive_crawler copy.py:397` |
| HIGH | MINED108 | `self._calculate_relevance` used but never assigned in `__init__`: Method `rank_… | `crawl4ai/adaptive_crawler copy.py:396` |
| HIGH | MINED108 | `self._get_document_terms` used but never assigned in `__init__`: Method `_calcu… | `crawl4ai/adaptive_crawler copy.py:354` |
| HIGH | MINED108 | `self._get_document_terms` used but never assigned in `__init__`: Method `_calcu… | `crawl4ai/adaptive_crawler copy.py:353` |
| HIGH | MINED108 | `self._tokenize` used but never assigned in `__init__`: Method `_calculate_cover… | `crawl4ai/adaptive_crawler copy.py:311` |
| HIGH | MINED108 | `self._calculate_saturation` used but never assigned in `__init__`: Method `calc… | `crawl4ai/adaptive_crawler copy.py:289` |
| HIGH | MINED108 | `self._calculate_consistency` used but never assigned in `__init__`: Method `cal… | `crawl4ai/adaptive_crawler copy.py:288` |
| HIGH | MINED108 | `self._calculate_coverage` used but never assigned in `__init__`: Method `calcul… | `crawl4ai/adaptive_crawler copy.py:287` |
| HIGH | MINED108 | `self.metadata` used but never assigned in `__init__`: Method `_dict_to_crawl_re… | `crawl4ai/adaptive_crawler copy.py:143` |
| HIGH | MINED108 | `self.links` used but never assigned in `__init__`: Method `_dict_to_crawl_resul… | `crawl4ai/adaptive_crawler copy.py:142` |
| HIGH | MINED108 | `self.markdown` used but never assigned in `__init__`: Method `_dict_to_crawl_re… | `crawl4ai/adaptive_crawler copy.py:141` |
| HIGH | MINED108 | `self.url` used but never assigned in `__init__`: Method `_dict_to_crawl_result`… | `crawl4ai/adaptive_crawler copy.py:140` |
| HIGH | MINED108 | `self.raw_markdown` used but never assigned in `__init__`: Method `_dict_to_craw… | `crawl4ai/adaptive_crawler copy.py:136` |
| HIGH | MINED108 | `self._crawl_result_to_dict` used but never assigned in `__init__`: Method `save… | `crawl4ai/adaptive_crawler copy.py:61` |
| HIGH | MINED108 | `self.close` used but never assigned in `__init__`: Method `__aexit__` of class … | `crawl4ai/docker_client.py:206` |
| HIGH | MINED108 | `self._request` used but never assigned in `__init__`: Method `get_schema` of cl… | `crawl4ai/docker_client.py:194` |
| HIGH | MINED108 | `self._request` used but never assigned in `__init__`: Method `crawl` of class `… | `crawl4ai/docker_client.py:183` |
| HIGH | MINED108 | `self._check_server` used but never assigned in `__init__`: Method `crawl` of cl… | `crawl4ai/docker_client.py:159` |
| HIGH | MINED108 | `self._prepare_request` used but never assigned in `__init__`: Method `crawl` of… | `crawl4ai/docker_client.py:161` |
| HIGH | SEC040 | innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | `docs/md_v2/assets/github_stats.js:97` |
| HIGH | SEC040 | innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | `docs/md_v2/apps/crawl4ai-assistant/cont…:187` |
| HIGH | MINED006 | Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | `docs/examples/identity_based_browsing.py:105` |
| HIGH | MINED006 | Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | `docs/examples/docker/demo_docker_pollin…:146` |
| HIGH | MINED006 | Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… | `docs/examples/crawler_monitor_example.py:187` |
| HIGH | SEC006 | XSS Risk: Direct HTML injection without sanitization. | `docs/examples/capsolver_captcha_solver/…:48` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `docs/md_v2/apps/c4a-script/server.py:44` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `docs/examples/c4a_script/tutorial/serve…:44` |
| HIGH | SEC135 | Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint g… | `deploy/docker/job.py:54` |
| HIGH | MINED004 | Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | `deploy/docker/crawler_pool.py:49` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `docs/examples/rest_call.py:8` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `docs/examples/research_assistant.py:44` |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | `crawl4ai/legacy/docs_manager.py:41` |
| HIGH | SEC004 | SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection. | `crawl4ai/legacy/database.py:166` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `docs/examples/docker/demo_docker_pollin…:44` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `deploy/docker/crawler_pool.py:97` |
| HIGH | MINED001 | Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | `crawl4ai/html2text/utils.py:156` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `crawl4ai/proxy_strategy.py:119` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `crawl4ai/markdown_generation_strategy.py:194` |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | `crawl4ai/html2text/utils.py:75` |
| HIGH | SEC032 | Unrestricted File Upload — no extension/MIME validation: File upload accepts the… | `crawl4ai/html2text/cli.py:277` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `crawl4ai/deep_crawling/base_strategy.py:92` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `crawl4ai/crawlers/google_search/script.…:84` |
| HIGH | SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | `crawl4ai/cache_context.py:31` |
| HIGH | COMP001 | High cognitive complexity: Function `validate` has cognitive complexity 30 (Son… | `crawl4ai/cache_validator.py:83` |
| HIGH | COMP001 | High cognitive complexity: Function `is_blocked` has cognitive complexity 35 (S… | `crawl4ai/antibot_detector.py:191` |
| HIGH | DKR014 | Dockerfile copies the entire context without .dockerignore | `Dockerfile:138` |
| HIGH | MINED115 | Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softp… | `.github/workflows/release.yml:70` |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… | `.github/workflows/release.yml:19` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | `.github/workflows/release.yml:16` |
| HIGH | MINED115 | Action `Ilshidur/action-discord` pinned to mutable ref `@master`: `uses: Ilshi… | `.github/workflows/main.yml:37` |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | `.github/workflows/docker-release.yml:34` |
| HIGH | MINED118 | Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python… | `Dockerfile:1` |
| HIGH | SEC020 | Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | `docs/examples/capsolver_captcha_solver/…:36` |
| HIGH | SEC020 | Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | `docs/examples/capsolver_captcha_solver/…:36` |
| HIGH | SEC004 | SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection. | `docs/md_v2/marketplace/backend/database…:82` |
| HIGH | MINED112 | FastAPI POST /stats/reset has no auth: Handler `reset_stats` is registered wit… | `deploy/docker/monitor_routes.py:340` |
| HIGH | MINED112 | FastAPI POST /actions/restart_browser has no auth: Handler `restart_browser` i… | `deploy/docker/monitor_routes.py:257` |
| HIGH | MINED112 | FastAPI POST /actions/kill_browser has no auth: Handler `kill_browser` is regi… | `deploy/docker/monitor_routes.py:188` |
| HIGH | MINED112 | FastAPI POST /actions/cleanup has no auth: Handler `force_cleanup` is register… | `deploy/docker/monitor_routes.py:157` |
| HIGH | MINED112 | FastAPI POST /token has no auth: Handler `get_token` is registered with router… | `deploy/docker/server.py:314` |
| HIGH | MINED112 | FastAPI DELETE /models/{model_name} has no auth: Handler `delete_model_config`… | `docs/examples/website-to-api/api_server…:341` |
| HIGH | MINED112 | FastAPI POST /models has no auth: Handler `save_model_config` is registered wi… | `docs/examples/website-to-api/api_server…:320` |
| HIGH | MINED112 | FastAPI POST /clear-cache has no auth: Handler `clear_schema_cache` is registe… | `docs/examples/website-to-api/api_server…:295` |
| HIGH | MINED112 | FastAPI DELETE /saved-requests/{request_id} has no auth: Handler `delete_saved… | `docs/examples/website-to-api/api_server…:266` |
| HIGH | MINED112 | FastAPI POST /scrape-with-llm has no auth: Handler `scrape_website_endpoint_wi… | `docs/examples/website-to-api/api_server…:195` |
| HIGH | MINED112 | FastAPI POST /scrape has no auth: Handler `scrape_website_endpoint` is registe… | `docs/examples/website-to-api/api_server…:131` |
| HIGH | SEC013 | Path Traversal — User Input in File Path: User-controlled input used in file pat… | `crawl4ai/crawlers/google_search/crawler…:114` |
| MED | MINED109 | Mutable default argument in `create_html_page` (list): `def create_html_page(.… | `tests/general/generate_dummy_site.py:24` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/markdown_generation_strategy.py:240` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/markdown_generation_strategy.py:225` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/markdown_generation_strategy.py:211` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/markdown_generation_strategy.py:251` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/async_configs.py:465` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/async_configs.py:399` |
| MED | MINED109 | Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set()… | `crawl4ai/async_configs.py:1399` |
| MED | MINED109 | Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set()… | `crawl4ai/async_configs.py:604` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/content_filter_strategy.py:377` |
| MED | MINED109 | Mutable default argument in `_proceed_with_chunk` (dict): `def _proceed_with_c… | `crawl4ai/content_filter_strategy.py:973` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/browser_profiler.py:124` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/browser_profiler.py:777` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/adaptive_crawler copy.py:1426` |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | `crawl4ai/adaptive_crawler copy.py:753` |
| MED | SEC046 | Client-side open redirect — window.location = server-supplied URL: Assigning win… | `docs/md_v2/assets/selection_ask_ai.js:120` |
| MED | SEC123 | Production stack trace / debug output exposed: Debug mode left on in production … | `docs/md_v2/apps/c4a-script/server.py:304` |
| MED | SEC123 | Production stack trace / debug output exposed: Debug mode left on in production … | `docs/examples/c4a_script/tutorial/serve…:304` |
| MED | ERR001 | Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | `setup.py:40` |
| MED | ERR001 | Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | `deploy/docker/crawler_pool.py:97` |
| MED | SEC015 | Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … | `deploy/docker/auth.py:53` |
| MED | SEC136 | AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | `crawl4ai/proxy_strategy.py:37` |
| MED | SEC136 | AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | `crawl4ai/legacy/version_manager.py:18` |
| MED | SEC042 | SQL identifier injection via f-string in cursor execute: f-string SQL normalizes… | `docs/md_v2/marketplace/backend/database…:31` |
| MED | SEC042 | SQL identifier injection via f-string in cursor execute: f-string SQL normalizes… | `crawl4ai/legacy/database.py:40` |
| MED | SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | `docs/examples/c4a_script/demo_c4a_crawl…:34` |
| MED | SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | `docs/examples/builtin_browser_example.py:67` |
| MED | SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | `crawl4ai/docker_client.py:212` |
| MED | AUC001 | No Repobility access matrix policy found: The repository uses web/API frameworks… | |
| MED | MINED124 | requirements.txt: `litellm` has no version pin: Unpinned pip requirement means… | `docs/examples/website-to-api/requiremen…:5` |
| MED | MINED124 | requirements.txt: `pydantic` has no version pin: Unpinned pip requirement mean… | `docs/examples/website-to-api/requiremen…:4` |
| MED | MINED124 | requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means… | `docs/examples/website-to-api/requiremen…:3` |
| MED | MINED124 | requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means… | `docs/examples/website-to-api/requiremen…:2` |
| MED | MINED124 | requirements.txt: `crawl4ai` has no version pin: Unpinned pip requirement mean… | `docs/examples/website-to-api/requiremen…:1` |
| MED | MINED124 | requirements.txt: `python-dotenv` has no version pin: Unpinned pip requirement… | `docs/md_v2/marketplace/backend/requirem…:5` |
| MED | MINED124 | requirements.txt: `python-multipart` has no version pin: Unpinned pip requirem… | `docs/md_v2/marketplace/backend/requirem…:4` |
| MED | MINED124 | requirements.txt: `pyyaml` has no version pin: Unpinned pip requirement means … | `docs/md_v2/marketplace/backend/requirem…:3` |
| MED | MINED124 | requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means… | `docs/md_v2/marketplace/backend/requirem…:2` |
| MED | MINED124 | requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means… | `docs/md_v2/marketplace/backend/requirem…:1` |
| MED | DKR007 | Docker build context has no .dockerignore | `.dockerignore` |
| MED | DKR017 | Dockerfile installs dependencies after copying the full source tree | `Dockerfile:144` |
| MED | DKR009 | Dockerfile separates apt update from install | `Dockerfile:89` |
| MED | DKR018 | Database dump or local database file is included in Docker build context | `.dockerignore` |
| MED | JRN002 | Browser storage is used for session token material | `docs/md_v2/marketplace/admin/admin.js:108` |
| MED | JRN002 | Browser storage is used for session token material | `docs/md_v2/marketplace/admin/admin.js:50` |
| MED | AIC001 | Parallel implementation file sits beside a canonical file | `crawl4ai/adaptive_crawler copy.py:1` |
| MED | AGT007 | localStorage write failures are swallowed silently | `docs/md_v2/marketplace/admin/admin.js:18` |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `docs/md_v2/marketplace/frontend/app-det…:4` |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | `docs/examples/website-to-api/api_server…:1` |
| LOW | SEC124 | TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | `crawl4ai/migrations.py:53` |
| LOW | COMP001 | High cognitive complexity: Function `_structural_integrity_check` has cognitive… | `crawl4ai/antibot_detector.py:138` |
| LOW | AIC003 | Duplicated implementation block across source files | `setup.py:7` |
| LOW | AIC003 | Duplicated implementation block across source files | `deploy/docker/server.py:380` |
| LOW | AIC003 | Duplicated implementation block across source files | `crawl4ai/deep_crawling/dfs_strategy.py:104` |
| LOW | AIC003 | Duplicated implementation block across source files | `crawl4ai/deep_crawling/bfs_strategy.py:20` |
| LOW | DKR012 | Dockerfile keeps pip download cache | `Dockerfile:158` |
| LOW | WEB008 | Public docs site has no llms.txt | `llms.txt` |
| LOW | AIC005 | Duplicate top-level symbol appears in a patch-style file | `crawl4ai/adaptive_crawler copy.py:1` |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | `docker-compose.yml:36` |
| INFO | MINED077 | Python Open No Context: fp = open(path) outside with-block leaks file handles. | `setup.py:47` |
| INFO | MINED098 | Global Scope Pollution: Attaching libraries/objects directly to the global win… | `docs/md_v2/apps/crawl4ai-assistant/cont…:299` |
| INFO | MINED047 | Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explic… | `docs/examples/table_extraction_example.…:121` |
| INFO | MINED074 | Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.exa… | `docs/examples/demo_multi_config_clean.py:61` |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | `docs/examples/identity_based_browsing.py:68` |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | `docs/examples/docker_config_obj.py:244` |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | `docs/examples/demo_multi_config_clean.py:293` |
| INFO | MINED069 | Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files. | `docs/md_v2/apps/c4a-script/server.py:304` |
| INFO | MINED069 | Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files. | `docs/examples/c4a_script/tutorial/serve…:304` |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | `docs/examples/capsolver_captcha_solver/…:36` |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | `docs/examples/capsolver_captcha_solver/…:36` |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | `deploy/docker/auth.py:28` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `docs/examples/nst_proxy/api_proxy_examp…:28` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `crawl4ai/processors/pdf/__init__.py:157` |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | `crawl4ai/legacy/docs_manager.py:41` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `docs/examples/c4a_script/github_search/…:37` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `docs/apps/linkdin/templates/ai.js:6` |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | `crawl4ai/js_snippet/remove_overlay_elem…:46` |
| INFO | MINED063 | Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | `crawl4ai/crawlers/google_search/crawler…:75` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `crawl4ai/docker_client.py:15` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `crawl4ai/deep_crawling/base_strategy.py:67` |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | `crawl4ai/chunking_strategy.py:24` |
| INFO | MINED062 | Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | `crawl4ai/script/c4a_result.py:25` |
| INFO | MINED062 | Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | `crawl4ai/cache_validator.py:32` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `crawl4ai/processors/pdf/__init__.py:127` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `crawl4ai/markdown_generation_strategy.py:16` |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | `crawl4ai/cache_context.py:53` |
200 findings available (after auto-suppression of test files and won't-fix).

Issue body (markdown)

## Code-quality scan: `unclecode/crawl4ai`

**Score: 72/100 (A-)**  ·  257 findings  ·  scanned 2026-06-05 08:43 UTC  ·  166,985 LOC

| Severity | Count |
|---|---|
| CRITICAL | 30 |
| HIGH | 95 |
| MEDIUM | 49 |
| LOW | 10 |

📊 [Full filterable report](https://repobility.com/scan/dfd63be9-051b-41fa-be97-0e1a8a59c2d1/)  ·  ![scorecard](https://repobility.com/scan/dfd63be9-051b-41fa-be97-0e1a8a59c2d1/report.png?v=1780648980-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `json` used but not imported
   `crawl4ai/crawlers/amazon_product/crawler.py:17` · ✓ Repobility
2. **CRITICAL** `MINED116` — Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger
   `.github/workflows/main.yml:33` · ✓ Repobility
3. **CRITICAL** `MINED116` — Workflow uses `secrets.DISCORD_STAR_GAZERS` on a `pull_request` trigger
   `.github/workflows/main.yml:31` · ✓ Repobility
4. **CRITICAL** `MINED116` — Workflow uses `secrets.DISCORD_DISCUSSIONS_WEBHOOK` on a `pull_request` trigger
   `.github/workflows/main.yml:29` · ✓ Repobility
5. **CRITICAL** `MINED116` — Workflow uses `secrets.GOOGLE_SCRIPT_ENDPOINT` on a `pull_request` trigger
   `.github/workflows/main.yml:22` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/dfd63be9-051b-41fa-be97-0e1a8a59c2d1/_
Already filed: This repo publishes a SECURITY.md policy and the scan contains 21 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.

Megaproject — high spam risk: Could not determine 'unclecode/crawl4ai' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

Already filed: 149/280 findings (53%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub’s new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.