File as GitHub Issue repo: zhouyoukang1234-spec/windsurf-assistant

Push this scan report to zhouyoukang1234-spec/windsurf-assistant

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.


Issue title

Bare Except Pass

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | packages/dao-vm/vm_tunnel.js:89 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:54 |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:81 |
| HIGH | SEC103 | [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… | Windsurf万法归宗/060-修复_Repair/官方模式回归.py:84 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | Windsurf万法归宗/060-修复_Repair/官方模式回归.py:38 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | Windsurf万法归宗/060-修复_Repair/_trajectory_…:105 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | Windsurf万法归宗/060-修复_Repair/_deep_probe.…:272 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | Windsurf万法归宗/060-修复_Repair/_179_net_che…:98 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | Windsurf万法归宗/060-修复_Repair/_179_fix.py:13 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | Windsurf万法归宗/060-修复_Repair/_179_db_diag…:6 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:28 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | Windsurf万法归宗/060-修复_Repair/_build_serve…:59 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | Windsurf万法归宗/030-额度_Credits/临时账号福利/dao_…:83 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | Windsurf万法归宗/060-修复_Repair/_root_analys…:50 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | Windsurf万法归宗/030-额度_Credits/临时账号福利/dao_…:60 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | Windsurf万法归宗/010-反代_Proxy/dao-agent/set…:95 |
| HIGH | SEC100 | [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` orig… | n.js:9 |
| HIGH | SEC100 | [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` orig… | api/gateway.js:6 |
| HIGH | SEC100 | [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` orig… | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:17 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | Windsurf万法归宗/060-修复_Repair/_root_analys…:10 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | Windsurf万法归宗/060-修复_Repair/_diag_leveld…:32 |
| HIGH | SEC085 | [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:14 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | Windsurf万法归宗/060-修复_Repair/_diag_zroliu…:15 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | Windsurf万法归宗/010-反代_Proxy/dao-agent/set…:89 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:19 |
| HIGH | MINED108 | `self.wfile` used but never assigned in `__init__` | Windsurf万法归宗/060-修复_Repair/credit_toolk…:535 |
| HIGH | COMP001 | [COMP001] High cognitive complexity: Function `cleanup_trajectories` has cognitive comple… | Windsurf万法归宗/060-修复_Repair/_trajectory_…:73 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-d.yml:31 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v4` | .github/workflows/ci.yml:53 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/ci.yml:41 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/ci.yml:38 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v4` | .github/workflows/ci.yml:29 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/ci.yml:18 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/ci.yml:15 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-c.yml:34 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-c.yml:31 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-boot.yml:33 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-boot.yml:31 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-fleet-cloud.yml:101 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-fleet-cloud.yml:98 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v7` | .github/workflows/_enable_pages_once.yml:33 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-main-shell.yml:11 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-a.yml:37 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-a.yml:34 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-vm-free-loop.yml:44 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-vm-free-loop.yml:39 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/test-core.yml:26 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/test-core.yml:25 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-b.yml:34 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-vm-loop-b.yml:31 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v4` | .github/workflows/dao-fleet.yml:49 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/dao-fleet.yml:46 |
| HIGH | MINED118 | Dockerfile FROM `gitpod/workspace-node:latest` not pinned by digest | .gitpod.Dockerfile:1 |
| HIGH | SEC020 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | Windsurf万法归宗/060-修复_Repair/_yin194_help…:62 |
| HIGH | SEC020 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-b… | Windsurf万法归宗/060-修复_Repair/_root_analys…:55 |
| HIGH | AGT003 | User-editable role instructions are inserted into the system prompt | web/legacy.html:241 |
| HIGH | AGT003 | User-editable role instructions are inserted into the system prompt | web/dao_app.js:915 |
| MED | SEC012 | [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation all… | packages/dao-proxy-min/install.sh:194 |
| MED | SEC012 | [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation all… | Windsurf万法归宗/070-插件_Plugins/020-道VSIX_D…:194 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:34 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | Windsurf万法归宗/060-修复_Repair/agent-remote…:41 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | Windsurf万法归宗/060-修复_Repair/_proxy_split…:39 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | Windsurf万法归宗/060-修复_Repair/官方模式回归.py:38 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | Windsurf万法归宗/060-修复_Repair/_trajectory_…:105 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | Windsurf万法归宗/060-修复_Repair/_deep_probe.…:272 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | packages/dao-injector/extension/inject.…:213 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | packages/dao-injector/extension/content…:113 |
| MED | ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | Windsurf万法归宗/060-修复_Repair/_build_serve…:169 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | Windsurf万法归宗/060-修复_Repair/_root_analys…:10 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | Windsurf万法归宗/060-修复_Repair/_diag_leveld…:32 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:14 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_deep_probe.…:264 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_proxy_split…:58 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_proxy_split…:49 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_proxy_split…:39 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_laptop_diag…:24 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_anti_finger…:342 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_anti_finger…:168 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_lt_fix2.py:23 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_fix.py:199 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_fix.py:118 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_fix.py:48 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_net_che…:71 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_net_che…:56 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_net_che…:37 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_179_net_che…:28 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/_lt_fix3.py:23 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:105 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:646 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:619 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:603 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:587 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:580 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:572 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:109 |
| MED | MINED111 | Bare except continues silently | Windsurf万法归宗/060-修复_Repair/credit_toolk…:85 |
| MED | DEPCUR-GHA | GitHub Action `actions/configure-pages@v5` is 1 major version(s) behind (latest v6.0.0) | .github/workflows/deploy-pages.yml:48 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/deploy-pages.yml:46 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-vm-loop-d.yml:34 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-vm-loop-d.yml:31 |
| MED | DEPCUR-GHA | GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1) | .github/workflows/ci.yml:29 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/ci.yml:18 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/ci.yml:15 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-vm-loop-c.yml:34 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-vm-loop-c.yml:31 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-boot.yml:33 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-boot.yml:31 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-fleet-cloud.yml:101 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-fleet-cloud.yml:98 |
| MED | DEPCUR-GHA | GitHub Action `actions/github-script@v7` is 2 major version(s) behind (latest v9.0.0) | .github/workflows/_enable_pages_once.yml:33 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-main-shell.yml:11 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-vm-loop-a.yml:37 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-vm-loop-a.yml:34 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-vm-free-loop.yml:44 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-vm-free-loop.yml:39 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/test-core.yml:26 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/test-core.yml:25 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-vm-loop-b.yml:34 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-vm-loop-b.yml:31 |
| MED | DEPCUR-GHA | GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0) | .github/workflows/dao-fleet.yml:49 |
| MED | DEPCUR-GHA | GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3) | .github/workflows/dao-fleet.yml:46 |
| MED | DEPCUR-NPM | npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3) | Windsurf万法归宗/060-修复_Repair/agent-remote… |
| MED | AGT007 | localStorage write failures are swallowed silently | web/dao_github_sync.js:174 |
| MED | AGT007 | localStorage write failures are swallowed silently | packages/wam/extension.js:7776 |
| MED | AGT007 | localStorage write failures are swallowed silently | Windsurf万法归宗/060-修复_Repair/agent-remote…:331 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | AIC004 | Suspicious implementation file appears unreferenced | Windsurf万法归宗/060-修复_Repair/_lt_fix.py:1 |
| MED | AIC004 | Suspicious implementation file appears unreferenced | Windsurf万法归宗/060-修复_Repair/_final_deep_…:1 |
| MED | AIC004 | Suspicious implementation file appears unreferenced | Windsurf万法归宗/060-修复_Repair/_apply_casca…:1 |
| MED | AIC004 | Suspicious implementation file appears unreferenced | Windsurf万法归宗/060-修复_Repair/_179_fix.py:1 |
| MED | AGT012 | Agent control bridge may listen on a network interface without visible auth | Windsurf万法归宗/060-修复_Repair/agent-remote…:2 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | scripts/dao/vm_total.sh:23 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | scripts/dao/vm_bootstrap.sh:12 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | Windsurf万法归宗/005-文档_docs/印记/印200_道法自然_本…:101 |
| MED | AGT015 | Remote install command pipes network code directly to a shell | Windsurf万法归宗/005-文档_docs/印记/印155续_实战收束_…:145 |
| MED | CORE_LARGE_FILES | Average file size is 532 lines (recommend <300) | |
| LOW | SEC124 | [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | Windsurf万法归宗/060-修复_Repair/agent-remote…:239 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | Windsurf万法归宗/060-修复_Repair/agent-remote…:51 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | Windsurf万法归宗/060-修复_Repair/_yin194_help…:156 |
| LOW | SEC132 | [SEC132] String concat where the language has interpolation (AI style drift): String buil… | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:12 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `check_and_clean` has cognitive complexity … | Windsurf万法归宗/060-修复_Repair/agent-remote…:19 |
| LOW | COMP001 | [COMP001] High cognitive complexity: Function `get_state_size` has cognitive complexity 8… | Windsurf万法归宗/060-修复_Repair/_trajectory_…:49 |
| LOW | DEPCUR-NPM | npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2) | packages/dao-proxy-min/package.json |
| LOW | DEPCUR-NPM | npm package `@types/vscode` is minor version(s) behind (^1.84.0 -> 1.120.0) | packages/dao-proxy-min/package.json |
| LOW | DEPCUR-NPM | npm package `postcss` is minor version(s) behind (8.4.31 -> 8.5.15) | Windsurf万法归宗/060-修复_Repair/agent-remote… |
| LOW | DEPCUR-NPM | npm package `autoprefixer` is minor version(s) behind (10.4.24 -> 10.5.0) | Windsurf万法归宗/060-修复_Repair/agent-remote… |
| LOW | DEPCUR-NPM | npm package `ws` is minor version(s) behind (8.19.0 -> 8.21.0) | Windsurf万法归宗/060-修复_Repair/agent-remote… |
| LOW | DEPCUR-NPM | npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2) | Windsurf万法归宗/070-插件_Plugins/020-道VSIX_D… |
| LOW | DEPCUR-NPM | npm package `@types/vscode` is minor version(s) behind (^1.84.0 -> 1.120.0) | Windsurf万法归宗/070-插件_Plugins/020-道VSIX_D… |
| LOW | DEPCUR-NPM | npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2) | Windsurf万法归宗/070-插件_Plugins/020-道VSIX_D… |
| LOW | DEPCUR-NPM | npm package `@types/vscode` is minor version(s) behind (^1.84.0 -> 1.120.0) | Windsurf万法归宗/070-插件_Plugins/020-道VSIX_D… |
| LOW | AIC003 | Duplicated implementation block across source files | web/dao_github_sync.js:74 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/dao-vm/vm_up.js:394 |
| LOW | AIC003 | Duplicated implementation block across source files | packages/dao-injector/userscript/dao-de…:52 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:55 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/130-道独立体_Standalone/05-Git…:26 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/agent-remote…:62 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/agent-remote…:14 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/agent-remote…:70 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:47 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:34 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:35 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:11 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:104 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:32 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_root_analys…:11 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_lt_quick.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_lt_fix3.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_lt_fix3.py:2 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_lt_fix2.py:3 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_lt_dao.py:5 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/060-修复_Repair/_diag_editor…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/030-额度_Credits/临时账号福利/dao_…:70 |
| LOW | AIC003 | Duplicated implementation block across source files | Windsurf万法归宗/010-反代_Proxy/dao-agent/unw…:7 |
| LOW | WEB002 | Public web app has no sitemap | sitemap.xml |
| LOW | AIC006 | Archive or legacy directory is mixed into the active repository root | _archive:1 |
| LOW | AIC005 | Duplicate top-level symbol appears in a patch-style file | Windsurf万法归宗/060-修复_Repair/_final_deep_…:1 |
| LOW | AIC005 | Duplicate top-level symbol appears in a patch-style file | Windsurf万法归宗/060-修复_Repair/_lt_fix.py:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | Windsurf万法归宗/060-修复_Repair/_lt_fix.py:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | Windsurf万法归宗/060-修复_Repair/_final_deep_…:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | Windsurf万法归宗/060-修复_Repair/_apply_casca…:1 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | Windsurf万法归宗/060-修复_Repair/_179_fix.py:1 |
| LOW | WEB011 | Public web app has no humans.txt | humans.txt |
| INFO | MINED098 | [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global win… | packages/dao-injector/extension/inject.…:257 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | Windsurf万法归宗/060-修复_Repair/官方模式回归.py:39 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | Windsurf万法归宗/060-修复_Repair/_trajectory_…:120 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | Windsurf万法归宗/060-修复_Repair/_deep_probe.…:273 |
| INFO | MINED077 | [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. | Windsurf万法归宗/060-修复_Repair/_179_fix.py:28 |
| INFO | MINED077 | [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. | Windsurf万法归宗/060-修复_Repair/_179_db_diag…:12 |
| INFO | MINED063 | [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | Windsurf万法归宗/060-修复_Repair/agent-remote…:22 |
| INFO | MINED063 | [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | Windsurf万法归宗/060-修复_Repair/_179_fix.py:130 |
| INFO | MINED063 | [MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | Windsurf万法归宗/060-修复_Repair/_179_db_diag…:11 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | Windsurf万法归宗/060-修复_Repair/_lt_sys.py:28 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | Windsurf万法归宗/060-修复_Repair/_laptop_diag…:66 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:12 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | Windsurf万法归宗/010-反代_Proxy/dao-agent/unw…:65 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | Windsurf万法归宗/010-反代_Proxy/dao-agent/set…:135 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:12 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | n.js:11 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | 130-道独立体_Standalone/01-VM/vm-side/dao_n…:19 |

200 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `zhouyoukang1234-spec/windsurf-assistant`

**Score: 47/100 (F)**  ·  249 findings  ·  scanned 2026-06-05 15:26 UTC  ·  91,045 LOC

| Severity | Count |
|---|---|
| CRITICAL | 32 |
| HIGH | 74 |
| MEDIUM | 79 |
| LOW | 47 |

📊 [Full filterable report](https://repobility.com/scan/f833405c-b5d5-423e-926f-75cc8b93ff75/)  ·  ![scorecard](https://repobility.com/scan/f833405c-b5d5-423e-926f-75cc8b93ff75/report.png?v=1780673183-s2)

### Top findings

1. **HIGH** `SEC040` — innerHTML XSS — template literal with server-supplied data
   `packages/dao-vm/vm_tunnel.js:89` · CWE-79 · A03:2021 Injection (XSS)
2. **HIGH** `SEC040` — innerHTML XSS — template literal with server-supplied data
   `Windsurf万法归宗/130-道独立体_Standalone/05-GitHub/_hdougle_测试/lj_to_hdougle.js:54` · CWE-79 · A03:2021 Injection (XSS)
3. **HIGH** `MINED004` — Weak Crypto
   `Windsurf万法归宗/130-道独立体_Standalone/05-GitHub/_hdougle_测试/dao_hd_set_secret.js:81` · CWE-327 · ✓ Repobility
4. **HIGH** `SEC103` — LDAP injection — non-constant search filter
   `Windsurf万法归宗/060-修复_Repair/官方模式回归.py:84` · A03:2021 Injection
5. **HIGH** `MINED001` — Bare Except Pass
   `Windsurf万法归宗/060-修复_Repair/官方模式回归.py:38` · CWE-755 · ✓ Repobility

---

**Security note**: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your `SECURITY.md` policy or open a [private security advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) instead. We're happy to close this and re-submit privately.

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/f833405c-b5d5-423e-926f-75cc8b93ff75/_
Megaproject: high spam risk
Could not determine 'zhouyoukang1234-spec/windsurf-assistant' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.