Push this scan report to tinyhumansai/openhuman

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Hi @tinyhumansai, an automated scan of this repository surfaced **72 code-quality findings** that may be worth a look. 
Full details, severity filters, and per-file context are at the link below — feel free to close this issue if it isn't useful to you.

## Full interactive report

**https://repobility.com/scan/fc621168-a7ef-4013-b97a-0b4d573d408e/**

![Live scan page](https://repobility.com/scan/fc621168-a7ef-4013-b97a-0b4d573d408e/report.png?v=1778960721)

## At a glance

- **Score**: `84/100`  •  **Grade**: `A-`
- **Scanned**: `2026-05-16 19:45 UTC`
- **Lines of code**: 549,384
- **Total findings**: 72
- **Security-tagged**: 12
- **Credential / secret patterns**: 6

## Top issues, with file & line

_These are deterministic rule-based findings — the file paths and line numbers below are real and can be verified in your tree._

1. **[critical]** [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code. — `src/openhuman/memory/safety/mod.rs:410`
   _Remove immediately and rotate the token. Use environment variables._
2. **[critical]** [SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files. — `src/openhuman/memory/safety/mod.rs:351`
   _Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store._
3. **[critical]** [SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files. — `src/openhuman/memory/tree/jobs/redact.rs:137`
   _Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store._
4. **[critical]** [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code. — `src/openhuman/memory/tree/jobs/redact.rs:164`
   _Remove immediately and rotate the token. Use environment variables._
5. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `app/src-tauri/src/cdp/session.rs:90`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_

See all 72 findings, with severity filters and AI fix prompts: **https://repobility.com/scan/fc621168-a7ef-4013-b97a-0b4d573d408e/**

---

**What is this?** [Repobility](https://repobility.com) is a research project that scans public repositories with a multi-layer static analyzer (rule-based, no AI hallucinations) and learns code-quality patterns across a broad cross-repo corpus. This is **not a sales pitch** — there's no paywall, no signup required to view the report, and no payment ask. If the findings aren't useful, please close this issue and we won't post again.

**To re-run after fixes land:** paste your repo URL at [repobility.com](https://repobility.com) — fresh scan, free.

_Issue filed via the public Repobility report at https://repobility.com/scan/fc621168-a7ef-4013-b97a-0b4d573d408e/._