File as GitHub Issue repo: yt-dlp/yt-dlp

Push this scan report to yt-dlp/yt-dlp

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Detected a Generic API Key, potentially exposing access to various services and sensitive

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/vimeo.py:79
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/vimeo.py:64
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/weverse.py:70
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/vrt.py:52
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/vrt.py:51
CRIT gcp-api-key Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services… yt_dlp/extractor/wrestleuniverse.py:31
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/zingmp3.py:65
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/wykop.py:25
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/stacommu.py:156
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/stacommu.py:125
CRIT gcp-api-key Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services… yt_dlp/extractor/stacommu.py:177
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/videocampus_sachsen.py:146
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/yle_areena.py:108
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/xiaohongshu.py:30
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/videa.py:98
CRIT jwt Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and… yt_dlp/extractor/vice.py:103
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/viddler.py:92
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/tvw.py:108
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/tver.py:312
CRIT jwt Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and… yt_dlp/extractor/tbs.py:16
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/toutv.py:46
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/toutv.py:38
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/trunews.py:27
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/trunews.py:20
CRIT aws-access-token Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resour… yt_dlp/extractor/shahid.py:39
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/shahid.py:40
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/shahid.py:20
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/rtp.py:149
CRIT jwt Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and… yt_dlp/extractor/nbc.py:233
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/skynewsau.py:28
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/scrippsnetworks.py:49
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/nytimes.py:26
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/pornhub.py:262
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/pornhub.py:255
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/pornhub.py:235
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/pornhub.py:223
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/pornhub.py:209
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/redbulltv.py:130
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/redbee.py:227
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/prosiebensat1.py:382
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/radiocanada.py:63
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/polskieradio.py:261
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/nfl.py:84
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/nfl.py:72
CRIT generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive… yt_dlp/extractor/nfl.py:71
HIGH MINED099 [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI k… yt_dlp/extractor/shahid.py:39
HIGH SEC043 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_paramete… yt_dlp/extractor/gofile.py:65
HIGH SEC043 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_paramete… yt_dlp/extractor/dropbox.py:62
HIGH SEC043 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_paramete… yt_dlp/extractor/ciscowebex.py:42
HIGH SEC061 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak s… yt_dlp/extractor/cloudflarestream.py:46
HIGH SEC061 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak s… yt_dlp/extractor/blackboardcollaborate.…:159
HIGH SEC061 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak s… yt_dlp/extractor/adultswim.py:87
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… yt_dlp/extractor/appletrailers.py:166
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… yt_dlp/extractor/aol.py:110
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… yt_dlp/downloader/rtmp.py:44
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). yt_dlp/extractor/abcotvs.py:21
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). yt_dlp/downloader/bunnycdn.py:44
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). yt_dlp/dependencies/Cryptodome.py:15
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… devscripts/utils.py:30
HIGH MINED006 [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… yt_dlp/downloader/rtmp.py:92
HIGH MINED006 [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… yt_dlp/downloader/niconico.py:79
HIGH MINED006 [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and Syste… devscripts/run_tests.py:96
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… yt_dlp/__pyinstaller/hook-yt_dlp.py:15
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… devscripts/tomlparse.py:129
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… devscripts/run_tests.py:66
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … yt_dlp/downloader/fc2.py:38
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … yt_dlp/downloader/__init__.py:74
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … devscripts/cli_to_api.py:17
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… yt_dlp/extractor/abcnews.py:57
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… yt_dlp/downloader/soop.py:41
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… devscripts/utils.py:80
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:355
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:353
HIGH MINED108 `self._start` used but never assigned in __init__ devscripts/make_changelog.py:342
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:371
HIGH MINED108 `self._start` used but never assigned in __init__ devscripts/make_changelog.py:306
HIGH MINED108 `self._end` used but never assigned in __init__ devscripts/make_changelog.py:285
HIGH MINED108 `self._start` used but never assigned in __init__ devscripts/make_changelog.py:285
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:280
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:272
HIGH MINED108 `self._commits` used but never assigned in __init__ devscripts/make_changelog.py:269
HIGH MINED108 `self.repo_url` used but never assigned in __init__ devscripts/make_changelog.py:230
HIGH MINED108 `self.repo_url` used but never assigned in __init__ devscripts/make_changelog.py:227
HIGH MINED108 `self._format_message_link` used but never assigned in __init__ devscripts/make_changelog.py:214
HIGH MINED108 `self._format_authors` used but never assigned in __init__ devscripts/make_changelog.py:218
HIGH MINED108 `self._format_authors` used but never assigned in __init__ devscripts/make_changelog.py:211
HIGH MINED108 `self._format_issues` used but never assigned in __init__ devscripts/make_changelog.py:208
HIGH MINED108 `self._format_message_link` used but never assigned in __init__ devscripts/make_changelog.py:205
HIGH MINED108 `self._format_message_link` used but never assigned in __init__ devscripts/make_changelog.py:195
HIGH MINED108 `self.format_single_change` used but never assigned in __init__ devscripts/make_changelog.py:170
HIGH MINED108 `self.format_single_change` used but never assigned in __init__ devscripts/make_changelog.py:181
HIGH MINED108 `self.format_single_change` used but never assigned in __init__ devscripts/make_changelog.py:176
HIGH MINED108 `self._prepare_cleanup_misc_items` used but never assigned in __init__ devscripts/make_changelog.py:156
HIGH MINED108 `self._format_group` used but never assigned in __init__ devscripts/make_changelog.py:146
HIGH MINED108 `self.format_module` used but never assigned in __init__ devscripts/make_changelog.py:139
HIGH MINED108 `self._format_groups` used but never assigned in __init__ devscripts/make_changelog.py:129
HIGH MINED106 Phantom test coverage: test_setup_variables devscripts/setup_variables_tests.py:62
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… yt_dlp/downloader/soop.py:57
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… yt_dlp/downloader/niconico.py:28
HIGH SEC013 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… yt_dlp/downloader/bunnycdn.py:48
MED SEC014 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing ma… yt_dlp/networking/_helper.py:110
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… yt_dlp/networking/websocket.py:18
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… yt_dlp/networking/_helper.py:163
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… yt_dlp/extractor/motherless.py:169
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … yt_dlp/extractor/eighttracks.py:108
MED SEC041 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… yt_dlp/extractor/academicearth.py:29
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … devscripts/utils.py:30
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… devscripts/tomlparse.py:129
MED MINED111 Bare except continues silently yt_dlp/networking/__init__.py:37
MED MINED111 Bare except continues silently yt_dlp/networking/__init__.py:30
MED MINED111 Bare except continues silently yt_dlp/networking/__init__.py:23
MED MINED111 Bare except continues silently yt_dlp/networking/_requests.py:244
MED MINED111 Bare except continues silently yt_dlp/downloader/fc2.py:27
MED MINED111 Bare except continues silently yt_dlp/downloader/niconico.py:79
MED MINED111 Bare except continues silently yt_dlp/downloader/fragment.py:90
MED MINED111 Bare except continues silently yt_dlp/postprocessor/common.py:155
MED MINED111 Bare except continues silently yt_dlp/postprocessor/embedthumbnail.py:139
MED MINED111 Bare except continues silently yt_dlp/utils/_utils.py:4802
MED MINED111 Bare except continues silently yt_dlp/utils/_utils.py:185
MED MINED111 Bare except continues silently yt_dlp/dependencies/__init__.py:40
MED MINED111 Bare except continues silently yt_dlp/extractor/common.py:3912
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/kick.py:26
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/pr0gramm.py:123
MED MINED109 Mutable default argument in `_call_bamgrid_api` (dict) yt_dlp/extractor/espn.py:334
MED MINED109 Mutable default argument in `_entries` (list) yt_dlp/extractor/gamejolt.py:301
MED MINED109 Mutable default argument in `_series_entries` (dict) yt_dlp/extractor/rcti.py:294
MED MINED109 Mutable default argument in `_entries` (dict) yt_dlp/extractor/rcti.py:260
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/nexx.py:147
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/netverse.py:16
MED MINED111 Bare except continues silently yt_dlp/extractor/wwe.py:132
MED MINED109 Mutable default argument in `_extract_embeds` (dict) yt_dlp/extractor/generic.py:986
MED MINED109 Mutable default argument in `_extract_cvp_info` (dict) yt_dlp/extractor/turner.py:50
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/radiokapital.py:9
MED MINED109 Mutable default argument in `_extract_adaptive_formats` (dict) yt_dlp/extractor/brainpop.py:49
MED MINED109 Mutable default argument in `_assemble_formats` (dict) yt_dlp/extractor/brainpop.py:36
MED MINED109 Mutable default argument in `_call_api` (dict) yt_dlp/extractor/dangalplay.py:60
MED MINED109 Mutable default argument in `_set_from_options_callback` (dict) yt_dlp/options.py:256
MED MINED111 Bare except continues silently yt_dlp/YoutubeDL.py:3629
MED MINED111 Bare except continues silently yt_dlp/YoutubeDL.py:1717
MED MINED111 Bare except continues silently yt_dlp/YoutubeDL.py:667
MED MINED109 Mutable default argument in `_delete_downloaded_files` (dict) yt_dlp/YoutubeDL.py:3739
MED MINED109 Mutable default argument in `_wait_for_video` (dict) yt_dlp/YoutubeDL.py:1725
MED MINED111 Bare except continues silently yt_dlp/cache.py:44
MED MINED111 Bare except continues silently yt_dlp/cookies.py:74
MED MINED111 Bare except continues silently yt_dlp/jsinterp.py:521
MED MINED109 Mutable default argument in `resf` (dict) yt_dlp/jsinterp.py:964
MED MINED111 Bare except continues silently yt_dlp/__init__.py:992
MED MINED111 Bare except continues silently yt_dlp/plugins.py:208
MED MINED111 Bare except continues silently yt_dlp/plugins.py:76
MED MINED111 Bare except continues silently devscripts/check-porn.py:32
MED COMP001 [COMP001] High cognitive complexity: Function `sort_ies` has cognitive complexity 18 (Son… devscripts/make_lazy_extractors.py:81
MED DKR007 Docker build context has no .dockerignore .dockerignore
MED GHSA-4gg8-gxpx-9rph uv: GHSA-4gg8-gxpx-9rph uv.lock
MED DKR001 Docker final stage has no non-root USER bundle/docker/linux/Dockerfile:12
MED WEB003 Public web service has no security.txt .well-known/security.txt
LOW SEC118 [SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC a… yt_dlp/extractor/plutotv.py:31
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… yt_dlp/extractor/stanfordoc.py:37
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… yt_dlp/extractor/lecturio.py:103
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… yt_dlp/extractor/gdcvault.py:125
LOW COMP001 [COMP001] High cognitive complexity: Function `_convert_code_blocks` has cognitive comple… devscripts/prepare_manpage.py:46
LOW COMP001 [COMP001] High cognitive complexity: Function `build_completion` has cognitive complexity… devscripts/fish-completion.py:30
LOW WEB005 robots.txt does not advertise a sitemap README.md
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:166
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:146
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:130
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:110
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:94
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:74
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:58
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:38
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:22
LOW DKC010 Compose service lacks no-new-privileges hardening bundle/docker/compose.yml:2
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:166
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:146
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:130
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:110
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:94
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:74
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:58
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:38
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:22
LOW DKC006 Compose service does not declare a runtime user bundle/docker/compose.yml:2
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. yt_dlp/networking/impersonate.py:15
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… yt_dlp/extractor/lecture2go.py:47
INFO MINED053 [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… yt_dlp/extractor/thisoldhouse.py:84
INFO MINED053 [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… yt_dlp/extractor/freetv.py:11
INFO MINED047 [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explic… yt_dlp/extractor/francaisfacile.py:18
INFO MINED047 [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explic… yt_dlp/extractor/fptplay.py:24
INFO MINED047 [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explic… yt_dlp/extractor/canalalpha.py:30
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. yt_dlp/networking/exceptions.py:90
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. yt_dlp/minicurses.py:105
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. yt_dlp/compat/__init__.py:14
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… yt_dlp/extractor/abcnews.py:26
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… yt_dlp/downloader/ism.py:175
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… devscripts/utils.py:85
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. devscripts/setup_variables.py:135
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… yt_dlp/__pyinstaller/hook-yt_dlp.py:16
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… devscripts/tomlparse.py:130
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… devscripts/run_tests.py:67
INFO MINED077 [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. devscripts/check-porn.py:24
200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `yt-dlp/yt-dlp`

**Score: 58/100 (D+)**  ·  295 findings  ·  scanned 2026-06-04 22:00 UTC  ·  256,398 LOC

| Severity | Count |
|---|---|
| CRITICAL | 103 |
| HIGH | 55 |
| MEDIUM | 55 |
| LOW | 27 |

📊 [Full filterable report](https://repobility.com/scan/fe8748da-1f2f-4f59-9f1b-dbc2d86d5b99/)  ·  ![scorecard](https://repobility.com/scan/fe8748da-1f2f-4f59-9f1b-dbc2d86d5b99/report.png?v=1780610456-s2)

### Top findings

1. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `yt_dlp/extractor/vimeo.py:79`
2. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `yt_dlp/extractor/vimeo.py:64`
3. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `yt_dlp/extractor/weverse.py:70`
4. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `yt_dlp/extractor/vrt.py:52`
5. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `yt_dlp/extractor/vrt.py:51`

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/fe8748da-1f2f-4f59-9f1b-dbc2d86d5b99/_
Megaproject — high spam risk
Could not determine 'yt-dlp/yt-dlp' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub’s new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub’s "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.