cloakhq/cloakbrowser

https://github.com/CloakHQ/CloakBrowser · lang: python · LOC: · source: user_submitted

Quality: 85.2 (Grade A-)
Security: 90.4
Findings: 123 (1 critical · 61 high)
Status: completed · May 20, 2026 05:09
Severity breakdown: critical: 1 · high: 61 · medium: 35 · low: 10 · info: 16
Top rules by occurrence
Rule · Severity · Count
MINED106 Phantom test coverage (assertion-free test) · high · 25
MINED111 Bare except continues silently · medium · 25
MINED108 self.attribute used but never assigned in __init__ · high · 25
AIC003 Duplicated implementation block across source files · low · 7
MINED045 Ts Non Null Assertion · info · 3
COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… · low · 3
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 3
MINED044 Js Console Log Prod · info · 3
SEC087 JS: weak Math.random for crypto · medium · 3
DKR001 Docker final stage has no non-root USER · medium · 2
First 123 findings (severity-sorted)
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/test_geoip.py:62 · conf 1.00
Missing import: `locale` used but not imported
high DKR006 Dockerfile pipes a remote script into a shell
Dockerfile:4 · conf 0.92
Dockerfile pipes a remote script into a shell
high MINED001 Bare Except Pass CWE-755
cloakbrowser/config.py:177 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
cloakbrowser/geoip.py:128 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED006 Overcatch Baseexception CWE-705
cloakbrowser/__main__.py:103 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/fingerprint_scan_test.py:27 · conf 1.00
Phantom test coverage: test_fingerprint_scan
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/fingerprint_scan_test.py:89 · conf 1.00
Phantom test coverage: test_creepjs
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:27 · conf 1.00
Phantom test coverage: test_bot_sannysoft
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:53 · conf 1.00
Phantom test coverage: test_bot_incolumitas
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:80 · conf 1.00
Phantom test coverage: test_browserscan
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:101 · conf 1.00
Phantom test coverage: test_deviceandbrowserinfo
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:126 · conf 1.00
Phantom test coverage: test_fingerprintjs
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
examples/stealth_test.py:148 · conf 1.00
Phantom test coverage: test_recaptcha
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_backend.py:37 · conf 1.00
Phantom test coverage: test_resolve_backend_invalid_raises
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_backend.py:42 · conf 1.00
Phantom test coverage: test_resolve_backend_invalid_env_raises
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_config.py:110 · conf 1.00
Phantom test coverage: test_unsupported_raises
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_extract.py:46 · conf 1.00
Phantom test coverage: test_path_traversal_blocked
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_extract.py:104 · conf 1.00
Phantom test coverage: test_path_traversal_blocked
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_geoip.py:73 · conf 1.00
Phantom test coverage: test_resolve_geo_raises_when_geoip2_missing
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:94 · conf 1.00
Phantom test coverage: test_invalid_preset_raises
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:274 · conf 1.00
Phantom test coverage: test_press_skips_click_when_focused
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:292 · conf 1.00
Phantom test coverage: test_press_clicks_when_not_focused
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:565 · conf 1.00
Phantom test coverage: test_no_error_on_cyrillic
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:1382 · conf 1.00
Phantom test coverage: test_get_element_box_default_timeout
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:1395 · conf 1.00
Phantom test coverage: test_get_element_box_custom_timeout
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_humanize_unit.py:1408 · conf 1.00
Phantom test coverage: test_scroll_to_element_forwards_timeout
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_lambda_security.py:31 · conf 1.00
Phantom test coverage: test_rejects_non_http_schemes
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_lambda_security.py:41 · conf 1.00
Phantom test coverage: test_accepts_http_and_https
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_proxy.py:142 · conf 1.00
Phantom test coverage: test_geoip_socks5_dict_no_auth_uses_server
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_proxy.py:148 · conf 1.00
Phantom test coverage: test_geoip_http_dict_does_not_inline_creds
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:254 · conf 1.00
`self._rewrite_version` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:259 · conf 1.00
`self._rewrite_version` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:264 · conf 1.00
`self._rewrite_list_entry` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:269 · conf 1.00
`self._rewrite_list_entry` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:274 · conf 1.00
`self._rewrite_list_entry` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:279 · conf 1.00
`self._rewrite_version` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:284 · conf 1.00
`self._rewrite_list_entry` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:305 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:312 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:319 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:325 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:330 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:391 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:401 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:413 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_cloakserve.py:425 · conf 1.00
`self._make_pool` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_stealth_unit.py:78 · conf 1.00
`self._make_world` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_stealth_unit.py:99 · conf 1.00
`self._make_world` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:175 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:191 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:196 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:213 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:214 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:226 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_update.py:227 · conf 1.00
`self._make_assets` used but never assigned in __init__
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:1 · conf 0.90
Dockerfile FROM `python:3.12-slim` not pinned by digest
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
examples/integrations/aws_lambda/Dockerfile:35 · conf 0.90
Dockerfile FROM `cloakhq/cloakbrowser:latest` not pinned by digest
high MINED119 Dockerfile ADD pulls remote URL with no integrity check CWE-829 CWE-494
examples/integrations/aws_lambda/Dockerfile:45 · conf 0.90
Dockerfile `ADD https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie-${TARGETARCH}`
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
cloakbrowser/config.py:218 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
js/src/config.ts:138 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
js/src/proxy.ts:52 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
cloakbrowser/human/config.py:200 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium DKR001 Docker final stage has no non-root USER
Dockerfile:1 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
examples/integrations/aws_lambda/Dockerfile:36 · conf 0.82
Docker final stage has no non-root USER
medium DKR003 Dockerfile base image uses the latest tag
examples/integrations/aws_lambda/Dockerfile:36 · conf 0.94
Dockerfile base image uses the latest tag
medium DKR007 Docker build context has no .dockerignore
.dockerignore · conf 0.90
Docker build context has no .dockerignore
medium DKR013 Dockerfile ADD downloads remote content
examples/integrations/aws_lambda/Dockerfile:45 · conf 0.84
Dockerfile ADD downloads remote content
medium MINED111 Bare except continues silently
cloakbrowser/download.py:208 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/geoip.py:233 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:110 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:115 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:178 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:246 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:280 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:309 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:338 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:444 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:682 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1039 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1056 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1154 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1354 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1587 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1939 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:1956 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:2047 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:2256 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/human/__init__.py:2489 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
cloakbrowser/__main__.py:105 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
examples/stealth_test.py:264 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
examples/stealth_test.py:272 · conf 1.00
Bare except continues silently
medium MINED111 Bare except continues silently
examples/stealth_test.py:298 · conf 1.00
Bare except continues silently
medium SEC087 JS: weak Math.random for crypto
js/src/human/config.ts:233 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC087 JS: weak Math.random for crypto
js/src/human/keyboard.ts:62 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC087 JS: weak Math.random for crypto
js/src/human-puppeteer/keyboard.ts:59 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
cloakbrowser/human/scroll_async.py:24 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
cloakbrowser/human/scroll.py:27 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
low AIC003 Duplicated implementation block across source files
cloakbrowser/human/actionability_async.py:33 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
cloakbrowser/human/mouse_async.py:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
cloakbrowser/human/scroll_async.py:65 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
js/src/human/elementhandle.ts:63 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
js/src/human/index.ts:41 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
js/src/human/keyboard.ts:4 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
js/src/human/scroll.ts:4 · conf 0.86
Duplicated implementation block across source files
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
cloakbrowser/config.py:159 · conf 0.95
[COMP001] High cognitive complexity: Function `get_effective_version` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand…
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
cloakbrowser/geoip.py:64 · conf 0.95
[COMP001] High cognitive complexity: Function `resolve_proxy_geo_with_ip` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to underst…
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
cloakbrowser/geoip.py:209 · conf 0.95
[COMP001] High cognitive complexity: Function `_resolve_exit_ip` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — ne…
info MINED043 Http Not Https CWE-319
js/src/proxy.ts:16 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
js/examples/basic-playwright.ts:14 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
js/examples/basic-puppeteer.ts:14 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
js/examples/persistent-context.ts:13 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
js/examples/stealth-test.ts:52 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
js/src/playwright.ts:60 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
js/src/puppeteer.ts:21 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED050 Stub Only Function CWE-1188
cloakbrowser/config.py:178 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
cloakbrowser/geoip.py:129 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
js/src/human/actionability.ts:231 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
js/src/human/mouse.ts:13 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
js/src/human/actionability.ts:240 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
js/src/playwright.ts:18 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
cloakbrowser/geoip.py:4 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED055 Npm Install No Lockfile CWE-1357
examples/integrations/selenium_example.py:8 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED062 Python Dataclass No Fields
cloakbrowser/human/config.py:71 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.