← Legacy view v2 (rp.*)

hkuds/vibe-trading

https://github.com/HKUDS/Vibe-Trading · lang: python · LOC: · source: user_submitted

Quality
73.1
Grade B
Security
58.3
Findings
10
0 critical · 4 high
Status
completed
May 15, 2026 05:01
high: 4 medium: 4 info: 1 low: 1
Top rules by occurrence
RuleSeverityCount
SEC020 Secret Printed to Logs high 3
SEC005 Command Injection Risk high 2
SEC006 XSS Risk high 2
SEC016 LLM Prompt Injection — User Input in AI Prompt high 2
SEC017 Unbounded Input to LLM/External API medium 1
First 10 findings (severity-sorted)
high SEC006 XSS Risk
wiki/docs/main.js:114 · conf 1.00 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
high SEC016 LLM Prompt Injection — User Input in AI Prompt
agent/src/session/service.py:151 · conf 0.90 
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…
high SEC020 Secret Printed to Logs
agent/cli.py:690 · conf 0.85 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
high SEC020 Secret Printed to Logs
agent/src/agent/loop.py:377 · conf 0.85 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
medium SEC005 Command Injection Risk
agent/src/tools/background_tools.py:41 · conf 0.50 
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
medium SEC005 Command Injection Risk
agent/src/tools/bash_tool.py:43 · conf 0.50 
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
medium SEC016 LLM Prompt Injection — User Input in AI Prompt
agent/src/agent/loop.py:752 · conf 0.40 
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…
medium SEC017 Unbounded Input to LLM/External API
agent/src/session/service.py:151 · conf 0.80 
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
low SEC006 XSS Risk
wiki/main.js:100 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info SEC020 Secret Printed to Logs
agent/backtest/runner.py:400 · conf 0.10 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/24442ceb-919f-4593-9d71-d90f26482ad7/.