https://github.com/Gitlawb/openclaude ·
lang: typescript ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. |
medium | 3 |
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… |
high | 3 |
SEC018 AI-Agent Secret Retrieval Command |
high | 2 |
AGT006 React interval is created without an explicit cleanup |
medium | 2 |
SEC031 Catastrophic Backtracking Regex (ReDoS) |
medium | 2 |
SEC016 LLM Prompt Injection — User Input in AI Prompt |
high | 1 |
WEB015 Public web app has no Content Security Policy |
medium | 1 |
WEB011 Public web app has no humans.txt |
low | 1 |
WEB001 Public web app has no robots.txt |
low | 1 |
DKR008 .dockerignore misses sensitive defaults |
low | 1 |
JRN004
Consent is collected in UI without visible backend audit persistence
src/screens/REPL.tsx:3145
· conf 0.78
Consent is collected in UI without visible backend audit persistenceSEC016
LLM Prompt Injection — User Input in AI Prompt
src/commands/thinkback/thinkback.tsx:385
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC018
AI-Agent Secret Retrieval Command
src/utils/auth.ts:1090
· conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but the…SEC018
AI-Agent Secret Retrieval Command
src/utils/secureStorage/macOsKeychainStorage.ts:40
· conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but the…SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
python/atomic_chat_provider.py:26
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scripts/pr-intent-scan.ts:156
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scripts/system-check.ts:122
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…AGT006
React interval is created without an explicit cleanup
src/cli/print.ts:543
· conf 0.78
React interval is created without an explicit cleanupAGT006
React interval is created without an explicit cleanup
src/components/Spinner/useShimmerAnimation.ts:13
· conf 0.78
React interval is created without an explicit cleanupERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/bridge/bridgeMain.ts:2068
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/bridge/initReplBridge.ts:328
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/bridge/replBridge.ts:479
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.SEC017
Unbounded Input to LLM/External API
src/commands/thinkback/thinkback.tsx:385
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC031
Catastrophic Backtracking Regex (ReDoS)
src/tools/BashTool/readOnlyValidation.ts:1358
· conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…SEC031
Catastrophic Backtracking Regex (ReDoS)
src/tools/shared/gitOperationTracking.ts:23
· conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txtWEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security PolicyDKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaultsWEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txtWEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemapWEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txtWEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txtReading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/9538c3bf-0f97-41c1-9ac9-c862f7f43a34/.