agentforce314/clawcodex

https://github.com/agentforce314/clawcodex · lang: python · LOC: · source: both

Quality: 75.7 (Grade B+)
Security: 70.0
Findings: 176 (13 critical · 73 high)
Status: completed, May 31, 2026 01:23
Severity breakdown: critical: 13 · high: 73 · medium: 49 · low: 10 · info: 31
Top rules by occurrence

Rule       Severity  Count  Description
---------  --------  -----  ------------------------------------------------------------
MINED106   high         25  Phantom test coverage (assertion-free test)
MINED108   high         25  self.attribute used but never assigned in __init__
MINED111   medium       25  Bare except continues silently
MINED107   critical     13  Missing Python import (NameError at runtime)
AIC003     low           9  Duplicated implementation block across source files
MINED050   info          4  Stub Only Function
MINED062   info          4  Python Dataclass No Fields
SEC136     medium        4  AI-typical over-broad exception handler swallowing all erro…
MINED064   info          4  Python Input Call
MINED001   high          4  Bare Except Pass
First 176 findings (severity-sorted)
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/memdir/memory_scan.py:148 · conf 1.00
[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/permissions/setup.py:154 · conf 1.00
[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/plugins/dependency.py:74 · conf 1.00
[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/services/mcp/doctor.py:122 · conf 1.00
[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/services/session_resume.py:77 · conf 1.00
[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/tool_system/context.py:237 · conf 1.00
[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/tool_system/tools/grep.py:59 · conf 1.00
[MINED107] Missing import: `glob` used but not imported: The file uses `glob.something(...)` but never imports `glob`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
src/tool_system/tools/read.py:327 · conf 1.00
[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/test_abort_controller_once.py:26 · conf 1.00
[MINED107] Missing import: `signal` used but not imported: The file uses `signal.something(...)` but never imports `signal`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/test_abort_controller.py:15 · conf 1.00
[MINED107] Missing import: `signal` used but not imported: The file uses `signal.something(...)` but never imports `signal`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/test_esc_cancel_propagation.py:128 · conf 1.00
[MINED107] Missing import: `signal` used but not imported: The file uses `signal.something(...)` but never imports `signal`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/transports/test_remote_io.py:452 · conf 1.00
[MINED107] Missing import: `io` used but not imported: The file uses `io.something(...)` but never imports `io`. This raises NameError at runtime the first time the line executes.
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
tests/tui/test_a11y.py:199 · conf 1.00
[MINED107] Missing import: `select` used but not imported: The file uses `select.something(...)` but never imports `select`. This raises NameError at runtime the first time the line executes.
high AGT002 LLM memory extraction can be prompt-injected into storing fake facts
src/services/mcp/xaa_idp_login.py:1 · conf 0.82
LLM memory extraction can be prompt-injected into storing fake facts
high COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
eval/pick_batch.py:36 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 40 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
high MINED001 Bare Except Pass CWE-755
src/agent/agent_tool_utils.py:292 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
src/agent/foreground_promotion.py:194 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
src/auth/auth.py:85 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED006 Overcatch Baseexception CWE-705
scripts/diagnose_keys.py:96 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED006 Overcatch Baseexception CWE-705
src/entrypoints/tui.py:149 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED006 Overcatch Baseexception CWE-705
src/tool_system/registry.py:169 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED009 Floats For Money CWE-682
src/services/pricing.py:186 · conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
high MINED014 Disabled Tls Verify CWE-295
src/providers/deepseek_provider.py:56 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
high MINED014 Disabled Tls Verify CWE-295
src/providers/openai_provider.py:43 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
high MINED014 Disabled Tls Verify CWE-295
src/providers/openrouter_provider.py:65 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_api_preconnect.py:142 · conf 1.00
[MINED106] Phantom test coverage: test_preconnect_does_not_raise_on_network_error: Test function `test_preconnect_does_not_raise_on_network_error` runs code but contains no assert / expect / should c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_claude_md.py:278 · conf 1.00
[MINED106] Phantom test coverage: test_cache_clearing: Test function `test_cache_clearing` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_claude_md.py:290 · conf 1.00
[MINED106] Phantom test coverage: test_bare_mode_disables: Test function `test_bare_mode_disables` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_clear_system_prompt_sections.py:57 · conf 1.00
[MINED106] Phantom test coverage: test_clear_is_safe_when_prompt_assembly_unavailable: Test function `test_clear_is_safe_when_prompt_assembly_unavailable` runs code but contains no assert / expect / …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_init.py:139 · conf 1.00
[MINED106] Phantom test coverage: test_pre_action_invokes_init: Test function `test_pre_action_invokes_init` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_integration_permission_system.py:56 · conf 1.00
[MINED106] Phantom test coverage: test_import_modes: Test function `test_import_modes` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_integration_permission_system.py:65 · conf 1.00
[MINED106] Phantom test coverage: test_import_rules: Test function `test_import_rules` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_mcp_phase4_callback_and_provider.py:68 · conf 1.00
[MINED106] Phantom test coverage: test_state_mismatch_raises: Test function `test_state_mismatch_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_mcp_phase4_callback_and_provider.py:86 · conf 1.00
[MINED106] Phantom test coverage: test_error_param_raises_with_description: Test function `test_error_param_raises_with_description` runs code but contains no assert / expect / should call — it passe…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_mcp_phase4_callback_and_provider.py:107 · conf 1.00
[MINED106] Phantom test coverage: test_missing_code_raises: Test function `test_missing_code_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_mcp_phase4_callback_and_provider.py:125 · conf 1.00
[MINED106] Phantom test coverage: test_timeout_raises: Test function `test_timeout_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_memdir_write_carve_out.py:90 · conf 1.00
[MINED106] Phantom test coverage: test_check_permissions_passes_through_for_memory_md: Test function `test_check_permissions_passes_through_for_memory_md` runs code but contains no assert / expect / …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_memdir_write_carve_out.py:97 · conf 1.00
[MINED106] Phantom test coverage: test_check_permissions_unchanged_for_outside_path: Test function `test_check_permissions_unchanged_for_outside_path` runs code but contains no assert / expect / shou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_plugin_loader.py:66 · conf 1.00
[MINED106] Phantom test coverage: test_missing_manifest: Test function `test_missing_manifest` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_plugin_loader.py:72 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_json: Test function `test_invalid_json` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_plugin_loader.py:79 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_manifest: Test function `test_invalid_manifest` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_prefetch.py:125 · conf 1.00
[MINED106] Phantom test coverage: test_cli_module_import_populates_prefetch_handles: Test function `test_cli_module_import_populates_prefetch_handles` runs code but contains no assert / expect / shou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_provider_abort_signal.py:105 · conf 1.00
[MINED106] Phantom test coverage: test_pre_aborted_signal_short_circuits_before_request: Test function `test_pre_aborted_signal_short_circuits_before_request` runs code but contains no assert / expec…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_repl.py:131 · conf 1.00
[MINED106] Phantom test coverage: test_handle_command_clear: Test function `test_handle_command_clear` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_repl.py:324 · conf 1.00
[MINED106] Phantom test coverage: test_chat_uses_query_engine_for_code_task: Test function `test_chat_uses_query_engine_for_code_task` runs code but contains no assert / expect / should call — it pas…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_repl.py:351 · conf 1.00
[MINED106] Phantom test coverage: test_chat_uses_query_engine_on_stream_init_failure: Test function `test_chat_uses_query_engine_on_stream_init_failure` runs code but contains no assert / expect / sh…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_repl.py:463 · conf 1.00
[MINED106] Phantom test coverage: test_save_session: Test function `test_save_session` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_settings.py:160 · conf 1.00
[MINED106] Phantom test coverage: test_returns_none_when_no_managed_file: Test function `test_returns_none_when_no_managed_file` runs code but contains no assert / expect / should call — it passes re…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_stream_watchdog.py:101 · conf 1.00
[MINED106] Phantom test coverage: test_disarm_after_fire_is_safe: Test function `test_disarm_after_fire_is_safe` runs code but contains no assert / expect / should call — it passes regardless of beha…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/test_tasks_core.py:157 · conf 1.00
[MINED106] Phantom test coverage: test_task_state_base_is_kw_only: Test function `test_task_state_base_is_kw_only` runs code but contains no assert / expect / should call — it passes regardless of be…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:188 · conf 1.00
[MINED108] `self.load_global` used but never assigned in __init__: Method `get_merged` of class `ConfigManager` reads `self.load_global`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:189 · conf 1.00
[MINED108] `self.load_project` used but never assigned in __init__: Method `get_merged` of class `ConfigManager` reads `self.load_project`, but no assignment to it exists in __init__ (and no class-le…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:190 · conf 1.00
[MINED108] `self.load_local` used but never assigned in __init__: Method `get_merged` of class `ConfigManager` reads `self.load_local`, but no assignment to it exists in __init__ (and no class-level …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:216 · conf 1.00
[MINED108] `self.get_merged` used but never assigned in __init__: Method `get` of class `ConfigManager` reads `self.get_merged`, but no assignment to it exists in __init__ (and no class-level fallbac…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:219 · conf 1.00
[MINED108] `self.load_global` used but never assigned in __init__: Method `set_global` of class `ConfigManager` reads `self.load_global`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:221 · conf 1.00
[MINED108] `self.save_global` used but never assigned in __init__: Method `set_global` of class `ConfigManager` reads `self.save_global`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:224 · conf 1.00
[MINED108] `self.load_project` used but never assigned in __init__: Method `set_project` of class `ConfigManager` reads `self.load_project`, but no assignment to it exists in __init__ (and no class-l…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/config.py:226 · conf 1.00
[MINED108] `self.save_project` used but never assigned in __init__: Method `set_project` of class `ConfigManager` reads `self.save_project`, but no assignment to it exists in __init__ (and no class-l…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
src/task_registry.py:114 · conf 1.00
[MINED108] `self.all` used but never assigned in __init__: Method `__iter__` of class `RuntimeTaskRegistry` reads `self.all`, but no assignment to it exists in __init__ (and no class-level fallback).…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:53 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_png` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exists in __init…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:59 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_jpeg` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exists in __ini…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:65 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_gif` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exists in __init…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:71 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_webp` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exists in __ini…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:77 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_real_pillow_png` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exis…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:83 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_detects_real_pillow_jpeg` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exi…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:90 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_unknown_falls_back_to_png` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it ex…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:94 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_handles_truncated_buffer` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exi…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:95 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_handles_truncated_buffer` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exi…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:96 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_handles_truncated_buffer` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment to it exi…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:100 · conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_base64_variant_decodes_and_sniffs` of class `TestMagicByteFormatDetection` reads `self.assertEqual`, but no assignment …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:107 · conf 1.00
[MINED108] `self.tmp` used but never assigned in __init__: Method `setUp` of class `TestReadFileBytes` reads `self.tmp`, but no assignment to it exists in __init__ (and no class-level fallback). This…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:108 · conf 1.00
[MINED108] `self.root` used but never assigned in __init__: Method `setUp` of class `TestReadFileBytes` reads `self.root`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:108 · conf 1.00
[MINED108] `self.tmp` used but never assigned in __init__: Method `setUp` of class `TestReadFileBytes` reads `self.tmp`, but no assignment to it exists in __init__ (and no class-level fallback). This…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:111 · conf 1.00
[MINED108] `self.tmp` used but never assigned in __init__: Method `tearDown` of class `TestReadFileBytes` reads `self.tmp`, but no assignment to it exists in __init__ (and no class-level fallback). T…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tests/test_image_processor.py:115 · conf 1.00
[MINED108] `self.root` used but never assigned in __init__: Method `test_unbounded_returns_full_file` of class `TestReadFileBytes` reads `self.root`, but no assignment to it exists in __init__ (and n…
high MINED110 Blocking call inside async function CWE-833
tests/bridge/test_session_runner.py:535 · conf 1.00
[MINED110] Blocking call `requests.append` inside async function `test_permission_request_fires_callback`: `requests.append` is a synchronous (blocking) call. When invoked inside an `async def` it st…
high MINED110 Blocking call inside async function CWE-833
tests/test_hook_config.py:242 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `test_reload_if_changed`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preve…
high SEC004 SQL Injection Risk
src/tool_system/tools/notebook_edit.py:99 · conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/auth/oauth.py:134 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/bridge/work_secret.py:95 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/hooks/exec_http_hook.py:26 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC103 LDAP injection — non-constant search filter
src/services/api/errors.py:97 · conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
high SEC103 LDAP injection — non-constant search filter
src/utils/git.py:200 · conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
demos/linkedin-app/src/context/LinkedInContext.jsx:136 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/agent/foreground_promotion.py:75 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/agent/resume_agent.py:124 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
src/entrypoints/headless.py:18 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
src/entrypoints/tui.py:38 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
src/permissions/modes.py:93 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium AGT015 Remote install command pipes network code directly to a shell
claude-code-wiki/raw/claude-code-sourcemap-learning-notebook/en/03_permission_security.md:21 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT016 Codex session log reader may expose prompts or tool-call content
src/services/session_storage.py:1 · conf 0.73
Codex session log reader may expose prompts or tool-call content
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
eval/_clear_infra_errors.py:38 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
medium CORE_NO_CI No CI/CD configuration found
No CI/CD configuration found
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
src/auth/auth.py:85 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
src/auth/aws.py:55 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
src/auth/gemini.py:28 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium MINED111 Bare except continues silently
eval/run_compare.py:254 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
eval/run_compare.py:324 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/bridge/debug_utils.py:109 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/bridge/session_runner.py:739 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/bridge/session_runner.py:795 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/bridge/session_runner.py:810 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/cli.py:537 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/config.py:137 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/config.py:255 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/__init__.py:10 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/plugins/loader.py:46 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/argument_substitution.py:13 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/loader.py:168 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/loader.py:273 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/loader.py:563 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/loader.py:1168 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/skills/loader.py:1174 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/token_estimation.py:36 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/token_estimation.py:252 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/token_estimation.py:394 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/tool_system/registry.py:169 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/tool_system/renderers.py:71 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
src/tool_system/renderers.py:95 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
tests/test_headless_sigint.py:409 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
tests/test_startup_profiler.py:178 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC014 SSL Verification Disabled
src/providers/deepseek_provider.py:56 · conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC014 SSL Verification Disabled
src/providers/openai_provider.py:43 · conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC014 SSL Verification Disabled
src/providers/openrouter_provider.py:65 · conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC015 Insecure Randomness for Security
src/bridge/code_session_api.py:68 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC015 Insecure Randomness for Security
src/server/direct_connect_session.py:40 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC015 Insecure Randomness for Security
src/server/session_manager.py:58 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC031 Catastrophic Backtracking Regex (ReDoS)
src/tool_system/tools/worktree.py:12 · conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…
medium SEC087 JS: weak Math.random for crypto
demos/adopt-me-app/src/pages/Trade.jsx:31 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC087 JS: weak Math.random for crypto
demos/minecraft-app/src/utils/terrain.js:86 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
demos/crm-app/src/context/CRMContext.jsx:7 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
src/config.py:246 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
src/services/compact/post_compact_attachments.py:252 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
src/services/mcp/xaa_idp_login.py:142 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
low AIC003 Duplicated implementation block across source files
src/entrypoints/tui.py:49 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/registry.py:125 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/memdir/team_mem_prompts.py:109 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/anthropic_provider.py:305 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/base.py:43 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/minimax_provider.py:46 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/openai_provider.py:41 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/openrouter_provider.py:60 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/tool_system/tools/grep.py:11 · conf 0.86
Duplicated implementation block across source files
low COMP001 High cognitive complexity
eval/repair_preds.py:25 · conf 0.95
[COMP001] High cognitive complexity: Function `repair` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branc…
info COMP001 High cognitive complexity
· conf 0.20
[COMP001] High cognitive complexity (and 261 more): Same pattern found in 261 additional files. Review if needed.
info ERR001 Silent Exception Swallowing
· conf 0.20
[ERR001] Silent Exception Swallowing (and 32 more): Same pattern found in 32 additional files. Review if needed.
info MINED001 Bare Except Pass CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 59 more): Same pattern found in 59 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
src/bridge/work_secret.py:109 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src/services/mcp/doctor.py:148 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src/services/mcp/oauth_callback_server.py:73 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED050 Stub Only Function CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 86 more): Same pattern found in 86 additional files. Review if needed.
info MINED050 Stub Only Function CWE-1188
src/agent/foreground_promotion.py:176 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
src/auth/auth.py:86 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
src/auth/aws.py:56 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED056 React Key As Index CWE-682
demos/linkedin-app/src/pages/Profile.jsx:33 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED062 Python Dataclass No Fields
· conf 0.20
[MINED062] Python Dataclass No Fields (and 111 more): Same pattern found in 111 additional files. Review if needed.
info MINED062 Python Dataclass No Fields
eval/compare_results.py:29 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED062 Python Dataclass No Fields
scripts/audit/architecture_stats.py:56 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED062 Python Dataclass No Fields
src/agent/agent_definitions.py:16 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED064 Python Input Call
· conf 0.20
[MINED064] Python Input Call (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED064 Python Input Call
scripts/audit/legacy_cli_repl.py:246 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED064 Python Input Call
src/command_system/engine.py:109 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED064 Python Input Call
src/tool_system/tools/mcp.py:48 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED072 Python Pass Only Class CWE-1188
src/tool_system/errors.py:4 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
info MINED072 Python Pass Only Class CWE-1188
src/tool_system/utils/ripgrep.py:49 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
info MINED072 Python Pass Only Class CWE-1188
src/tui/widgets/select_list.py:98 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
info MINED077 Python Open No Context CWE-772
src/services/swarm/mailbox.py:219 · conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
info MINED077 Python Open No Context CWE-772
src/tool_system/tools/bash/background.py:63 · conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
info SEC016 LLM Prompt Injection — User Input in AI Prompt
src/hooks/exec_agent_hook.py:50 · conf 0.10
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…
info SEC020 Secret Printed to Logs
src/auth/oauth.py:146 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
src/upstreamproxy/upstream_proxy.py:137 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed.
info SEC136 AI-typical over-broad exception handler swallowing all errors
· conf 0.20
[SEC136] AI-typical over-broad exception handler swallowing all errors (and 8 more): Same pattern found in 8 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/a323da9b-bb32-4324-b9e5-662ea243eca9/.