
trpc-group/trpc-agent-go

https://github.com/trpc-group/trpc-agent-go · lang: go · LOC: · source: user_submitted

Quality: 89.7 (Grade A-)
Security: 100.0
Findings: 210 (2 critical · 84 high · 31 medium · 49 low · 44 info)
Status: completed, May 31, 2026 01:26
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 30
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
MINED128 go.mod replace directive points to local path or unrelated … · high · 25
MINED111 Bare except continues silently · medium · 16
DKC010 Compose service lacks no-new-privileges hardening · low · 6
DKC006 Compose service does not declare a runtime user · low · 6
MINED071 Go Panic Call · info · 4
SEC132 String concat where the language has interpolation (AI styl… · low · 4
SEC093 Go: exec.Command with non-literal · high · 4
MINED049 Print Pii · info · 4
First 200 findings (severity-sorted)
high COMP001 High cognitive complexity
examples/a2aadk/adk/adk_codeexec_server.py:143 · conf 0.95
[COMP001] High cognitive complexity: Function `logging_event_converter` has cognitive complexity 29 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understa…
high MINED004 Weak Crypto CWE-327
examples/tool/codeexec/main.go:372 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED004 Weak Crypto CWE-327
knowledge/source/repo/graph_source.go:15 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED004 Weak Crypto CWE-327
knowledge/source/source.go:91 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED009 Floats For Money CWE-682
openclaw/skills/model-usage/scripts/model_usage.py:104 · conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
high MINED016 Go Error Ignored CWE-754
artifact/cos/client.go:37 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
evaluation/internal/rouge/scorer.go:109 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
evaluation/metric/criterion/json/json.go:124 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED033 Go Recover Without Log CWE-755
agent/extension/extension.go:109 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED033 Go Recover Without Log CWE-755
evaluation/internal/callback/callbacks.go:52 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED033 Go Recover Without Log CWE-755
graph/emitter.go:232 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
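The MINED033 findings above flag a deferred `recover()` that discards the panic. The fix a reviewer would ask for is shown below as an added example in Go (not code from trpc-agent-go or from the scanner): the recovered value and stack are logged, and the panic is converted into a returned error that callers can detect with `errors.Is`. The `Guard` name and the nil-map panic in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
)

// ErrPanic wraps a recovered panic so callers can detect it with errors.Is.
var ErrPanic = errors.New("panic recovered")

// Guard runs fn and converts a panic into a returned error. The panic value
// and stack trace are logged first, so the failure shows up in logs instead
// of being dropped the way a bare `defer func() { recover() }()` drops it.
func Guard(name string, fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("panic in %s: %v\n%s", name, r, debug.Stack())
			err = fmt.Errorf("%w in %s: %v", ErrPanic, name, r)
		}
	}()
	return fn()
}

func main() {
	// Constructed failure: writing to a nil map panics at runtime.
	err := Guard("callback", func() error {
		var m map[string]int
		m["x"] = 1
		return nil
	})
	fmt.Println("guarded call returned:", err)
	fmt.Println("is panic:", errors.Is(err, ErrPanic))
}
```

Because the error is a named return, the deferred function can overwrite it after the panic; a plain `return fn()` without the named result would lose the error.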
high MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth CWE-306 CWE-862
examples/knowledge/reranker/infinity/deploy_infinity.py:68 · conf 0.80
[MINED112] FastAPI POST /rerank has no auth: Handler `rerank` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/cla.yml:21 · conf 0.90
[MINED115] Action `contributor-assistant/github-action` pinned to mutable ref `@v2.6.1`: `uses: contributor-assistant/github-action@v2.6.1` resolves at workflow-run time. Tags and branches can be re-…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy.yml:24 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/deploy.yml:35 · conf 0.90
[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v3`: `uses: peaceiris/actions-gh-pages@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/module-sum-check.yml:11 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/module-sum-check.yml:14 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:63 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:64 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:91 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:103 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:105 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/openclaw-release.yml:117 · conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:18 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:29 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:58 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:59 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:91 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:100 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:101 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:115 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:117 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:136 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:141 · conf 0.90
[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/prc.yml:150 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
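The MINED115 entries above all describe one pattern: a `uses:` ref that is a tag or branch rather than a full commit SHA, which the action owner can move. The check below is an added example in Go, not the scanner's implementation and not code from trpc-agent-go: it walks workflow text and reports every `uses:` step whose ref is not 40 hex characters. The sample workflow is constructed for the example, and the SHA in it is illustrative, not a real commit of actions/setup-go.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesLine matches a step such as `- uses: actions/checkout@v4`, capturing the
// action (owner/repo or owner/repo/path) and the ref after '@'. Local actions
// ("./path") and docker:// references carry no '@' ref and are not matched.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^@\s#"']+)@([^\s#"']+)`)

// fullSHA is the only immutable ref form GitHub resolves: 40 lowercase hex chars.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// MutableRef records one action pinned to a tag or branch instead of a SHA.
type MutableRef struct {
	Line   int
	Action string
	Ref    string
}

// FindMutableRefs returns every `uses:` step in workflow whose ref is not a
// full commit SHA, in file order. Tags (v4, v2.6.1) and branches (main) are
// all mutable: the owner, or whoever compromises the owner, can re-push them.
func FindMutableRefs(workflow string) []MutableRef {
	var out []MutableRef
	for i, raw := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(raw)
		if m == nil {
			continue
		}
		if !fullSHA.MatchString(m[2]) {
			out = append(out, MutableRef{Line: i + 1, Action: m[1], Ref: m[2]})
		}
	}
	return out
}

// sampleWorkflow is a constructed workflow, not one of the project's files.
// The 40-hex ref on the setup-go step is illustrative, not a real commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local
      - uses: contributor-assistant/github-action@main
`

func main() {
	for _, r := range FindMutableRefs(sampleWorkflow) {
		fmt.Printf("line %d: %s pinned to mutable ref %q\n", r.Line, r.Action, r.Ref)
	}
}
```

The trailing `# v5` comment on a SHA-pinned step is the usual convention so that tooling such as Dependabot can still bump the pin; the checker ignores comments when reading the ref.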
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
agent/dify/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
agent/extension/toolpipe/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../../../` overrides the canonical dependency with a different sou…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
agent/n8n/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
agent/weknora/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
codeexecutor/container/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
codeexecutor/jupyter/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
evaluation/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monor…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/a2ui/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mo…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monor…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/graph/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mo…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/knowledge/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mo…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/session/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/skill/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
examples/tailor/go.mod:6 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/mysql/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/mysqlvec/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/pgvector/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/postgres/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../..` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mon…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/redis/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for mo…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/sqlite/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
memory/sqlitevec/go.mod:6 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../..` overrides the canonical dependency with a different source …
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
openclaw/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `(` — points to a LOCAL path: `replace ( => ../` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monor…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
openclaw/go.mod:30 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go/knowledge/vectorstore/elasticsearch` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go/knowledge/vectorstore/elasticsear…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
test/go.mod:47 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go => ../` overrides the canonical dependency with a different source (p…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
test/go.mod:51 · conf 0.90
[MINED128] go.mod replaces `trpc.group/trpc-go/trpc-agent-go/server/agui` — points to a LOCAL path: `replace trpc.group/trpc-go/trpc-agent-go/server/agui => ../server/agui` overrides the canonical de…
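Several MINED128 entries above report the replaced module as `(`, which means the scanner read the first line of a block-form `replace (` directive as a single-line directive. A check that wants to tell the monorepo case (a `../` path inside the repository) from a fork (a different module path) has to parse both forms. The parser below is an added example in Go, not the scanner's code and not part of trpc-agent-go; it is hand-rolled to stay dependency-free, whereas a production tool would use golang.org/x/mod/modfile. The go.mod text it reads is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Replace is one resolved `replace` directive from a go.mod file.
type Replace struct {
	Module string // module path being replaced
	Target string // replacement: a filesystem path or another module path
	Local  bool   // true when Target is a filesystem path
}

// isLocalPath follows go.mod semantics: a replacement is a directory when it
// starts with ./ or ../ or is an absolute path.
func isLocalPath(target string) bool {
	return target == "." || target == ".." || strings.HasPrefix(target, "./") ||
		strings.HasPrefix(target, "../") || strings.HasPrefix(target, "/")
}

// parseReplacePair parses one "old [version] => new [version]" pair.
func parseReplacePair(s string) (Replace, bool) {
	lhs, rhs, ok := strings.Cut(s, "=>")
	if !ok {
		return Replace{}, false
	}
	lf, rf := strings.Fields(lhs), strings.Fields(rhs)
	if len(lf) == 0 || len(rf) == 0 {
		return Replace{}, false
	}
	r := Replace{Module: lf[0], Target: rf[0]}
	r.Local = isLocalPath(r.Target)
	return r, true
}

// ParseReplaces returns every replace directive in gomod, handling both the
// single-line form ("replace a => ../b") and the block form ("replace ( ... )").
func ParseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comment
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseReplacePair(line); ok {
				out = append(out, r)
			}
		case line == "replace (":
			inBlock = true
		case strings.HasPrefix(line, "replace "):
			if r, ok := parseReplacePair(strings.TrimPrefix(line, "replace ")); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

// Classify splits replaces into local-path ones (the monorepo case) and
// forks, where the target is a different module path than the one replaced.
func Classify(rs []Replace) (local, fork []Replace) {
	for _, r := range rs {
		switch {
		case r.Local:
			local = append(local, r)
		case r.Target != r.Module:
			fork = append(fork, r)
		}
	}
	return local, fork
}

// sampleGoMod is constructed for the example; module paths are placeholders.
const sampleGoMod = `module example.com/app

go 1.22

require (
	example.com/lib v0.0.0
	github.com/some/dep v1.2.3
)

replace (
	example.com/lib => ../lib
	github.com/some/dep => github.com/forked/dep v1.2.3-patch // vendored fork
)

replace example.com/other => ./internal/other
`

func main() {
	local, fork := Classify(ParseReplaces(sampleGoMod))
	fmt.Println("local-path replaces:", local)
	fmt.Println("fork replaces:", fork)
}
```

Whether a local-path replace is acceptable depends on the path staying inside the repository; a target that escapes the checkout (or a fork target) is the case that needs review, since `go build` will silently compile whatever is at that location.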
high SEC013 Path Traversal — User Input in File Path
openclaw/skills/model-usage/scripts/model_usage.py:83 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
agent/a2aagent/a2a_agent_option.go:219 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
agent/dify/dify_agent_option.go:26 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
agent/n8n/n8n_agent_option.go:22 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
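The three SEC029 findings above are option setters that accept a base URL for a remote agent. The allowlist validation the rule asks for is shown below as an added example in Go, not code from trpc-agent-go: the scheme must be https, the host must be on an exact-match allowlist, IP literals are refused outright, and a second check is applied to the addresses DNS actually returns, which is what closes the rebinding case where an allowlisted hostname later resolves to 169.254.169.254 or a private range. The allowlist entries and sample URLs are constructed for the example, and `CheckResolved` is meant to be called from a custom `net.Dialer` or resolver hook.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrDisallowedURL is returned for any endpoint that fails policy.
var ErrDisallowedURL = errors.New("url not allowed")

// isInternalIP reports whether ip is loopback, link-local (which includes the
// 169.254.169.254 cloud metadata endpoint), private (RFC 1918 / ULA),
// multicast or unspecified.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateEndpoint checks a user-supplied service URL before any outbound
// request is built from it. hostAllow holds permitted hostnames, lowercase.
func ValidateEndpoint(raw string, hostAllow map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrDisallowedURL, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrDisallowedURL, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials embedded in url", ErrDisallowedURL)
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are stripped
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrDisallowedURL)
	}
	// IP literals bypass hostname allowlisting and are the direct route to
	// metadata services and internal ranges, so they are never accepted.
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%w: %s is an internal address", ErrDisallowedURL, host)
		}
		return nil, fmt.Errorf("%w: ip literals are not allowed", ErrDisallowedURL)
	}
	if !hostAllow[host] {
		return nil, fmt.Errorf("%w: host %q not in allowlist", ErrDisallowedURL, host)
	}
	return u, nil
}

// CheckResolved rejects a resolved address set that contains any internal IP.
// Apply it to the addresses DNS actually returned for the allowlisted host so
// that a rebinding to 169.254.169.254 or 10.0.0.0/8 after ValidateEndpoint
// passed is still refused.
func CheckResolved(ips []net.IP) error {
	if len(ips) == 0 {
		return fmt.Errorf("%w: host resolved to no addresses", ErrDisallowedURL)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%w: resolves to internal address %s", ErrDisallowedURL, ip)
		}
	}
	return nil
}

func main() {
	allow := map[string]bool{"api.example.com": true} // constructed allowlist
	for _, raw := range []string{
		"https://api.example.com/v1/run",
		"http://api.example.com/v1/run",
		"https://169.254.169.254/latest/meta-data/",
		"https://[::1]/",
		"https://internal.example.com/",
	} {
		_, err := ValidateEndpoint(raw, allow)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

Redirects need the same treatment: an allowlisted host can 302 to an internal address, so the HTTP client's `CheckRedirect` should re-run `ValidateEndpoint` on every hop.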
high SEC035 Unbounded Resource Allocation — DoS risk
internal/toolretry/runner.go:156 · conf 1.00
[SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust …
high SEC040 innerHTML XSS — template literal with server-supplied data
openclaw/browser-extension/popup.js:16 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC085 JS: child_process.exec with non-literal
evaluation/evalresult/mysql/mysql.go:114 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
evaluation/internal/mysqldb/schema.go:160 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
evaluation/metric/mysql/mysql.go:145 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
agent/claudecode/command.go:45 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
graph/visualize.go:323 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
openclaw/internal/channel/telegram/audio_input.go:129 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
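The SEC093 findings above are the gosec G204 pattern: the program name or arguments handed to `exec.Command` come from a variable. The hardened form below is an added example in Go, not code from trpc-agent-go: the caller picks a key from a fixed map of absolute paths rather than a program name, arguments are passed as a vector with no shell involved, user-controlled arguments are refused if they could be parsed as options, and the child does not inherit the parent's environment. The tool names, paths and arguments are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrCommandNotAllowed is returned when the tool or an argument fails policy.
var ErrCommandNotAllowed = errors.New("command not allowed")

// allowedBinaries maps a logical tool name to the absolute path that is run.
// The caller never chooses the executable, only a key. Paths are assumptions.
var allowedBinaries = map[string]string{
	"ffmpeg":   "/usr/bin/ffmpeg",
	"graphviz": "/usr/bin/dot",
}

// BuildCommand constructs an *exec.Cmd for an allowlisted tool. fixedArgs are
// program-controlled flags; userArgs are values derived from input. A user
// value starting with '-' is refused so it cannot become an option
// (argument injection), and NUL bytes are refused because they truncate argv.
func BuildCommand(tool string, fixedArgs, userArgs []string) (*exec.Cmd, error) {
	path, ok := allowedBinaries[tool]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrCommandNotAllowed, tool)
	}
	for _, a := range userArgs {
		if a == "" || strings.ContainsRune(a, 0) || strings.HasPrefix(a, "-") {
			return nil, fmt.Errorf("%w: unsafe argument %q", ErrCommandNotAllowed, a)
		}
	}
	args := append(append([]string{}, fixedArgs...), userArgs...)
	cmd := exec.Command(path, args...) // absolute path: no PATH lookup, no shell
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // do not inherit a caller-controlled environment
	return cmd, nil
}

func main() {
	cmd, err := BuildCommand("ffmpeg", []string{"-i"}, []string{"input.ogg", "out.wav"})
	fmt.Println(cmd.Args, err)
	_, err = BuildCommand("ffmpeg", nil, []string{"-version"})
	fmt.Println("option-looking argument:", err)
	_, err = BuildCommand("sh", nil, []string{"-c", "id"})
	fmt.Println("unlisted tool:", err)
}
```

For tools that honour it, placing `--` at the end of fixedArgs is a second line of defence, and a dedicated seccomp or container sandbox is the right place for anything that executes model-chosen commands.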
high SEC100 CORS permissive Access-Control-Allow-Origin: *
examples/openapitool/mockserver/main.go:123 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC100 CORS permissive Access-Control-Allow-Origin: *
server/a2a/agent_card.go:147 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
medium AGT007 localStorage write failures are swallowed silently
examples/agui/client/tdesign-chat/src/App.tsx:149 · conf 0.80
localStorage write failures are swallowed silently
medium COMP001 High cognitive complexity
examples/skill/scripts/download_gaia_2023_level1_validation.py:122 · conf 0.95
[COMP001] High cognitive complexity: Function `_fetch_rows` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested …
medium MINED111 Bare except continues silently
examples/a2aadk/adk/adk_server.py:48 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/a2aadk/adk/adk_server.py:66 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skillrun/skills/python_math/scripts/fib.py:14 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skill/scripts/download_gaia_2023_level1_validation.py:76 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skill/scripts/download_gaia_2023_level1_validation.py:99 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skill/scripts/download_gaia_2023_level1_validation.py:342 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skill/skills/ocr/scripts/ocr.py:89 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/skill/skills/ocr/scripts/ocr_url.py:73 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/model-usage/scripts/model_usage.py:119 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/model-usage/scripts/model_usage.py:287 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/nano-banana-pro/scripts/generate_image.py:106 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/nano-banana-pro/scripts/generate_image.py:179 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/skill-creator/scripts/init_skill.py:280 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/skill-creator/scripts/init_skill.py:292 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/skill-creator/scripts/init_skill.py:300 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openclaw/skills/skill-creator/scripts/package_skill.py:109 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED124 requirements.txt entry has no version pin CWE-1357
examples/a2aadk/adk/requirements.txt:2 · conf 0.90
[MINED124] requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats,…
medium MINED124 requirements.txt entry has no version pin CWE-1357
examples/a2aadk/adk/requirements.txt:3 · conf 0.90
[MINED124] requirements.txt: `litellm` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats,…
medium SEC002 Hardcoded API Key
examples/memory/compare/main.go:40 · conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
medium SEC045 eval()/exec() on stored or user-supplied data
evaluation/evalresult/mysql/mysql.go:114 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
evaluation/internal/mysqldb/schema.go:160 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
evaluation/metric/mysql/mysql.go:145 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC089 Go: bind to all interfaces (0.0.0.0)
examples/mcptool/http_headers/mcpserver/main.go:51 · conf 1.00
[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).
medium SEC089 Go: bind to all interfaces (0.0.0.0)
examples/openapitool/mockserver/main.go:66 · conf 1.00
[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
examples/a2amultipath/server/main.go:114 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
examples/a2ui/server/default/main.go:54 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
examples/a2ui/server/sbti/main.go:68 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC123 Production stack trace / debug output exposed
codeexecutor/e2b/internal/codeinterpreter/client.go:82 · conf 1.00
[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
openclaw/skills/model-usage/scripts/model_usage.py:117 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
low AIC003 Duplicated implementation block across source files
agent/cycleagent/cycle_agent.go:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/cycleagent/structure_export.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/dify/dify_agent.go:242 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/graphagent/graph_agent.go:528 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/llmagent/extension.go:109 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/llmagent/option.go:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/llmagent/structure_export.go:78 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/llmagent/structure_export.go:98 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/parallelagent/parallel_agent.go:79 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/parallelagent/parallel_agent.go:165 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/parallelagent/structure_export.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
agent/parallelagent/structure_export.go:25 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
artifact/s3/service.go:54 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalresult/local/local.go:33 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalresult/mysql/mysql.go:51 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/local/local.go:82 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/local/local.go:267 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/locator.go:17 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/mysql/mysql.go:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/mysql/mysql.go:229 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evalset/mysql/options.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/hallucination/hallucination.go:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/hallucination/options.go:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/operator/internal/rubrics/rubrics.go:78 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/operator/messagesconstructor/rubricknowledgerecall/rubricknowledgerecall.go:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/operator/messagesconstructor/rubricreferencecritic/rubricreferencecritic.go:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/operator/messagesconstructor/rubricresponse/rubricresponse.go:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/operator/messagesconstructor/rubricresponse/rubricresponse.go:67 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/rubriccritic/options.go:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
evaluation/evaluator/llm/rubriccritic/rubriccritic.go:2 · conf 0.86
Duplicated implementation block across source files
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
examples/a2aadk/adk/adk_server.py:27 · conf 0.95
[COMP001] High cognitive complexity: Function `calculator` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested br…
low DKC006 Compose service does not declare a runtime user
examples/callbacks/timer/docker-compose.yaml:1 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
examples/callbacks/timer/docker-compose.yaml:9 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
examples/callbacks/timer/docker-compose.yaml:16 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
examples/telemetry/jaeger-prometheus/docker-compose.yaml:1 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
examples/telemetry/jaeger-prometheus/docker-compose.yaml:10 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
examples/telemetry/jaeger-prometheus/docker-compose.yaml:17 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
examples/callbacks/timer/docker-compose.yaml:1 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
examples/callbacks/timer/docker-compose.yaml:9 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
examples/callbacks/timer/docker-compose.yaml:16 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
examples/telemetry/jaeger-prometheus/docker-compose.yaml:1 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
examples/telemetry/jaeger-prometheus/docker-compose.yaml:10 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
examples/telemetry/jaeger-prometheus/docker-compose.yaml:17 · conf 0.62
Compose service lacks no-new-privileges hardening
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
codeexecutor/e2b/internal/codeinterpreter/example/main.go:50 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
codeexecutor/metadata.go:385 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
.github/scripts/check-current-module-sums.go:78 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low SEC132 String concat where the language has interpolation (AI style drift)
examples/graph/io_conventions/main.go:231 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
examples/skill/scripts/download_gaia_2023_level1_validation.py:249 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
examples/summary/toolcalls/main.go:130 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
info COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed.
info ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 63 more): Same pattern found in 63 additional files. Review if needed.
info MINED016 Go Error Ignored CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 33 more): Same pattern found in 33 additional files. Review if needed.
info MINED033 Go Recover Without Log CWE-755
· conf 0.20
[MINED033] Go Recover Without Log (and 13 more): Same pattern found in 13 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 29 more): Same pattern found in 29 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
codeexecutor/jupyter/jupyter_client.go:81 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
examples/a2aagent/error_handling/main.go:67 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
examples/a2amultipath/server/main.go:41 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
examples/agui/messagessnapshot/client/src/index.ts:32 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
openclaw/browser-server/scripts/smoke-relay.js:217 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
openclaw/browser-server/src/server.js:261 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED049 Print Pii CWE-532
· conf 0.20
[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED049 Print Pii CWE-532
examples/a2aadk/adk/adk_codeexec_server.py:42 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/a2aadk/adk/adk_server.py:81 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
openclaw/skills/nano-banana-pro/scripts/generate_image.py:72 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED050 Stub Only Function CWE-1188
examples/skill/scripts/download_gaia_2023_level1_validation.py:50 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
examples/agui/client/copilotkit/app/api/copilotkit/route.ts:24 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
examples/agui/client/copilotkit/app/api/copilotkit/route.ts:24 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
examples/agui/client/tdesign-chat/src/agui/format.ts:29 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
examples/knowledge/reranker/infinity/deploy_infinity.py:8 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 230 more): Same pattern found in 230 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
agent/completion_capture.go:20 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
agent/invocationcontext.go:38 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
agent/llmagent/surface_runtime.go:180 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED067 Python Requests No Timeout CWE-400
examples/skill/skills/ocr/scripts/ocr_url.py:37 · conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
info MINED069 Debug True Prod CWE-489
codeexecutor/e2b/internal/codeinterpreter/client.go:82 · conf 1.00
[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.
info MINED071 Go Panic Call CWE-755
· conf 0.20
[MINED071] Go Panic Call (and 17 more): Same pattern found in 17 additional files. Review if needed.
info MINED071 Go Panic Call CWE-755
evaluation/service/local/pool.go:57 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
examples/graph/concurrency_race/main.go:52 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
examples/graph/dag_engine/main.go:60 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED072 Python Pass Only Class CWE-1188
examples/skill/scripts/download_gaia_2023_level1_validation.py:49 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC020 Secret Printed to Logs
examples/a2aadk/adk/adk_codeexec_server.py:42 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
examples/a2aadk/adk/adk_server.py:81 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
openclaw/skills/nano-banana-pro/scripts/generate_image.py:71 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 97 more): Same pattern found in 97 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed.
info SEC078 Python: requests without timeout
examples/skill/skills/ocr/scripts/ocr_url.py:37 · conf 0.10
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed.
info SEC091 Go: net/http server without timeouts
· conf 0.20
[SEC091] Go: net/http server without timeouts (and 23 more): Same pattern found in 23 additional files. Review if needed.
info SEC093 Go: exec.Command with non-literal
· conf 0.20
[SEC093] Go: exec.Command with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC114 path.join / Path() on user-controlled segment without containment check
· conf 0.20
[SEC114] path.join / Path() on user-controlled segment without containment check (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC132 String concat where the language has interpolation (AI style drift)
· conf 0.20
[SEC132] String concat where the language has interpolation (AI style drift) (and 4 more): Same pattern found in 4 additional files. Review if needed.