
bytedance/ui-tars-desktop

https://github.com/bytedance/UI-TARS-desktop · lang: typescript · LOC: · source: user_submitted

Quality: 70.8 (Grade B)
Security: 86.2
Findings: 10 (0 critical · 0 high · 6 medium · 1 low · 3 info)
Status: completed, May 15, 2026 21:14
Top rules by occurrence (Severity is the rule's base severity; the one SEC006 hit below is reported at low with conf 0.40, which is why the summary shows 0 high)

Rule                                              Severity   Count
SEC015  Insecure Randomness for Security          medium     4
SEC007  Unsafe Deserialization                    medium     3
SEC017  Unbounded Input to LLM/External API       medium     2
SEC006  XSS Risk                                  high       1
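The SEC015 hits below span conf 1.00 (browser-operator.ts) down to 0.15 (sidebar.tsx), which is what you expect from a detector that weights the call site's naming: Math.random() feeding something called a token is a finding, Math.random() feeding UI jitter usually is not. The following is an added example, not UI-TARS code and not the scanner's actual rule logic: a line-level heuristic of that shape, run over a constructed sample, beside the CSPRNG-backed replacement (secureToken) a fix would use. The hint word lists and confidence bands are illustrative assumptions.

```typescript
// Added example: SEC015-style detector with a confidence heuristic, plus the fix.
// Not UI-TARS code and not the scanner's real rule; hint lists are assumptions.
import { randomBytes } from "node:crypto";

export interface RandomnessFinding {
  line: number;
  text: string;
  confidence: number; // 0..1: how likely the weak PRNG output guards something
}

// Names that suggest the value is security-relevant. No word boundaries, so
// camelCase like `sessionToken` still matches; "key"/"auth" omitted because
// they hit "monkey"/"author".
const SECURITY_HINTS = /(token|secret|nonce|salt|session|password|passwd|csrf|signature)/i;
// Names that suggest a benign use (timing jitter, layout, demo data).
const BENIGN_HINTS = /(jitter|delay|backoff|animation|colou?r|shuffle|sample|mock)/i;

export function detectInsecureRandomness(source: string): RandomnessFinding[] {
  const findings: RandomnessFinding[] = [];
  source.split("\n").forEach((text, idx) => {
    if (!/\bMath\.random\s*\(/.test(text)) return;
    let confidence = 0.5;                       // Math.random with no further signal
    if (SECURITY_HINTS.test(text)) confidence = 1.0;
    else if (BENIGN_HINTS.test(text)) confidence = 0.15;
    else if (/\.toString\(36\)/.test(text)) confidence = 0.6; // classic "random id" idiom
    findings.push({ line: idx + 1, text: text.trim(), confidence });
  });
  return findings;
}

// Hardened replacement: `bytes` bytes from the OS CSPRNG, hex-encoded (2*bytes chars).
export function secureToken(bytes = 16): string {
  return randomBytes(bytes).toString("hex");
}

// Constructed sample source (not from the repository) covering each confidence band.
export const SAMPLE_SOURCE = [
  "const jitter = Math.random() * 250;                 // backoff jitter",
  "const sessionToken = Math.random().toString(36).slice(2);",
  "const itemId = Math.random().toString(36).slice(2, 9);",
  "const requestId = crypto.randomUUID();",
].join("\n");

export function summarise(findings: RandomnessFinding[]): string[] {
  return findings.map(f => `line ${f.line} conf ${f.confidence.toFixed(2)}: ${f.text}`);
}
```

Triage the report the same way: the conf 1.00 finding is the one to read first, the conf 0.15 sidebar hit is probably a DOM id, and the fix for anything that survives review is to swap Math.random() for crypto.randomBytes/crypto.randomUUID as in secureToken.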
First 10 findings (severity-sorted)
medium SEC007 Unsafe Deserialization
apps/ui-tars/src/main/store/setting.ts:100 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC007 Unsafe Deserialization
packages/ui-tars/cli/src/cli/start.ts:40 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC007 Unsafe Deserialization
scripts/merge-yml/merge-yml.ts:25 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC015 Insecure Randomness for Security
packages/ui-tars/operators/browser-operator/src/browser-operator.ts:397 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium SEC017 Unbounded Input to LLM/External API
packages/agent-infra/browser-use/src/agent/agents/base.ts:142 · conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
medium SEC017 Unbounded Input to LLM/External API
packages/agent-infra/browser-use/src/agent/agents/navigator.ts:97 · conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
low SEC006 XSS Risk
packages/ui-tars/operators/browser-operator/src/ui-helper.ts:328 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info SEC015 Insecure Randomness for Security
· conf 0.20
[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed.
info SEC015 Insecure Randomness for Security
apps/ui-tars/src/renderer/src/components/ui/sidebar.tsx:623 · conf 0.15
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
multimodal/tarko/agent-server-next/src/services/sandbox/SandboxManager.ts:86 · conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
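The two SEC017 findings (base.ts:142, navigator.ts:97) describe user input reaching a model call with no visible size check. The check a reviewer wants to see is a bound applied before the SDK call, either truncating with a marker the model can see or rejecting outright. The following is an added example, not UI-TARS code: the limits, the ~4 chars/token estimate, and the sendToModel wrapper are illustrative assumptions standing in for the real OpenAI/Anthropic client call.

```typescript
// Added example: bound user-controlled text before it reaches an LLM/external API.
// Not UI-TARS code; limits and the chars/token ratio are assumptions.
export interface PromptLimits {
  maxChars: number; // hard cap on code points forwarded
  maxLines: number; // cheap defence against pasted logs/dumps
}

export interface BoundedPrompt {
  text: string;
  truncated: boolean;
  approxTokens: number;
}

export const DEFAULT_LIMITS: PromptLimits = { maxChars: 8_000, maxLines: 200 };

// Rough estimate only (about 4 chars per token for English); not a tokenizer.
export function approxTokenCount(text: string): number {
  return Math.ceil(text.length / 4);
}

export function boundUserInput(raw: string, limits: PromptLimits = DEFAULT_LIMITS): BoundedPrompt {
  // Normalise line endings first so the line cap cannot be dodged with CRLF.
  let text = raw.replace(/\r\n?/g, "\n");
  let truncated = false;

  const lines = text.split("\n");
  if (lines.length > limits.maxLines) {
    text = lines.slice(0, limits.maxLines).join("\n");
    truncated = true;
  }

  // Count code points, not UTF-16 units, so a cut never splits a surrogate pair.
  const chars = Array.from(text);
  if (chars.length > limits.maxChars) {
    text = chars.slice(0, limits.maxChars).join("");
    truncated = true;
  }

  // Tell the model something was dropped rather than letting it guess.
  if (truncated) text += "\n[input truncated by client]";
  return { text, truncated, approxTokens: approxTokenCount(text) };
}

// Rejecting variant for paths where silently dropping content would change meaning.
export function requireBoundedInput(raw: string, limits: PromptLimits = DEFAULT_LIMITS): string {
  const bounded = boundUserInput(raw, limits);
  if (bounded.truncated) {
    throw new RangeError(`input exceeds ${limits.maxChars} chars or ${limits.maxLines} lines`);
  }
  return bounded.text;
}

// Hypothetical wrapper: `send` stands in for the real SDK call. The point is that
// the bound is applied on the way in, not left to the provider's own limit.
export async function sendToModel(
  userInput: string,
  send: (prompt: string) => Promise<string>,
  limits: PromptLimits = DEFAULT_LIMITS,
): Promise<string> {
  return send(boundUserInput(userInput, limits).text);
}
```

Two details worth keeping when adapting this: normalise before measuring (otherwise the size check and the text sent can disagree), and cap both lines and characters, since a browser agent routinely receives page text where either dimension alone is easy to blow past.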
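The single SEC006 finding (ui-helper.ts:328, conf 0.40) reads "direct HTML injection without sanitization": a value that may be attacker-influenced (for a browser agent, anything scraped from the page) interpolated into markup. As an added example, not UI-TARS code and not the actual ui-helper.ts markup, here is that pattern beside the escaped form and a small check that distinguishes them. The overlay-label template is a placeholder assumption.

```typescript
// Added example: the SEC006 pattern (unescaped interpolation into HTML) beside a fix.
// Not UI-TARS code; the template and class name are placeholders.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the five characters that can break out of text or attribute context.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Unsafe: `label` is spliced straight into markup. If it came from page content
// or a model response, it can carry its own tags and event handlers.
export function unsafeLabelMarkup(label: string): string {
  return `<div class="overlay-label">${label}</div>`;
}

// Safe: same markup, untrusted part escaped. In a real renderer prefer
// createElement + textContent, which never parses the value as HTML at all.
export function safeLabelMarkup(label: string): string {
  return `<div class="overlay-label">${escapeHtml(label)}</div>`;
}

// Review helper: true if the rendered string contains any tag other than the
// template's own <div>/</div>, i.e. the label smuggled markup in.
export function containsInjectedTag(markup: string): boolean {
  return /<(?!\/?div\b)[a-z!\/]/i.test(markup);
}

// Constructed payload of the kind a scraped page could contain.
export const SAMPLE_PAYLOAD = '<img src=x onerror="alert(1)">';
```

The conf 0.40 on the finding is a reminder that the scanner cannot see whether the interpolated value is attacker-reachable; the check above answers that for a given rendering path, and escaping (or textContent) closes it regardless.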

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/b8acb5fe-7d86-484e-ad15-3a3f42605a19/.