← Legacy view v2 (rp.*)

qingchencloud/clawpanel

https://github.com/qingchencloud/clawpanel · lang: javascript · LOC: · source: user_submitted

Quality
52.5
Grade C-
Security
41.6
Findings
13
0 critical · 1 high
Status
completed
May 15, 2026 17:15
info: 7 low: 3 medium: 2 high: 1
Top rules by occurrence
RuleSeverityCount
SEC006 XSS Risk high 4
SEC015 Insecure Randomness for Security medium 4
SEC001 Hardcoded Password critical 2
SEC020 Secret Printed to Logs high 2
SEC010 Cloud Provider Token critical 1
First 13 findings (severity-sorted)
high SEC020 Secret Printed to Logs
src/main.js:649 · conf 0.92 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
medium SEC001 Hardcoded Password
scripts/dev-api.js:9046 · conf 0.30 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
medium SEC001 Hardcoded Password
src/pages/security.js:26 · conf 0.30 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
low SEC006 XSS Risk
src/main.js:101 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
src/pages/settings.js:70 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
src/router.js:66 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info SEC006 XSS Risk
· conf 0.20 
[SEC006] XSS Risk (and 57 more): Same pattern found in 57 additional files. Review if needed.
info SEC010 Cloud Provider Token
src/pages/channels.js:142 · conf 0.10 
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
info SEC015 Insecure Randomness for Security
· conf 0.20 
[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC015 Insecure Randomness for Security
src/engines/hermes/pages/group-chat.js:25 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
src/main.js:173 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
src/pages/assistant.js:1040 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC020 Secret Printed to Logs
scripts/dev-api.js:7719 · conf 0.10 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/efdecec6-e2ef-4fec-829e-1a8beb5bdd4d/.