
z4nzu/hackingtool

https://github.com/Z4nzu/hackingtool.git · lang: python · LOC: · source: user_submitted

Quality
60.4
Grade C+
Security
90.4
Findings
67
2 critical · 33 high
Status
completed
May 24, 2026 01:22
critical: 2 · high: 33 · medium: 18 · low: 8 · info: 6
Top rules by occurrence

Rule       Severity  Count  Title
MINED108   high      17     self.attribute used but never assigned in __init__
MINED111   medium    6      Bare except continues silently
MINED115   high      4      GitHub Action pinned to mutable ref (not 40-char SHA)
MINED064   info      4      Python Input Call
COMP001    low       3      High cognitive complexity
DKR003     medium    3      Dockerfile base image uses the latest tag
SEC029     high      3      Server-Side Request Forgery (SSRF) — outbound HTTP from use…
SEC005     high      3      Command Injection Risk
MINED034   high      3      Python Subprocess Shell True
DKC006     low       2      Compose service does not declare a runtime user
First 67 findings (severity-sorted)
critical MINED102 Shell Injection Via F-string CWE-78
install.py:119 · conf 1.00
[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input — command injection. An attacker controlling any interpolated value can execute arbitrary …
critical MINED102 Shell Injection Via F-string CWE-78
tools/tool_manager.py:29 · conf 1.00
[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input — command injection. An attacker controlling any interpolated value can execute arbitrary …
high CORE_NO_TESTS No test files found
No test files found
high MINED001 Bare Except Pass CWE-755
os_detect.py:44 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED004 Weak Crypto CWE-327
tools/others/hash_crack.py:12 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). Caveat: tools/others/hash_crack.py is, by name, a hash-cracking utility, and computing MD5/SHA1 over candidate inputs is that tool's purpose; confirm the digest is not also relied on for integrity or authentication before treating this as a weakness in the tool itself.
high MINED006 Overcatch Baseexception CWE-705
install.py:267 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED012 Curl Pipe Bash CWE-494
tools/xss_attack.py:131 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED034 Python Subprocess Shell True CWE-78
install.py:119 · conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
high MINED034 Python Subprocess Shell True CWE-78
os_detect.py:130 · conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
high MINED034 Python Subprocess Shell True CWE-78
tools/tool_manager.py:29 · conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:160 · conf 1.00
[MINED108] `self.show_info` used but never assigned in __init__: Method `show_options` of class `HackingTool` reads `self.show_info`, but no assignment to it exists in __init__ (and no class-level fa…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:198 · conf 1.00
[MINED108] `self.show_project_page` used but never assigned in __init__: Method `show_options` of class `HackingTool` reads `self.show_project_page`, but no assignment to it exists in __init__ (and n…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:211 · conf 1.00
[MINED108] `self.before_install` used but never assigned in __init__: Method `install` of class `HackingTool` reads `self.before_install`, but no assignment to it exists in __init__ (and no class-lev…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:216 · conf 1.00
[MINED108] `self.after_install` used but never assigned in __init__: Method `install` of class `HackingTool` reads `self.after_install`, but no assignment to it exists in __init__ (and no class-level…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:225 · conf 1.00
[MINED108] `self.before_uninstall` used but never assigned in __init__: Method `uninstall` of class `HackingTool` reads `self.before_uninstall`, but no assignment to it exists in __init__ (and no cla…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:230 · conf 1.00
[MINED108] `self.after_uninstall` used but never assigned in __init__: Method `uninstall` of class `HackingTool` reads `self.after_uninstall`, but no assignment to it exists in __init__ (and no class…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:236 · conf 1.00
[MINED108] `self.is_installed` used but never assigned in __init__: Method `update` of class `HackingTool` reads `self.is_installed`, but no assignment to it exists in __init__ (and no class-level fa…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:312 · conf 1.00
[MINED108] `self._get_tool_dir` used but never assigned in __init__: Method `open_folder` of class `HackingTool` reads `self._get_tool_dir`, but no assignment to it exists in __init__ (and no class-l…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:326 · conf 1.00
[MINED108] `self.before_run` used but never assigned in __init__: Method `run` of class `HackingTool` reads `self.before_run`, but no assignment to it exists in __init__ (and no class-level fallback)…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:331 · conf 1.00
[MINED108] `self.after_run` used but never assigned in __init__: Method `run` of class `HackingTool` reads `self.after_run`, but no assignment to it exists in __init__ (and no class-level fallback). …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:375 · conf 1.00
[MINED108] `self._archived_tools` used but never assigned in __init__: Method `_show_archived_tools` of class `HackingToolsCollection` reads `self._archived_tools`, but no assignment to it exists in …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:412 · conf 1.00
[MINED108] `self.show_info` used but never assigned in __init__: Method `show_options` of class `HackingToolsCollection` reads `self.show_info`, but no assignment to it exists in __init__ (and no cla…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:414 · conf 1.00
[MINED108] `self._active_tools` used but never assigned in __init__: Method `show_options` of class `HackingToolsCollection` reads `self._active_tools`, but no assignment to it exists in __init__ (an…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:415 · conf 1.00
[MINED108] `self._incompatible_tools` used but never assigned in __init__: Method `show_options` of class `HackingToolsCollection` reads `self._incompatible_tools`, but no assignment to it exists in …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:416 · conf 1.00
[MINED108] `self._archived_tools` used but never assigned in __init__: Method `show_options` of class `HackingToolsCollection` reads `self._archived_tools`, but no assignment to it exists in __init__…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
core.py:481 · conf 1.00
[MINED108] `self._show_archived_tools` used but never assigned in __init__: Method `show_options` of class `HackingToolsCollection` reads `self._show_archived_tools`, but no assignment to it exists i…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
tools/steganography.py:24 · conf 1.00
[MINED108] `self.run` used but never assigned in __init__: Method `run` of class `SteganoHide` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/lint_python.yml:11 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/lint_python.yml:12 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test_install.yml:13 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test_install.yml:14 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:3 · conf 0.90
[MINED118] Dockerfile FROM `kalilinux/kali-rolling:latest` not pinned by digest: `FROM kalilinux/kali-rolling:latest` resolves the tag at build time. The registry CAN re-push a different image for th…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
tools/others/homograph_attacks.py:8 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
tools/phishing_attack.py:193 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
tools/web_attack.py:51 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
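For the three SEC029 findings above, this is the check a practitioner would put in front of the outbound request. It is an added example, not code from the hackingtool project: it enforces an http/https scheme and an optional host allowlist, refuses credentials embedded in the URL, and requires that every address the host resolves to is public, which is what catches 169.254.169.254, localhost, and IPv4-mapped IPv6 literals. The `resolve` parameter, the `FAKE_DNS` table and the hostnames in it are constructed so the block runs offline; a real program keeps the default socket-backed resolver.

```python
"""Destination check in front of an outbound HTTP request (SEC029).

Added example, not code from the hackingtool project.  Assumptions: the
request must go to a public host over http/https only; `resolve` is injected
so the check can run offline (use the default, socket-backed resolver in a
real program).  FAKE_DNS and its hostnames are constructed test data."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "split.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal record
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError(f"name not found: {host}")
    return FAKE_DNS[host]


def system_resolve(host):
    """Every address the name resolves to, IPv4 and IPv6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 hides an IPv4 address
    if mapped is not None:
        ip = mapped
    # is_global already excludes private, loopback, link-local and reserved
    # ranges; multicast is excluded explicitly for older Python versions.
    return ip.is_global and not ip.is_multicast


def is_safe_destination(url, resolve=system_resolve, allowed_hosts=None):
    """(ok, reason).  Refuses non-http(s) schemes, URLs carrying credentials,
    hosts outside the optional allowlist, and any host where at least one
    resolved address is not public (so a name with one public and one internal
    record is refused, not only the literal 169.254.169.254)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"{addr} is not a public address"
    return True, "ok"
```

Two caveats remain after this check passes. Redirect targets need the same check (requests follows redirects by default), and because the lookup here and the one the HTTP client performs later are separate DNS queries, a rebinding attacker can swap the record between them; the robust fix is to connect to the address that was checked rather than to the name.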
medium AGT015 Remote install command pipes network code directly to a shell
tools/xss_attack.py:131 · conf 0.70
Remote install command pipes network code directly to a shell
medium AUC001 No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium COMP001 High cognitive complexity
os_detect.py:20 · conf 0.95
[COMP001] High cognitive complexity: Function `detect` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branc…
medium DKR001 Docker final stage has no non-root USER
Dockerfile:3 · conf 0.82
Docker final stage has no non-root USER
medium DKR003 Dockerfile base image uses the latest tag
docker-compose.yml:9 · conf 0.94
Compose service `hackingtool` image uses the latest tag
medium DKR003 Dockerfile base image uses the latest tag
docker-compose.yml:22 · conf 0.94
Compose service `hackingtool-dev` image uses the latest tag
medium DKR003 Dockerfile base image uses the latest tag
Dockerfile:3 · conf 0.94
Dockerfile base image uses the latest tag
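The MINED115, MINED118, DKR001 and DKR003 findings above are all one problem: a reference that is resolved at run or build time by someone other than the repository owner. The checker below is an added example, not the scanner's rule code or anything from the hackingtool repository. It flags `uses:` lines that are not pinned to a 40-character commit SHA, `FROM` and compose `image:` references without an `@sha256` digest, and a final build stage that never switches to a non-root `USER`. The sample workflow, Dockerfile and compose fragments are constructed to mirror the shapes reported here; the hex SHA and the digest in them are placeholders, not real commits or images.

```python
"""Mutable-reference checks for CI workflows and container images.
Added example, not code from the hackingtool repository.  The sample inputs
are constructed; the 40-hex SHA and the sha256 digest are placeholders."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.I)
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")


def check_workflow(text):
    """(line, ref, problem) for each `uses:` not pinned to a full commit SHA.
    A tag or branch is resolved when the job runs, so whoever can move it
    picks the code; a 40-char SHA cannot be re-pointed."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            continue  # repository-local action, versioned with the repo itself
        _, sep, version = ref.partition("@")
        if not sep:
            out.append((no, ref, "no ref: floats on the action's default branch"))
        elif not SHA40.match(version):
            out.append((no, ref, f"mutable ref {version!r}: pin to a 40-char commit SHA"))
    return out


def image_problem(image):
    """None if the image reference is digest-pinned, else why it is mutable."""
    if DIGEST.match(image) or image == "scratch":
        return None
    tag = image.split("/")[-1].partition(":")[2]  # registry:port is not a tag
    if not tag:
        return "no tag: implicit :latest"
    if tag == "latest":
        return "latest tag is mutable: pin by @sha256 digest"
    return f"tag {tag!r} is mutable: add an @sha256 digest"


def check_dockerfile(text):
    """Flags every FROM that is not digest-pinned (references to earlier build
    stages are skipped) and, with line 0, a final stage that never switches
    to a non-root USER."""
    out, stages, user = [], set(), None
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            image, stage = m.groups()
            user = None  # every stage starts as root again
            if stage:
                stages.add(stage)
            problem = None if image in stages else image_problem(image)
            if problem:
                out.append((no, image, problem))
        elif USER_RE.match(line):
            user = USER_RE.match(line).group(1)
    if user is None or user in ("root", "0"):
        out.append((0, "", "final stage has no non-root USER: container runs as root"))
    return out


def check_compose(text):
    """Same image test for the `image:` lines of a compose file."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        problem = image_problem(m.group(1).strip("'\"")) if m else None
        if problem:
            out.append((no, m.group(1), problem))
    return out


# Constructed inputs mirroring the shapes flagged in this report.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-lint
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
RUN pip wheel --no-deps -w /wheels .
FROM kalilinux/kali-rolling:latest
COPY --from=builder /wheels /wheels
"""
PINNED_DOCKERFILE = (
    "FROM kalilinux/kali-rolling@sha256:" + "0" * 64 + "\n"  # placeholder digest
    "RUN useradd --create-home app\nUSER app\n"
)
SAMPLE_COMPOSE = "services:\n  hackingtool:\n    image: hackingtool:latest\n  dev:\n    image: python:3.12-slim\n"
```

A pinned reference still needs updating; the usual arrangement is a SHA (or digest) plus a trailing comment with the human-readable version, with a bot such as Dependabot or Renovate opening pull requests that move the pin.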
medium DKR014 Dockerfile copies the entire context without .dockerignore
Dockerfile:29 · conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
medium MINED111 Bare except continues silently
core.py:202 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
core.py:477 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
core.py:485 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
hackingtool.py:187 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
hackingtool.py:209 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
hackingtool.py:649 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
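The MINED001, MINED006 and MINED111 findings share one consequence that is easy to see in code: a handler that catches everything and continues cannot be interrupted and reports nothing. The block below is an added example, not the project's code; the three step functions are constructed stand-ins for install steps, and the narrowed exception tuple in the second runner is an assumption about what such a step can legitimately raise.

```python
"""Why `except: pass` / `except BaseException: pass` is flagged (MINED001,
MINED006, MINED111).  Added example, not code from the hackingtool project;
the three step functions are constructed stand-ins for install steps."""
import logging
import subprocess

log = logging.getLogger("example.install")


def ok_step():
    return "done"


def failing_step():
    # Constructed failure of the kind an install step can legitimately raise.
    raise OSError("permission denied writing /opt/tools")


def interrupted_step():
    # Stand-in for the user pressing Ctrl+C while a step is running.
    raise KeyboardInterrupt


def run_steps_swallowing(steps):
    """The flagged pattern.  Returns how many steps completed; nothing else
    escapes.  KeyboardInterrupt (Ctrl+C) and SystemExit (sys.exit()) are
    BaseException subclasses, so they are eaten too and the loop carries on."""
    completed = 0
    for step in steps:
        try:
            step()
            completed += 1
        except BaseException:  # a bare `except:` behaves the same way
            pass
    return completed


def run_steps_reporting(steps):
    """Catch only the failures a step can legitimately produce (assumed here:
    OSError and a failed subprocess), record them with context, and let
    KeyboardInterrupt/SystemExit propagate so the program can actually stop.
    Returns (completed, [(step name, error), ...])."""
    completed, failures = 0, []
    for step in steps:
        name = getattr(step, "__name__", repr(step))
        try:
            step()
            completed += 1
        except (OSError, subprocess.CalledProcessError) as exc:
            log.warning("step %s failed: %s", name, exc)
            failures.append((name, exc))
    return completed, failures
```

Where a handler genuinely must catch `Exception` (a top-level loop that should survive one tool's failure), the minimum is to log the exception with `log.exception(...)` so the traceback is kept, and never to widen it to `BaseException`.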
medium SEC005 Command Injection Risk
install.py:119 · conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
medium SEC005 Command Injection Risk
os_detect.py:130 · conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
medium SEC005 Command Injection Risk
tools/tool_manager.py:29 · conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
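The two critical MINED102 findings, the three MINED034 findings and the three SEC005 findings all sit on the same three lines (install.py:119, os_detect.py:130, tools/tool_manager.py:29) and describe one defect: a command string assembled from a value and handed to `/bin/sh`. The block below is an added example, not the project's code. `echo` stands in for the real tool (git, apt, and so on) so that the injected command shows up in stdout and the block runs offline; the repository-URL pattern is an assumed allowlist policy, and the payload is constructed.

```python
"""Shell-string vs argv invocation, for the pattern flagged at install.py:119,
os_detect.py:130 and tools/tool_manager.py:29.  Added example, not the
project's code: `echo` stands in for the real tool so the injected command is
visible in stdout and the block runs offline; REPO_URL is an assumed policy."""
import re
import subprocess

# Assumed policy: only https GitHub repositories, no shell or option characters.
REPO_URL = re.compile(r"^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$")

# Constructed attacker input: a valid-looking URL with a second command appended.
PAYLOAD = "https://github.com/Z4nzu/hackingtool.git; echo INJECTED"


def run_vulnerable(url):
    """The flagged form: one string, parsed by /bin/sh.  The `;` ends the
    first command and the rest of the value runs as a second one."""
    cmd = f"echo cloning {url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(url):
    """No shell: each list element reaches the tool as exactly one argument,
    so shell metacharacters in `url` are just bytes in a string."""
    return subprocess.run(["echo", "cloning", url],
                          capture_output=True, text=True, check=True).stdout


def validate_repo_url(url):
    """argv form stops shell injection but not option injection: a value such
    as '--upload-pack=/tmp/x' is still an option to `git clone`.  Allowlist the
    shape of the value before it becomes an argument."""
    return bool(REPO_URL.match(url))


def clone_command(url):
    """argv a hardened installer would hand to subprocess.run (built, not run
    here).  `--` ends option parsing so the URL can only be a positional argument."""
    if not validate_repo_url(url):
        raise ValueError(f"refused repository URL: {url!r}")
    return ["git", "clone", "--depth", "1", "--", url]
```

`shlex.quote()` is the fallback only where a shell really is required (a pipeline, a remote `ssh` command); it neutralises metacharacters but does nothing about option injection, so the value-shape check still has to come first.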
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
low AUC005 No authorization-focused tests detected
· conf 0.76
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low COMP001 High cognitive complexity
generate_readme.py:29 · conf 0.95
[COMP001] High cognitive complexity: Function `get_tools_toc` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste…
low COMP001 High cognitive complexity
install.py:52 · conf 0.95
[COMP001] High cognitive complexity: Function `check_os_compatibility` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand…
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:9 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:22 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:9 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:22 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
info MINED049 Print Pii CWE-532
tools/others/socialmedia_finder.py:35 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED050 Stub Only Function CWE-1188
os_detect.py:45 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED064 Python Input Call
· conf 0.20
[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED064 Python Input Call
tools/others/socialmedia_finder.py:82 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED064 Python Input Call
tools/reverse_engineering.py:31 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED064 Python Input Call
tools/steganography.py:15 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/f50c051f-a6b1-420d-86a0-2f826673808d/.