gitsafehub
github.com/datawhalechina/llm-cookbook ↗

datawhalechina/llm-cookbook

scanned 2026-05-29 · git 92440ed
3 of 6 checks flagged a security issue
🔴 Needs attention
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit. How this is computed.

Findings by check:

  • Leaked secrets: 103
  • Vulnerable dependencies: 353
  • Known OSS vulnerabilities: 530
  • Risky code patterns: none found
  • Malicious dependencies: check timed out
  • Project health: 11 notes

Security checks

Leaked secrets — Gitleaks 103 found · 44 serious

API keys, passwords or tokens committed into the repo.

  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/Functions, Tools and Agents with LangChain/3. LangChain表达式语言 LCEL.ipynb:184
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious square-access-token Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
    content/Evaluating and Debugging Generative AI/2.测量权重和偏差 W&B.ipynb:521
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious square-access-token Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
    content/Evaluating and Debugging Generative AI/2.测量权重和偏差 W&B.ipynb:521
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious square-access-token Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
    content/Evaluating and Debugging Generative AI/2.测量权重和偏差 W&B.ipynb:521
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    pdf-code/notebook/C3 LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:225
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious square-access-token Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.
    content/Evaluating and Debugging Generative AI/2.测量权重和偏差 W&B.ipynb:521
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    content/LangChain for LLM Application Development/2.模型、提示和解析器 Models, Prompts and Output Parsers.ipynb:1
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious openai-api-key Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation.
    docs/C3/2. 模型、提示和解析器 Models, Prompts and Output Parsers.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
… 78 more not shown

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 353 found · 11 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2025-43859 h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a ...
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2025-43859). Fix: Update that package to its patched version.
  • Serious CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2025-68664). Fix: Update that package to its patched version.
  • Serious CVE-2023-39662 llama-index vulnerable to arbitrary code execution
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2023-39662). Fix: Update that package to its patched version.
  • Serious CVE-2024-23751 SQL injection in llama-index
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2024-23751). Fix: Update that package to its patched version.
  • Serious CVE-2025-1793 llama_index vulnerable to SQL Injection
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2025-1793). Fix: Update that package to its patched version.
  • Serious CVE-2025-14009 nltk: Zip Slip Vulnerability in nltk Leading to Code Execution
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2025-14009). Fix: Update that package to its patched version.
  • Serious CVE-2025-32434 PyTorch is a Python package that provides tensor computation with stro ...
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Serious CVE-2023-6730 transformers has a Deserialization of Untrusted Data vulnerability
    content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole (CVE-2023-6730). Fix: Update that package to its patched version.
  • Serious CVE-2023-6730 transformers has a Deserialization of Untrusted Data vulnerability
    content/选修-Finetuning Large Language Models/requirements.txt
    A package you depend on has a known security hole (CVE-2023-6730). Fix: Update that package to its patched version.
  • Serious CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    uv.lock
    A package you depend on has a known security hole (CVE-2025-68664). Fix: Update that package to its patched version.
  • Serious CVE-2025-14009 nltk: Zip Slip Vulnerability in nltk Leading to Code Execution
    uv.lock
    A package you depend on has a known security hole (CVE-2025-14009). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-5150 docarray prototype pollution
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2025-5150). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45134 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45134). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-2965 Denial of service in langchain-community
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2024-2965). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-6984 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2025-6984). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-2965 Denial of service in langchain-community
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2024-2965). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-3095 Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2024-3095). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-38459 langchain_experimental Code Execution via Python REPL access
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2024-38459). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
    content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole (CVE-2026-28684). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-5150 docarray prototype pollution
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2025-5150). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45134 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45134). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-2965 Denial of service in langchain-community
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2024-2965). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-6984 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2025-6984). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-2965 Denial of service in langchain-community
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2024-2965). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-3095 Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
    content/必修四-LangChain Chat with Your Data/requirements.txt
    A package you depend on has a known security hole (CVE-2024-3095). Fix: Update that package to its patched version.
… 328 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 530 found · 13 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-c67j-w6g6-q2cm LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-vqfr-h8mv-ghfj h11 accepts some malformed Chunked-Encoding bodies
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-c67j-w6g6-q2cm LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-2jxw-4hm4-6w87 SQL injection in llama-index
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-2xxc-73fv-36f7 llama-index vulnerable to arbitrary code execution
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-v3c8-3pr6-gr7p llama_index vulnerable to SQL Injection
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-7p94-766c-hgjp NLTK has a Zip Slip Vulnerability
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-53q9-r3pm-6pq6 PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-3863-2447-669p transformers has a Deserialization of Untrusted Data vulnerability
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Building and Evaluating Advanced RAG Applications/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-3863-2447-669p transformers has a Deserialization of Untrusted Data vulnerability
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Finetuning Large Language Models/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-5wvp-7f3h-6wmm PyArrow: Arbitrary code execution when loading a malicious data file
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/选修-Finetuning Large Language Models/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-c67j-w6g6-q2cm LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/uv.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-7p94-766c-hgjp NLTK has a Zip Slip Vulnerability
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/uv.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-3644-q5cj-c5c7 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-pc6w-59fv-rh23 Langchain Community Vulnerable to XML External Entity (XXE) Attacks
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-wmvm-9vqv-5qpp langchain_experimental Code Execution via Python REPL access
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6mq8-rvhq-8wgg AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6qv9-48xg-fc7f LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-qh6h-p6c9-ff54 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-wmvm-9vqv-5qpp langchain_experimental Code Execution via Python REPL access
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-m42m-m8cr-8m58 LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-3644-q5cj-c5c7 LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-hx9q-6w63-j58v orjson does not limit recursion for deeply nested JSON documents
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-r7q7-xcjw-qx8q TDQM Arbitrary Code Execution
    /workdirs/scan-e30ae2f3-2faf-43f7-a79c-7602f3e4b7f5/content/必修三-LangChain for LLM Application Development/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
… 505 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 3 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-License License scored 0: license file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 226 existing vulnerabilities detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.