Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
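How a check of this kind works, as an added example (this is not the scanner's own code and nothing here comes from the scanned project): two regexes approximating the gitleaks rules whose IDs appear in the findings below (`openai-api-key`, `square-access-token`) are run over an in-memory tree, hits are masked so the scanner itself never re-leaks the secret, and per-line hits are collapsed to distinct credentials, which is the number that drives rotation. The regexes are my approximations (assumed, not the rule file), and every "key" in the sample tree is a fabricated string that only shares the shape the rules look for.

```python
"""Minimal secret scan in the style of the openai-api-key / square-access-token rules.

Added example, not the scanner's rule set. RULES are assumed approximations of the
gitleaks rules with those IDs; SAMPLE_REPO contents are constructed fakes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed approximations of the two rules that fired in the report above.
RULES: dict[str, re.Pattern[str]] = {
    # legacy OpenAI key shape: sk- + 20 chars + the fixed "T3BlbkFJ" marker + 20 chars
    "openai-api-key": re.compile(r"\bsk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}\b"),
    # Square production access token: sq0atp- + 22 URL-safe chars
    "square-access-token": re.compile(r"\bsq0atp-[0-9A-Za-z_-]{22}\b"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    fingerprint: str  # masked form; the full secret never leaves the scanner


def mask(secret: str) -> str:
    """Keep just enough of the match to correlate hits without re-leaking the key."""
    return f"{secret[:8]}...{secret[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rule, path, line_no, mask(match.group(0))))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (stand-in for a checked-out tree)."""
    findings: list[Finding] = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def distinct_secrets(findings: list[Finding]) -> dict[str, list[str]]:
    """Collapse per-line hits to distinct secrets per rule.

    A key pasted into fifteen notebooks is one credential to revoke, not fifteen
    problems, so this count is the one that drives remediation.
    """
    by_rule: dict[str, set[str]] = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(f.fingerprint)
    return {rule: sorted(fps) for rule, fps in by_rule.items()}


# Constructed sample repository; the "keys" are fabricated strings that only
# share the shape the rules look for.
FAKE_OPENAI_KEY = "sk-" + "a" * 20 + "T3BlbkFJ" + "b" * 20
FAKE_SQUARE_TOKEN = "sq0atp-" + "ABCDEFGHIJKLMNOPQRSTUV"
SAMPLE_REPO: dict[str, str] = {
    "app/config.py": (
        f'OPENAI_API_KEY = "{FAKE_OPENAI_KEY}"\n'
        f'SQUARE_ACCESS_TOKEN = "{FAKE_SQUARE_TOKEN}"\n'
    ),
    # the same key copied into a notebook: a second hit, but one secret
    "notebooks/demo.ipynb": '{"source": ["client = OpenAI(api_key=\'' + FAKE_OPENAI_KEY + '\')"]}\n',
    # placeholder value: must not fire
    ".env.example": "OPENAI_API_KEY=sk-REPLACE_ME\n",
    # newer project-scoped key prefix: the legacy-shaped rule does NOT catch it,
    # which is the false negative to keep in mind when reading a "clean" result
    "app/newer.py": 'OPENAI_API_KEY = "sk-proj-abc123NotCoveredByTheLegacyRule"\n',
}


if __name__ == "__main__":
    hits = scan_tree(SAMPLE_REPO)
    for h in hits:
        print(f"{h.rule:22} {h.path}:{h.line_no}  {h.fingerprint}")
    print("distinct secrets per rule:", distinct_secrets(hits))
```

Two caveats when acting on the findings in this section: a credential that has ever been committed is exposed through git history even after the file is deleted, so revoke and rotate it first and only then rewrite history; and a legacy-shaped rule like the one above does not see newer key formats (the `sk-proj-` line in the sample tree goes unreported), so a zero from this rule alone is not evidence that no key is present.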
openai-api-key        Found an OpenAI API Key, posing a risk of unauthorized access to AI services and data manipulation. (repeated hits, roughly twenty lines across the repo)
square-access-token   Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure. (4 hits)

Packages you depend on that have known security holes (CVEs).
CVE-2025-43859   h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a ...
CVE-2025-32434   PyTorch is a Python package that provides tensor computation with stro ...
CVE-2023-6730    transformers has a Deserialization of Untrusted Data vulnerability
CVE-2023-39662   llama-index vulnerable to arbitrary code execution
CVE-2024-23751   SQL injection in llama-index
CVE-2025-1793    llama_index vulnerable to SQL Injection
CVE-2025-14009   nltk: Zip Slip Vulnerability in nltk Leading to Code Execution
CVE-2025-5150    docarray prototype pollution
CVE-2026-28684   python-dotenv: Arbitrary file overwrite via symbolic link following
CVE-2025-68664   LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
CVE-2024-2965    Denial of service in langchain-community
CVE-2024-3095    Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
CVE-2025-6984    Langchain Community Vulnerable to XML External Entity (XXE) Attacks
CVE-2024-38459   langchain_experimental Code Execution via Python REPL access
CVE-2026-45134   LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

(15 distinct CVEs; the raw output listed several of them more than once, collapsed here to one row per CVE.)

Your dependencies cross-checked against the OSV vulnerability database.
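How a cross-check like this one is assembled, as an added example and not the report's own implementation: a pinned requirements file is parsed into (package, version) pairs, turned into the request body the public OSV batch endpoint (POST /v1/querybatch) expects, and the positional results are mapped back to `package==version`. The request and response shapes are assumed from the OSV API as documented; the requirements excerpt and the reply below are constructed for the example, and pairing an advisory ID with a version here does not claim that version is affected. The part practitioners most often get wrong is also shown: a version query needs an exact pin, so a line like `nltk>=3.8` is reported as not queryable instead of silently passing.

```python
"""Build an OSV querybatch request from a requirements file and read the reply back.

Added example, not the scanner's code. Request/response shape assumed from the public
OSV API (POST /v1/querybatch); SAMPLE_REQUIREMENTS and SAMPLE_RESPONSE are constructed.
"""
from __future__ import annotations

import json
import re
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Only exact pins can be looked up by version; anything else is reported as unqueryable.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.+!-]+)\s*(?:;.*)?$")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Langchain_Community' and 'langchain-community' query the same package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Split a requirements file into (name, version) pins and lines that cannot be queried."""
    pinned: list[tuple[str, str]] = []
    unpinned: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as -r / --index-url
            continue
        m = PIN.match(line)
        if m:
            pinned.append((normalize_name(m.group(1)), m.group(2)))
        else:
            unpinned.append(line)
    return pinned, unpinned


def build_querybatch(pinned: list[tuple[str, str]]) -> dict:
    """Request body for POST /v1/querybatch: one query per pinned package."""
    return {"queries": [{"package": {"name": name, "ecosystem": "PyPI"}, "version": version}
                        for name, version in pinned]}


def merge_results(pinned: list[tuple[str, str]], response: dict) -> dict[str, list[str]]:
    """Results come back in query order; map each one to its package==version."""
    hits: dict[str, list[str]] = {}
    for (name, version), result in zip(pinned, response["results"]):
        ids = sorted({v["id"] for v in result.get("vulns", [])})
        if ids:
            hits[f"{name}=={version}"] = ids
    return hits


def query_osv(body: dict, timeout: float = 10.0) -> dict:
    """Live call (not used by the offline run below): POST the batch and decode the JSON reply."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed lockfile excerpt.
SAMPLE_REQUIREMENTS = """\
# constructed for the example
h11==0.14.0
Langchain_Community==0.0.20   # non-normalised name on purpose
nltk>=3.8
torch==2.5.1 ; python_version >= "3.9"
"""

# Constructed stand-in for the server's reply (id/modified per entry, like the real
# endpoint; an empty object means no advisories). The IDs are ones this report lists;
# the versions paired with them here are NOT asserted to be affected.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-vqfr-h8mv-ghfj", "modified": "2025-04-24T00:00:00Z"}]},
        {"vulns": [{"id": "GHSA-pc6w-59fv-rh23", "modified": "2025-07-01T00:00:00Z"}]},
        {},
    ]
}


def run_offline() -> tuple[dict, dict[str, list[str]], list[str]]:
    """Parse, build the request, and merge the constructed reply without touching the network."""
    pinned, unpinned = parse_requirements(SAMPLE_REQUIREMENTS)
    return build_querybatch(pinned), merge_results(pinned, SAMPLE_RESPONSE), unpinned


if __name__ == "__main__":
    body, hits, unpinned = run_offline()
    print("POST", OSV_QUERYBATCH_URL)
    print(json.dumps(body, indent=2))
    print("hits:", hits)
    print("not queryable (no exact pin):", unpinned)
```

When reading the list that follows, note that a batch query returns one result per query, so an advisory attached to more than one pinned package (or to the same package pulled in at two versions) appears once per query; count distinct IDs, as `merge_results` does per package, before comparing totals across tools.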
GHSA-vqfr-h8mv-ghfj   h11 accepts some malformed Chunked-Encoding bodies
GHSA-6mq8-rvhq-8wgg   AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
GHSA-53q9-r3pm-6pq6   PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
GHSA-3863-2447-669p   transformers has a Deserialization of Untrusted Data vulnerability
GHSA-5wvp-7f3h-6wmm   PyArrow: Arbitrary code execution when loading a malicious data file
GHSA-2xxc-73fv-36f7   llama-index vulnerable to arbitrary code execution
GHSA-2jxw-4hm4-6w87   SQL injection in llama-index
GHSA-v3c8-3pr6-gr7p   llama_index vulnerable to SQL Injection
GHSA-7p94-766c-hgjp   NLTK has a Zip Slip Vulnerability
GHSA-hx9q-6w63-j58v   orjson does not limit recursion for deeply nested JSON documents
GHSA-r7q7-xcjw-qx8q   TDQM Arbitrary Code Execution
GHSA-c67j-w6g6-q2cm   LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
GHSA-pjwx-r37v-7724   LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
GHSA-6qv9-48xg-fc7f   LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GHSA-qh6h-p6c9-ff54   LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
GHSA-m42m-m8cr-8m58   LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing
GHSA-pc6w-59fv-rh23   Langchain Community Vulnerable to XML External Entity (XXE) Attacks
GHSA-wmvm-9vqv-5qpp   langchain_experimental Code Execution via Python REPL access
GHSA-3644-q5cj-c5c7   LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

(19 distinct advisories; repeats in the raw output collapsed to one row per GHSA ID.)

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check did not finish, which is not the same as a clean result: the malicious-package status of this repo is unknown.
Maintenance & supply-chain hygiene. A signal about how the project is maintained, not a vulnerability in your code; it does not affect the verdict above.
scorecard-overall                  OpenSSF Scorecard overall: 1.5/10
scorecard-CI-Tests                 0: 0 out of 3 merged PRs checked by a CI test (score normalized to 0)
scorecard-CII-Best-Practices       0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool   0: no update tool detected
scorecard-Fuzzing                  0: project is not fuzzed
scorecard-License                  0: license file not detected
scorecard-Maintained                0: 0 commit(s) and 0 issue activity found in the last 90 days (score normalized to 0)
scorecard-SAST                     0: SAST tool is not run on all commits (score normalized to 0)
scorecard-Security-Policy          0: security policy file not detected
scorecard-Signed-Releases          0: project has not signed or included provenance with any releases
scorecard-Vulnerabilities          0: 226 existing vulnerabilities detected