gitsafehub
github.com/magic-research/magic-animate

magic-research/magic-animate

scanned 2026-06-30 · git d2bc3bc
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary: Leaked secrets (1) · Vulnerable dependencies (160) · Known OSS vulnerabilities · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    environment.yaml:8
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 160 found · 9 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2023-6572 Gradio Exposure of Sensitive Information to an Unauthorized Actor vulnerability
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-6572). Fix: Update that package to its patched version.
  • Serious CVE-2024-1728 Gradio allows users to access arbitrary files
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-1728). Fix: Update that package to its patched version.
  • Serious CVE-2025-23042 Gradio Blocked Path ACL Bypass Vulnerability
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-23042). Fix: Update that package to its patched version.
  • Serious CVE-2025-43859 h11: h11 accepts some malformed Chunked-Encoding bodies
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-43859). Fix: Update that package to its patched version.
  • Serious CVE-2023-50447 pillow: Arbitrary Code Execution via the environment parameter
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious CVE-2023-47248 PyArrow: Arbitrary code execution when loading a malicious data file
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-47248). Fix: Update that package to its patched version.
  • Serious CVE-2024-8019 PyTorch Lightning path traversal vulnerability
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-8019). Fix: Update that package to its patched version.
  • Serious CVE-2025-32434 PyTorch is a Python package that provides tensor computation with stro ...
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Serious CVE-2023-6730 transformers has a Deserialization of Untrusted Data vulnerability
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-6730). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerability
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-23334). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-30251 aiohttp: DoS when trying to parse malformed POST requests
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-30251). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-47627). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-49081 aiohttp: HTTP request modification
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-49081). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-49082 aiohttp: CRLF injection if user controls the HTTP method using aiohttp client
    requirements.txt
    A package you depend on has a known security hole (CVE-2023-49082). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-23829 python-aiohttp: http request smuggling
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-23829). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-27306 aiohttp: XSS on index pages for static file handling
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-27306). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    requirements.txt
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST request
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-69227). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-69228). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
    requirements.txt
    A package you depend on has a known security hole (CVE-2025-69229). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-22815). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-34515). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headers
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-34516). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headers
    requirements.txt
    A package you depend on has a known security hole (CVE-2026-34525). Fix: Update that package to its patched version.
… 135 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner timed out

Your dependencies cross-checked against the OSV vulnerability database.

This check didn’t finish — that’s not the same as “clean.”

via OSV-Scanner v1.9.2 · Apache-2.0

error: timeout after 60s

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.”

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.