gitsafehub
github.com/xiaomo-agi/xiaomo-skills

xiaomo-agi/xiaomo-skills

scanned 2026-06-30 · git 9dc001f
2 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with the known OSS vulnerabilities below.

Informational scan, not a security audit.

Summary: Leaked secrets · Vulnerable dependencies 51 · Known OSS vulnerabilities 62 · Risky code patterns · Malicious dependencies · Project health 9

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 51 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-41242 protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41242). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44288 protobufjs: protobufjs: Security control bypass due to improper handling of overlong UTF-8 sequences
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44288). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42033 axios: Axios: HTTP Transport Hijacking via Prototype Pollution
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42043 axios: Axios: NO_PROXY bypass via crafted URL
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42264 axios: Axios: Prototype pollution allows information disclosure and request manipulation
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42264). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44487 axios: Axios: Information disclosure of proxy credentials via redirect flows
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44488 axios: Axios: Denial of Service due to unenforced request and response size limits
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44488). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44492 axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44492). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44494 axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44494). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44495 axios: Axios: Information disclosure due to prototype pollution vulnerability
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44496 axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-62718 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40175 axios: Axios: Remote Code Execution via Prototype Pollution escalation
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42034 axios: Axios: Denial of Service via oversized streamed uploads bypassing body limits
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42036 axios: Axios: Denial of Service via unbounded stream consumption when 'responseType: 'stream'' is used
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42036). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42037 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42037). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42038 axios: Axios: Information disclosure due to `no_proxy` bypass
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42038). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42039 axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42039). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42041 axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42041). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42042 axios: Axios: XSRF token bypass leading to information disclosure
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42042). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42044 axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42044). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44490 axios: Axios: Information disclosure and denial of service due to prototype pollution
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44490). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r4q5-vmmm-2653 follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
    skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (GHSA-r4q5-vmmm-2653). Fix: Update that package to its patched version.
… 26 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 62 found · 2 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-xq3m-2v4x-88gg Arbitrary code execution in protobufjs
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-41242). Fix: Update that package to its patched version.
  • Serious GHSA-5xrq-8626-4rwp When Vitest UI server is listening, arbitrary file can be read and executed
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-47429). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q6x5-8v7m-xcrf protobufjs has overlong UTF-8 decoding
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44288). Fix: Update that package to its patched version.
  • Worth fixing GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44494). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44495). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2025-62718). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3w6x-2g7m-8v23 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42044). Fix: Update that package to its patched version.
  • Worth fixing GHSA-445q-vr5w-6q77 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42037). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42034). Fix: Update that package to its patched version.
  • Worth fixing GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42039). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42035). Fix: Update that package to its patched version.
  • Worth fixing GHSA-777c-7fjr-54vf Allocation of Resources Without Limits or Throttling in Axios
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44488). Fix: Update that package to its patched version.
  • Worth fixing GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44490). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-40175). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44496). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44486). Fix: Update that package to its patched version.
  • Worth fixing GHSA-m7pr-hjqh-92cm Axios: no_proxy bypass via IP alias allows SSRF
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42038). Fix: Update that package to its patched version.
  • Worth fixing GHSA-p92q-9vqr-4j8v Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44487). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42033). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pjwm-pj3p-43mv axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-44492). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42043). Fix: Update that package to its patched version.
  • Worth fixing GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42264). Fix: Update that package to its patched version.
  • Worth fixing GHSA-vf2m-468p-8v99 Axios: HTTP adapter streamed responses bypass maxContentLength
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42036). Fix: Update that package to its patched version.
  • Worth fixing GHSA-w9j2-pvgh-6h63 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42041). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xx6v-rp6x-q39c Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
    /workdirs/scan-6f6c8ada-565f-4266-bfff-9968e06ea2da/skills/mycc/scripts/package-lock.json
    A package you depend on has a known security hole (CVE-2026-42042). Fix: Update that package to its patched version.
… 37 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 9 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.9/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/30 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: project was created within the last 90 days. Please review its contents carefully
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: no SAST tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.