Repository: dicklesworthstone/pi_agent_rust
Commit: a0e3384
Verdict: FAIL
Score: 0
Date: May 23, 2026

| Severity | Rule | Message | File:Line |
|---|---|---|---|
| HIGH | yaml.github-actions.security.run-shell-injection.run-shell-injection | Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/.github/workflows/publish.yml:31 → |
| HIGH | yaml.github-actions.security.run-shell-injection.run-shell-injection | Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/.github/workflows/release.yml:32 → |
| HIGH | yaml.github-actions.security.run-shell-injection.run-shell-injection | Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/.github/workflows/semver.yml:83 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `url`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/coding-agent/src/modes/interactive/components/login-dialog.ts:100 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `command`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/coding-agent/src/utils/clipboard-image.ts:92 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `cmd`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/coding-agent/src/utils/tools-manager.ts:66 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `cmd`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/mom/src/sandbox.ts:53 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `options`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/pods/src/commands/models.ts:281 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `options`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/pods/src/commands/models.ts:577 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `sshCmd`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/pods/src/ssh.ts:32 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `sshCmd`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/pods/src/ssh.ts:98 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `fdPath`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/tui/src/autocomplete.ts:111 → |
| MEDIUM | javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration | The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/web-ui/src/components/SandboxedIframe.ts:171 → |
| MEDIUM | javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration | The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/web-ui/src/components/SandboxedIframe.ts:190 → |
| MEDIUM | javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration | The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/web-ui/src/components/SandboxedIframe.ts:364 → |
| MEDIUM | javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration | The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/web-ui/src/components/SandboxedIframe.ts:381 → |
| MEDIUM | javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration | The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/packages/web-ui/src/components/sandbox/RuntimeMessageRouter.ts:137 → |
| HIGH | javascript.lang.security.detect-child-process.detect-child-process | Detected calls to child_process from a function argument `cmd`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/legacy_pi_mono_code/pi-mono/scripts/release.mjs:31 → |
| MEDIUM | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. | dicklesworthstone/pi_agent_rust/postgresql-09df2b5a/scripts/run_swarm_smoke_harness.py:352 → |