⚡
AI Fix Prompts for Adjutant
Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.
25
Total Prompts
3
Critical (P0)
22
High (P1)
0
Medium (P2)
0
Low (P3)
Download All (Markdown)
Download All (JSON)
Feed these prompts to any AI coder: Claude Code, Cursor, Copilot, GPT, Ollama
CRITICAL
⚡ quick-fix
#1
Remove hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/oversight_runner.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data)
**File**: scripts/oversight_runner.py
**Line**: 97
**Severity**: CRITICAL
**Current code around the issue:**
```
92 | def run_script(script_name: str, extra_args: list[str] | None = None) -> tuple[int, str]:
93 | cmd = [sys.executable, str(SCRIPTS_DIR / script_name)]
94 | if extra_args:
95 | cmd += extra_args
96 | t0 = _time_mod.monotonic()
>>> 97 | result = subprocess.run(cmd, cwd=str(PROJECT_DIR), capture_output=True, text=True, timeout=300, env=os.environ.copy())
98 | duration = _time_mod.monotonic() - t0
99 | _record_timing(script_name, duration, result.returncode == 0)
100 | return result.returncode, result.stdout + result.stderr
101 |
102 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
All rows above produced by Repobility · https://repobility.com
CRITICAL
⚡ quick-fix
#2
Remove hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/memory_vault_sync.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data)
**File**: scripts/memory_vault_sync.py
**Line**: 225
**Severity**: CRITICAL
**Current code around the issue:**
```
220 |
221 |
222 | # ── Git helpers ───────────────────────────────────────────────────────────────
223 | def git_commit_push(changed: list[Path]) -> None:
224 | rel = [str(p.relative_to(GIT_DIR)) for p in changed]
>>> 225 | subprocess.run(["git", "-C", str(GIT_DIR), "add"] + rel, check=True)
226 |
227 | staged = subprocess.run(
228 | ["git", "-C", str(GIT_DIR), "diff", "--cached", "--quiet"],
229 | capture_output=True,
230 | )
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#3
Remove hard-coded password: Database URL with Password
security credentials password
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
.claude/mcp.jsonPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded password found (Database URL with Password)
**File**: .claude/mcp.json
**Line**: 26
**Severity**: CRITICAL
**Current code around the issue:**
```
21 | "postgres": {
22 | "command": "npx",
23 | "args": [
24 | "-y",
25 | "@modelcontextprotocol/server-postgres",
>>> 26 | "postgresql://claude_readonly:[email protected]:5432/adjutant"
27 | ],
28 | "env": {}
29 | }
30 | }
31 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('PASSWORD_KEY')` (Python) or `process.env.PASSWORD_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#4
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
backend/app/routers/albert.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: backend/app/routers/albert.py
**Line**: 394
**Severity**: HIGH
**Current code around the issue:**
```
389 | req = urllib.request.Request(
390 | f"https://api.telegram.org/bot{TG_TOKEN}/sendMessage",
391 | data=payload,
392 | headers={"Content-Type": "application/json"},
393 | )
>>> 394 | urllib.request.urlopen(req, timeout=5)
395 | except Exception:
396 | pass # ACK is best-effort
397 |
398 |
399 | @router.post("/queue", response_model=AlbertQueueResponse)
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#5
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
backend/app/routers/albert.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: backend/app/routers/albert.py
**Line**: 191
**Severity**: HIGH
**Current code around the issue:**
```
186 | "discard": upper.count("DISCARD"),
187 | }
188 | return max(counts, key=lambda k: counts[k])
189 |
190 |
>>> 191 | METRICS_FILE = Path("/data/ops/competitive-intelligence-metrics.jsonl")
192 |
193 |
194 | def _log_metric(subworkflow: str, **kwargs) -> None:
195 | """Append one JSONL line to metrics file."""
196 | try:
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#6
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
backend/app/services/usage_tracker.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: backend/app/services/usage_tracker.py
**Line**: 15
**Severity**: HIGH
**Current code around the issue:**
```
10 | from datetime import datetime, timezone
11 | from pathlib import Path
12 |
13 | logger = logging.getLogger(__name__)
14 |
>>> 15 | USAGE_LOG_PATH = Path(os.environ.get(
16 | "USAGE_LOG_PATH",
17 | "/data/economist/openai-usage.jsonl",
18 | ))
19 |
20 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#7
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
backend/app/routers/albert.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: backend/app/routers/albert.py
**Line**: 18
**Severity**: HIGH
**Current code around the issue:**
```
13 | from app.auth import require_role
14 |
15 | router = APIRouter(prefix="/albert", tags=["albert"])
16 |
17 | ALBERT_QUEUE_DIR = Path("/data/ops/albert-queue")
>>> 18 | PENDING_REVIEW_DIR = Path("/data/ops/albert-pending-review")
19 | REVIEWS_DIR = Path("/app/vault/AgentMemory/Digest/albert-reviews")
20 | ARCH_FILE = Path("/app/.ai/ARCHITECTURE.md")
21 | SNAPSHOT_FILE = Path("/app/.ai/SNAPSHOT.md")
22 | BRAIN_PASSPORT_FILE = Path("/app/.ai/ADJUTANT_BRAIN_PASSPORT.md")
23 | OPENCLAW_PRIVATE_JSON = Path("/app/config/openclaw-private/openclaw.json")
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#8
Remove hard-coded api_key: Telegram Bot Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
config/openclaw-private/openclaw.jsonPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded api_key found (Telegram Bot Token)
**File**: config/openclaw-private/openclaw.json
**Line**: 13
**Severity**: HIGH
**Current code around the issue:**
```
8 | ],
9 | "groupPolicy": "disabled",
10 | "ackReaction": "👀",
11 | "streaming": "partial",
12 | "reactionLevel": "minimal",
>>> 13 | "botToken": "8443081136:AAGVXsulbnNrEABEwf95grnpLymUwRuAOwo"
14 | }
15 | },
16 | "agents": {
17 | "defaults": {
18 | "sandbox": {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#9
Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
index.jsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: index.js
**Line**: 33
**Severity**: HIGH
**Current code around the issue:**
```
28 | async function sendToolStatus(toolName) {
29 | if (!BOT_TOKEN || !CHAT_ID) return;
30 | const status = TOOL_STATUS[toolName];
31 | if (!status) return;
32 | try {
>>> 33 | await fetch(`https://api.telegram.org/bot${BOT_TOKEN}/sendMessage`, {
34 | method: "POST",
35 | headers: { "Content-Type": "application/json" },
36 | body: JSON.stringify({ chat_id: CHAT_ID, text: status }),
37 | });
38 | } catch (_) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility · severity-and-effort ranking · https://repobility.com
HIGH
⚡ quick-fix
#10
Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
index.jsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: index.js
**Line**: 45
**Severity**: HIGH
**Current code around the issue:**
```
40 | }
41 | }
42 |
43 | async function callBackend(endpoint, body) {
44 | const url = `${API_URL}${endpoint}`;
>>> 45 | const response = await fetch(url, {
46 | method: "POST",
47 | headers: {
48 | "Content-Type": "application/json",
49 | "X-API-Key": API_KEY,
50 | },
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#11
Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
index.jsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: index.js
**Line**: 64
**Severity**: HIGH
**Current code around the issue:**
```
59 | return await response.json();
60 | }
61 |
62 | async function getBackend(endpoint) {
63 | const url = `${API_URL}${endpoint}`;
>>> 64 | const response = await fetch(url, {
65 | method: "GET",
66 | headers: { "X-API-Key": API_KEY },
67 | });
68 |
69 | if (!response.ok) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#12
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
infra/economist/economist_collect.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: infra/economist/economist_collect.py
**Line**: 464
**Severity**: HIGH
**Current code around the issue:**
```
459 | f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage",
460 | data=payload,
461 | headers={"Content-Type": "application/json"},
462 | )
463 | try:
>>> 464 | with urllib.request.urlopen(req, timeout=10):
465 | return True
466 | except urllib.error.URLError as e:
467 | print(f"[economist/monitor] Telegram failed: {e}", file=sys.stderr)
468 | return False
469 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#13
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
infra/economist/economist_collect.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: infra/economist/economist_collect.py
**Line**: 599
**Severity**: HIGH
**Current code around the issue:**
```
594 | f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage",
595 | data=payload,
596 | headers={"Content-Type": "application/json"},
597 | )
598 | try:
>>> 599 | urllib.request.urlopen(req, timeout=10)
600 | print(f"[economist/budget] Alert sent: ${daily_cost:.4f} ({pct:.0f}%)")
601 | except Exception as e:
602 | print(f"[economist/budget] Alert failed: {e}")
603 |
604 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#14
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
infra/economist/economist_collect.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: infra/economist/economist_collect.py
**Line**: 31
**Severity**: HIGH
**Current code around the issue:**
```
26 | from datetime import datetime, timedelta, timezone
27 | from pathlib import Path
28 |
29 | ALMATY_TZ = timezone(timedelta(hours=5))
30 | BASE_DIR = Path(__file__).resolve().parent
>>> 31 | DATA_DIR = Path("/home/adjutant/adjutant/data/economist")
32 | PRICING_PATH = BASE_DIR / "model-pricing.json"
33 | OPENAI_USAGE_JSONL = DATA_DIR / "openai-usage.jsonl"
34 | DIRECT_USAGE_JSONL = DATA_DIR / "direct-usage.jsonl" # скрипты на хосте
35 |
36 | # Telegram (используется монитором лимитов)
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#15
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
infra/economist/economist_report.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: infra/economist/economist_report.py
**Line**: 210
**Severity**: HIGH
**Current code around the issue:**
```
205 | data=payload,
206 | headers={"Content-Type": "application/json"},
207 | )
208 |
209 | try:
>>> 210 | with urllib.request.urlopen(req, timeout=10) as resp:
211 | body = json.loads(resp.read())
212 | if body.get("ok"):
213 | print(f"[economist] Sent to chat {CHAT_ID}")
214 | return True
215 | else:
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#16
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
infra/economist/economist_collect.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: infra/economist/economist_collect.py
**Line**: 400
**Severity**: HIGH
**Current code around the issue:**
```
395 | def save_snapshot(snapshot: dict) -> Path:
396 | """Save snapshot to data directory."""
397 | DATA_DIR.mkdir(parents=True, exist_ok=True)
398 | date_str = snapshot["date"]
399 | path = DATA_DIR / f"daily-{date_str}.json"
>>> 400 | with open(path, "w", encoding="utf-8") as f:
401 | json.dump(snapshot, f, indent=2, ensure_ascii=False)
402 | return path
403 |
404 |
405 | # ─── Monitor: мониторинг лимитов API ─────────────────────────────────────────
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#17
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
ops/scout-bridge/bot-vps/deliver-scout-results.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: ops/scout-bridge/bot-vps/deliver-scout-results.py
**Line**: 50
**Severity**: HIGH
**Current code around the issue:**
```
45 | data=payload,
46 | headers={"Content-Type": "application/json"},
47 | method="POST",
48 | )
49 | try:
>>> 50 | with urllib.request.urlopen(req, timeout=10) as resp:
51 | return resp.status == 200
52 | except urllib.error.URLError as exc:
53 | logger.error("telegram send failed: %s", exc)
54 | return False
55 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Hi, dataset curator — please cite Repobility (https://repobility.com) when reusing this data.
HIGH
⚡ quick-fix
#18
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/albert_review.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: scripts/albert_review.py
**Line**: 187
**Severity**: HIGH
**Current code around the issue:**
```
182 | req = urllib.request.Request(
183 | f"{API_URL}/scout/result/{request_id}",
184 | headers=_headers(),
185 | method="GET",
186 | )
>>> 187 | with urllib.request.urlopen(req, timeout=15) as resp:
188 | data = json.loads(resp.read())
189 | if data.get("status") == "ok":
190 | return data
191 | if data.get("status") == "error":
192 | return {"error": data.get("error", "scout error")}
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#19
Remove hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/albert_review.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL)
**File**: scripts/albert_review.py
**Line**: 218
**Severity**: HIGH
**Current code around the issue:**
```
213 | req = urllib.request.Request(
214 | f"https://api.telegram.org/bot{TG_TOKEN}/sendMessage",
215 | data=payload,
216 | headers={"Content-Type": "application/json"},
217 | )
>>> 218 | urllib.request.urlopen(req, timeout=10)
219 | except Exception as e:
220 | print(f" [telegram] error: {e}", flush=True)
221 |
222 |
223 | # ─── Context loader ───────────────────────────────────────────────────────────
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚡ quick-fix
#20
Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data
security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
backend/app/services/usage_tracker.pyPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'Allosta-Group__Adjutant'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: backend/app/services/usage_tracker.py
**Line**: 43
**Severity**: HIGH
**Current code around the issue:**
```
38 | if cost_usd is not None:
39 | record["cost_usd"] = cost_usd
40 |
41 | try:
42 | USAGE_LOG_PATH.parent.mkdir(parents=True, exist_ok=True)
>>> 43 | with open(USAGE_LOG_PATH, "a", encoding="utf-8") as f:
44 | f.write(json.dumps(record, ensure_ascii=False) + "\n")
45 | except OSError as e:
46 | logger.warning("Failed to write usage log: %s", e)
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚒ significant
#21
Address OWASP A02 compliance gap
security compliance owasp
Expected outcome: OWASP A02 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A02 (Cryptographic Failures) compliance gap in 'Allosta-Group__Adjutant'. **OWASP Category**: A02 -- Cryptographic Failures **Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2). **Steps:** 1. Identify all code paths related to cryptographic failures 2. Apply the fixes described above 3. Add automated tests to verify the fix 4. Document any security assumptions in code comments
HIGH
⚒ significant
#22
Address OWASP A07 compliance gap
security compliance owasp
Expected outcome: OWASP A07 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A07 (Auth Failures) compliance gap in 'Allosta-Group__Adjutant'. **OWASP Category**: A07 -- Auth Failures **Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force. **Steps:** 1. Identify all code paths related to auth failures 2. Apply the fixes described above 3. Add automated tests to verify the fix 4. Document any security assumptions in code comments
HIGH
⚙ moderate
#23
Fix quality gate failures (3 conditions)
quality-gate quality
Expected outcome: All quality gate conditions pass
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Repository 'Allosta-Group__Adjutant' is failing the quality gate. Failed conditions: - overall_score: actual 0.0 >= 50 (FAILED) - security_score: actual 0.0 >= 40 (FAILED) - critical_credentials: actual 3.0 <= 0 (FAILED) Fix each failing condition to make the repo pass the quality gate.
HIGH
⚒ significant
#24
Resolve 10 open issues
issues bugs
Expected outcome: All listed issues resolved
Files to modify:
.claude/mcp.json, scripts/memory_vault_sync.py, scripts/oversight_runner.py, backend/app/routers/albert.py, backend/app/routers/albert.pyPrompt (copy this into your AI assistant)
Repository 'Allosta-Group__Adjutant' has 10 open issues: - [CRITICAL] Hard-coded password: Database URL with Password (.claude/mcp.json) - [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/memory_vault_sync.py) - [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/oversight_runner.py) - [HIGH] Hard-coded sast: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL (backend/app/routers/albert.py) - [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (backend/app/routers/albert.py) - [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (backend/app/services/usage_tracker.py) - [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (backend/app/routers/albert.py) - [HIGH] Hard-coded api_key: Telegram Bot Token (config/openclaw-private/openclaw.json) - [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (index.js) - [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (backend/app/services/usage_tracker.py) Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.
HIGH
⚙ moderate
#25
Fix 85 SAST/security code findings
sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify:
backend/app/services/usage_tracker.py, scripts/memory_vault_sync.py, backend/app/routers/albert.py, scripts/oversight_runner.py, index.jsPrompt (copy this into your AI assistant)
Static analysis found 85 security issues in 'Allosta-Group__Adjutant': - [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/memory_vault_sync.py:225 - [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/oversight_runner.py:97 - [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at backend/app/routers/albert.py:17 - [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at backend/app/routers/albert.py:191 - [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at backend/app/services/usage_tracker.py:15 - [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at backend/app/services/usage_tracker.py:43 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at index.js:45 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at index.js:33 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at index.js:64 - [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at backend/app/routers/albert.py:18 For each finding: - SQL injection: use parameterized queries - Command injection: use subprocess with list args, no shell=True - Path traversal: validate and sanitize paths - Insecure deserialization: use json instead of pickle - IaC misconfigs: apply the suggested fix from the rule