AI Fix Prompts for Openclaw N8N Blueprint
Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to fix the issue. Each prompt includes the finding, the code location, and step-by-step fix instructions. Every SAST row below is a taint-analysis finding (OS command injection, SQL injection or SSRF), not a hardcoded credential, and the fix steps are written for that finding; where the flagged line runs constant DDL or a `?`-parameterized query, the expected result is a documented false positive, not a code change.
25 total prompts: 14 Critical (P0), 11 High (P1), 0 Medium (P2), 0 Low (P3). Prompts #1 to #22 are shown on this page.
Feed these prompts to any AI coder: Claude Code, Cursor, Copilot, GPT, Ollama
CRITICAL
⚡ quick-fix
#1
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; argument injection through values beginning with "-" ruled out
Files to modify:
docker/sync/openclaw_n8n_sync_worker.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: an argument list that may contain externally sourced values reaches `subprocess.run`
**File**: docker/sync/openclaw_n8n_sync_worker.py
**Line**: 30
**Severity**: CRITICAL
**Current code around the issue:**
```
25 | }
26 | LOCK = threading.Lock()
27 |
28 |
29 | def run(cmd):
>>> 30 | p = subprocess.run(cmd, capture_output=True, text=True)
31 | if p.returncode != 0:
32 | raise RuntimeError(f"command failed: {' '.join(cmd)}\n{p.stderr.strip()}")
33 | stdout = p.stdout
34 | # Strip any UI/text output before the JSON starts
35 | json_start = stdout.find('{')
```
**Required fix:**
1. `run(cmd)` is a generic helper, so the sink is only as safe as its callers: list every call site and identify which elements of `cmd` originate outside the process (webhook payloads, n8n workflow data, tenant-supplied configuration)
2. Keep the list form and never add `shell=True`; the list form stops shell metacharacters but not argument injection, so an externally sourced element that starts with `-` can still become an option of the program being run
3. Validate each externally sourced element before it is appended: reject a leading `-`, NUL bytes and newlines, and allowlist the expected character set where the value has a known shape; where the program supports it, place values after `--` or use the `--flag=value` form
4. The first element of `cmd` (the program) must be a constant or an absolute path chosen by the code, never supplied by a caller's input
5. If every caller passes only constants and validated values, document that in a comment at the definition of `run` and close the finding as a false positive
**Do NOT:**
- "Fix" the warning by switching to `shell=True` with a concatenated string
- Rely on `shlex.quote`; it escapes for a shell string and does nothing for a list-form call
- Close the finding without inspecting every caller of `run`
Repobility · open methodology · https://repobility.com/research/
CRITICAL
⚡ quick-fix
#2
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
guest_automation_service.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: guest_automation_service.py
**Line**: 49
**Severity**: CRITICAL
**Current code around the issue:**
```
44 |
45 | def init_db(path):
46 | os.makedirs(os.path.dirname(path), exist_ok=True)
47 | con = sqlite3.connect(path)
48 | try:
>>> 49 | con.execute(
50 | """
51 | CREATE TABLE IF NOT EXISTS slack_channels (
52 | channel_name TEXT PRIMARY KEY,
53 | channel_id TEXT NOT NULL,
54 | updated_at INTEGER NOT NULL
```
**Required fix:**
1. The flagged `con.execute` call runs a string literal (`CREATE TABLE IF NOT EXISTS slack_channels ...`) with no `%`, `.format()` or f-string interpolation; confirm the literal is the complete argument and that `path` (the only variable in scope) is used only by `sqlite3.connect`, never spliced into SQL
2. If that is confirmed, this is a scanner false positive: add a one-line comment at the call (`# static DDL, no user input`) and suppress the finding for this line with that justification
3. Separately, `path` controls where the database file is created via `os.makedirs`; make sure it comes from configuration, not from a request
**Do NOT:**
- Disable the taint-sql-injection rule repository-wide; keep it active for query helpers that take values
- Rewrite the DDL to use placeholders; SQLite does not accept `?` inside `CREATE TABLE`
CRITICAL
⚡ quick-fix
#3
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
guest_automation_service.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: guest_automation_service.py
**Line**: 68
**Severity**: CRITICAL
**Current code around the issue:**
```
63 | def cache_slack_channel(channel_name, channel_id):
64 | if not channel_name or not channel_id:
65 | return
66 | con = sqlite3.connect(CFG.DB_PATH)
67 | try:
>>> 68 | con.execute(
69 | """
70 | INSERT INTO slack_channels (channel_name, channel_id, updated_at)
71 | VALUES (?, ?, ?)
72 | ON CONFLICT(channel_name) DO UPDATE SET
73 | channel_id=excluded.channel_id,
```
**Required fix:**
1. The flagged statement uses `?` placeholders and `excluded.` references; confirm that the argument after the SQL string is a tuple `(channel_name, channel_id, <timestamp>)` and that neither value is formatted into the SQL text
2. If confirmed, close the finding as a false positive with a comment at the call site; parameter binding is the correct defence and needs no change
3. Make sure the connection opened on line 66 is committed and closed in the `finally:` block that follows the snippet, so a failed insert does not leave the database locked for the other handlers
**Do NOT:**
- Replace the parameterized query with string formatting "for readability"
- Escape `channel_name` by hand; binding already handles it
CRITICAL
⚡ quick-fix
#4
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
guest_automation_service.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: guest_automation_service.py
**Line**: 87
**Severity**: CRITICAL
**Current code around the issue:**
```
82 |
83 | def get_cached_slack_channel_id(channel_name):
84 | con = sqlite3.connect(CFG.DB_PATH)
85 | con.row_factory = sqlite3.Row
86 | try:
>>> 87 | row = con.execute(
88 | "SELECT channel_id FROM slack_channels WHERE channel_name=? LIMIT 1",
89 | (channel_name,),
90 | ).fetchone()
91 | return row["channel_id"] if row else None
92 | finally:
```
**Required fix:**
1. The flagged call passes the query as a string literal with a `?` placeholder and `(channel_name,)` as the params tuple; `channel_name` is bound, not interpolated, so there is no injection path here
2. Close the finding as a false positive with a comment at the call site
3. Keep `LIMIT 1` and the `fetchone()` shape; if `channel_name` is user-visible input, validate it at the Slack boundary for its own sake (length, charset), not because of this query
**Do NOT:**
- Change the query to an f-string
- Suppress the rule globally
CRITICAL
⚡ quick-fix
#5
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; argument injection through values beginning with "-" ruled out
Files to modify:
scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: an argument list that may contain externally sourced values reaches `subprocess.run`
**File**: scripts/guest-platform/full_guest_automation.py
**Line**: 130
**Severity**: CRITICAL
**Current code around the issue:**
```
125 |
126 |
127 | def set_repo_secret(repo: str, key: str, value: str) -> None:
128 | if not value:
129 | return
>>> 130 | subprocess.run(["gh", "secret", "set", key, "--repo", repo, "--body", value], check=True)
131 |
132 |
133 | def create_vercel_project(repo_name: str, team_id: str, vercel_token: str) -> str:
134 | url = f"https://api.vercel.com/v10/projects?teamId={urllib.parse.quote(team_id)}"
135 | payload = {
```
**Required fix:**
1. Identify where `repo`, `key` and `value` come from; if any of them is derived from guest-supplied onboarding data (the scanner's taint path), treat it as untrusted
2. Validate `key` against the GitHub Actions secret-name format (letters, digits and underscore, not starting with a digit) and `repo` against `owner/name`; a `key` that starts with `-` would otherwise be parsed by `gh` as an option
3. Keep the list form of `subprocess.run`. `--body value` is safe against a leading `-` because `gh` consumes the next argument as the flag's value, but the secret then appears on the process command line and is readable in process listings by other local users. Prefer omitting `--body` and passing the secret on standard input (`input=value`), which `gh secret set` reads when `--body` is absent
4. Keep `check=True` so a failed `gh` call aborts the onboarding run instead of silently continuing
**Do NOT:**
- Build the command as a single string or use `shell=True`
- Log the command line; it contains the secret value
- Print `value` in error messages when `CalledProcessError` is caught
CRITICAL
⚡ quick-fix
#6
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; argument injection through values beginning with "-" ruled out
Files to modify:
scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: an argument list that may contain externally sourced values reaches `subprocess.run`
**File**: scripts/guest-platform/full_guest_automation.py
**Line**: 158
**Severity**: CRITICAL
**Current code around the issue:**
```
153 | return res["id"]
154 |
155 |
156 | def trigger_author_linked_deploy(repo_https: str, branch: str, author_name: str, author_email: str) -> None:
157 | with tempfile.TemporaryDirectory(prefix="guest-auto-") as tmpdir:
>>> 158 | subprocess.run(["git", "clone", repo_https, tmpdir], check=True)
159 | subprocess.run(["git", "checkout", branch], cwd=tmpdir, check=True)
160 | subprocess.run(
161 | ["git", "commit", "--allow-empty", "--author", f"{author_name} <{author_email}>", "-m", "Trigger initial deployment"],
162 | cwd=tmpdir,
163 | check=True,
```
**Required fix:**
1. `repo_https`, `branch`, `author_name` and `author_email` are the tainted inputs; validate each before the first `subprocess.run`
2. `repo_https`: parse with `urllib.parse.urlsplit` and require scheme `https` and an expected host; git also accepts transports such as `ext::` that execute local commands, so an unvalidated URL is more than an argument-injection problem. Pass it after `--` (`["git", "clone", "--", repo_https, tmpdir]`) so it can never be read as an option
3. `branch`: reject a leading `-` and restrict to the characters git allows in ref names; a value such as `--orphan` or `-b` would otherwise change what `git checkout` does
4. `author_name` / `author_email`: reject newlines and `<`/`>`, since they are spliced into the `--author "Name <email>"` string; `--author` consumes the next argument, so a leading `-` is not an issue there
5. Keep `check=True` and the temporary directory; do not add `shell=True`
**Do NOT:**
- Pass a user-supplied URL to `git clone` without a scheme and host check
- Trust a branch name because it "came from our own API"; validate at the boundary where it enters this function
CRITICAL
⚡ quick-fix
#7
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; argument injection through values beginning with "-" ruled out
Files to modify:
scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: an argument list that may contain externally sourced values reaches `subprocess.run`
**File**: scripts/guest-platform/full_guest_automation.py
**Line**: 170
**Severity**: CRITICAL
**Current code around the issue:**
```
165 | subprocess.run(["git", "push", "origin", branch], cwd=tmpdir, check=True)
166 |
167 |
168 | def run_register_script(guest_slug: str, app_slug: str, description: str, env: dict) -> str:
169 | script = Path(__file__).parent / "register_guest_app.sh"
>>> 170 | subprocess.run([str(script), guest_slug, app_slug, description], check=True, env=env)
171 | owner = env.get("GITHUB_OWNER", "TommyKammy")
172 | return f"{owner}/{guest_slug}-{app_slug}"
173 |
174 |
175 | def main() -> None:
```
**Required fix:**
1. `guest_slug`, `app_slug` and `description` are passed positionally to `register_guest_app.sh`; validate them on the Python side before the call: slugs against a strict slug pattern (lowercase letters, digits and hyphens, no leading `-`), `description` free of NUL and newline characters and not starting with `-`
2. Open `register_guest_app.sh` and check how `$1`, `$2` and `$3` are used: every expansion must be double-quoted, and none may be passed to `eval`, `sh -c`, or an unquoted `curl`/`gh`/`git` invocation; a list-form `subprocess.run` only protects the boundary between Python and the script, not what the script does with its arguments
3. `env=env` hands the script the whole dictionary it is given; pass only the variables the script needs (for example `GITHUB_OWNER` and the tokens it uses) so a hostile argument cannot be used to read unrelated secrets
4. `guest_slug` and `app_slug` are also used to build the `owner/repo` string on the next line, so the same validation protects the GitHub API calls made with it
**Do NOT:**
- Add `shell=True` or build a single command string
- Validate in the shell script only; the Python caller is the boundary the scanner flags
CRITICAL
⚡ quick-fix
#8
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; argument injection through values beginning with "-" ruled out
Files to modify:
scripts/guest-platform/full_guest_automation_service.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: an argument list built from an HTTP request body reaches `subprocess.run`
**File**: scripts/guest-platform/full_guest_automation_service.py
**Line**: 65
**Severity**: CRITICAL
**Current code around the issue:**
```
60 | cmd += ["--guest-slack-user-id", str(payload.get("guest_slack_user_id"))]
61 | if payload.get("skip_workspace_invite"):
62 | cmd += ["--skip-workspace-invite"]
63 |
64 | try:
>>> 65 | res = subprocess.run(cmd, capture_output=True, text=True, check=True, env=os.environ.copy(), timeout=300)
66 | stdout = res.stdout.strip() or "{}"
67 | self._json(200, json.loads(stdout))
68 | except subprocess.CalledProcessError as e:
69 | self._json(500, {"ok": False, "error": "automation_failed", "detail": (e.stderr or e.stdout or "")[:1000]})
70 | except subprocess.TimeoutExpired:
```
**Required fix:**
1. `cmd` is assembled from fields of an HTTP request body (`payload`), so every appended value is attacker-influenced; validate each field against a strict pattern before it is appended (`guest_slack_user_id` should look like a Slack user ID, slugs like slugs) and answer 400 otherwise
2. Use the `--flag=value` form for each option instead of `--flag`, `value`, so a value beginning with `-` cannot be parsed as a separate option by the child's argument parser
3. Replace `env=os.environ.copy()` with an explicit dictionary of the variables the automation needs; the request handler's full environment, secrets included, should not be inherited by the child
4. Line 69 returns up to 1000 characters of the child's stderr/stdout to the HTTP client; make sure that output cannot include secrets or internal paths, or replace it with a generic message and log the detail server-side
5. Keep `timeout=300`, `check=True` and the list form; add authentication or a shared-secret check on this endpoint if it does not already have one, since anyone who can reach it can start the automation
**Do NOT:**
- Use `shell=True`, or join `cmd` into a string
- Assume the fields are safe because the caller is an internal n8n workflow; the HTTP listener is the trust boundary
CRITICAL
⚡ quick-fix
#9
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: slack_n8n_provisioner.py
**Line**: 92
**Severity**: CRITICAL
**Current code around the issue:**
```
87 |
88 | def init_db(path):
89 | os.makedirs(os.path.dirname(path), exist_ok=True)
90 | conn = sqlite3.connect(path)
91 | try:
>>> 92 | conn.execute(
93 | """
94 | CREATE TABLE IF NOT EXISTS events (
95 | id TEXT PRIMARY KEY,
96 | provider TEXT NOT NULL,
97 | received_at INTEGER NOT NULL,
```
**Required fix:**
1. The flagged `conn.execute` runs a constant `CREATE TABLE IF NOT EXISTS events ...` literal inside `init_db(path)`; confirm no variable is formatted into that string
2. Close as a false positive with a comment at the call site; the scanner is flagging every `execute` in the file regardless of whether the SQL text is constant
3. `path` is used by `os.makedirs` and `sqlite3.connect`; ensure it is taken from configuration (`CFG.DB_PATH`) rather than from inbound data
**Do NOT:**
- Disable the rule for the whole file; `db_exec` on line 154 takes a caller-supplied query and is the call that deserves review
CRITICAL
⚡ quick-fix
#10
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: slack_n8n_provisioner.py
**Line**: 106
**Severity**: CRITICAL
**Current code around the issue:**
```
101 | attempts INTEGER NOT NULL DEFAULT 0,
102 | reason TEXT
103 | )
104 | """
105 | )
>>> 106 | conn.execute(
107 | """
108 | CREATE TABLE IF NOT EXISTS mappings (
109 | provider TEXT NOT NULL,
110 | external_user_id TEXT NOT NULL,
111 | tenant_or_team_id TEXT,
```
**Required fix:**
1. The flagged `conn.execute` runs the constant `CREATE TABLE IF NOT EXISTS mappings ...` literal, the second DDL statement in the same `init_db` sequence; confirm no variable is formatted into that string
2. Close as a false positive with a comment at the call site
3. Do not touch the DDL; `provider`, `external_user_id` and `tenant_or_team_id` are column names here, not values
**Do NOT:**
- Disable the rule for the whole file; `db_exec` on line 154 is the call that takes caller-supplied SQL and needs the audit
CRITICAL
⚡ quick-fix
#11
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: slack_n8n_provisioner.py
**Line**: 121
**Severity**: CRITICAL
**Current code around the issue:**
```
116 | reason TEXT,
117 | PRIMARY KEY(provider, external_user_id)
118 | )
119 | """
120 | )
>>> 121 | conn.execute(
122 | """
123 | CREATE TABLE IF NOT EXISTS full_onboarding_runs (
124 | provider TEXT NOT NULL,
125 | external_user_id TEXT NOT NULL,
126 | requested_at INTEGER NOT NULL,
```
**Required fix:**
1. The flagged `conn.execute` runs the constant `CREATE TABLE IF NOT EXISTS full_onboarding_runs ...` literal, the third DDL statement in `init_db`; confirm no variable is formatted into that string
2. Close as a false positive with a comment at the call site
**Do NOT:**
- Disable the rule for the whole file; `db_exec` on line 154 is the call that takes caller-supplied SQL and needs the audit
CRITICAL
⚡ quick-fix
#12
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: SQL text confirmed to be a constant or a ?-parameterized statement; finding closed as a false positive with a code comment, or rewritten with bound parameters if not
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: a `sqlite3` `execute` call is flagged as a sink; the visible SQL text must be checked for interpolated values
**File**: slack_n8n_provisioner.py
**Line**: 133
**Severity**: CRITICAL
**Current code around the issue:**
```
128 | detail TEXT,
129 | PRIMARY KEY(provider, external_user_id)
130 | )
131 | """
132 | )
>>> 133 | conn.execute(
134 | """
135 | CREATE TABLE IF NOT EXISTS offboarding_runs (
136 | provider TEXT NOT NULL,
137 | external_user_id TEXT NOT NULL,
138 | requested_at INTEGER NOT NULL,
```
**Required fix:**
1. The flagged `conn.execute` runs the constant `CREATE TABLE IF NOT EXISTS offboarding_runs ...` literal, the fourth DDL statement in `init_db`; confirm no variable is formatted into that string
2. Close as a false positive with a comment at the call site
3. Add a single comment above the first `CREATE TABLE` in `init_db` stating that the whole function is static DDL, so the next scan can be triaged in one step
**Do NOT:**
- Disable the rule for the whole file; `db_exec` on line 154 is the call that takes caller-supplied SQL and needs the audit
CRITICAL
⚡ quick-fix
#13
Review SAST finding: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data
security injection sast
Expected outcome: Every caller of db_exec passes a string literal as the query and all values through params; any call that formats values into SQL text is rewritten with ? placeholders
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review a SQL injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data: `db_exec` executes a caller-supplied `query` string, so the sink is safe only if every caller binds values through `params`
**File**: slack_n8n_provisioner.py
**Line**: 154
**Severity**: CRITICAL
**Current code around the issue:**
```
149 |
150 | def db_exec(query, params=(), fetch=False):
151 | conn = sqlite3.connect(CFG.DB_PATH)
152 | conn.row_factory = sqlite3.Row
153 | try:
>>> 154 | cur = conn.execute(query, params)
155 | rows = cur.fetchall() if fetch else None
156 | conn.commit()
157 | return rows
158 | finally:
159 | conn.close()
```
**Required fix:**
1. `db_exec(query, params=(), fetch=False)` is a generic sink: the SQL text is chosen by the caller, so the finding is a false positive only if every caller passes a string literal for `query` and every value via `params`
2. Grep for `db_exec(` and inspect each call: any query built with an f-string, `%`, `.format()` or `+` that includes `provider`, `external_user_id`, `tenant_or_team_id`, `reason`, `detail` or similar event fields must be rewritten with `?` placeholders and the values moved into `params`
3. Harden the helper against future misuse: document that `params` is the only way to pass values, and optionally restrict `query` to a module-level set of named statements so a reviewer can see every SQL text in one place
4. Add a test that calls one of the read paths with a value such as `x' OR '1'='1` and asserts it returns no rows
**Do NOT:**
- Suppress the finding at this line without the call-site audit
- Add manual quoting or escaping; parameter binding is the fix
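The following is an added example, not code from the openclaw-n8n-blueprint project. It shows, on an in-memory SQLite database with constructed rows, why the `?`-parameterized calls flagged in prompts #3, #4 and #13 carry no injection path, what the interpolated shape the taint rule is written for actually does with a hostile value, and one way to implement the "named statements" hardening suggested for `db_exec` in prompt #13. The table mirrors `slack_channels`; the statement registry and its key names are this example's own choices.

```python
"""Parameterized vs. interpolated sqlite3 queries, plus a db_exec that only runs
registered SQL text. Added example; not the project's code."""
import sqlite3
import time
from typing import List

# Constant DDL, the same shape as the init_db() calls the scanner flags.
SCHEMA = """
CREATE TABLE IF NOT EXISTS slack_channels (
    channel_name TEXT PRIMARY KEY,
    channel_id TEXT NOT NULL,
    updated_at INTEGER NOT NULL
)
"""

# Hardening for a generic helper: every SQL text lives here, so no caller can
# hand db_exec a string it assembled from event data.
STATEMENTS = {
    "channel_by_name": "SELECT channel_id FROM slack_channels WHERE channel_name=?",
    "all_channels": "SELECT channel_name, channel_id FROM slack_channels",
}


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute(SCHEMA)  # string literal; no variable can reach it
    return con


def cache_slack_channel(con: sqlite3.Connection, channel_name: str, channel_id: str) -> None:
    """Same upsert as the project; the values travel in the params tuple."""
    con.execute(
        """
        INSERT INTO slack_channels (channel_name, channel_id, updated_at)
        VALUES (?, ?, ?)
        ON CONFLICT(channel_name) DO UPDATE SET
            channel_id=excluded.channel_id,
            updated_at=excluded.updated_at
        """,
        (channel_name, channel_id, int(time.time())),
    )
    con.commit()


def lookup_parameterized(con: sqlite3.Connection, channel_name: str) -> List[str]:
    rows = con.execute(
        "SELECT channel_id FROM slack_channels WHERE channel_name=?", (channel_name,)
    ).fetchall()
    return [r["channel_id"] for r in rows]


def lookup_interpolated(con: sqlite3.Connection, channel_name: str) -> List[str]:
    """The vulnerable shape the rule exists to catch; kept only for contrast."""
    rows = con.execute(
        f"SELECT channel_id FROM slack_channels WHERE channel_name='{channel_name}'"
    ).fetchall()
    return [r["channel_id"] for r in rows]


def is_registered(statement: str) -> bool:
    return statement in STATEMENTS


def db_exec(con: sqlite3.Connection, statement: str, params=(), fetch: bool = False):
    """Shape of slack_n8n_provisioner.py's db_exec, but the first argument is a
    statement *name*; unknown names raise KeyError before anything runs."""
    cur = con.execute(STATEMENTS[statement], params)
    rows = cur.fetchall() if fetch else None
    con.commit()
    return rows


def demo() -> dict:
    """Exercise both lookups with a constructed attacker value."""
    con = open_db()
    cache_slack_channel(con, "general", "C001")
    cache_slack_channel(con, "ops-private", "C002")
    tainted = "x' OR '1'='1"  # constructed input, not a real channel name
    out = {
        "parameterized": lookup_parameterized(con, tainted),
        "interpolated": lookup_interpolated(con, tainted),
        "exact": lookup_parameterized(con, "general"),
        "via_db_exec": [r["channel_id"] for r in db_exec(con, "channel_by_name", (tainted,), fetch=True)],
    }
    cache_slack_channel(con, "general", "C009")  # upsert path
    out["after_update"] = lookup_parameterized(con, "general")
    return out


if __name__ == "__main__":
    print(demo())
```

The bound query treats the whole hostile string as one channel name and finds nothing; the interpolated query's `WHERE` clause becomes `channel_name='x' OR '1'='1'` and returns every row. The registry makes `db_exec` reviewable by grep: if a value needs to reach SQL, it has to go through `params`, because there is no other argument that accepts text.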
CRITICAL
⚡ quick-fix
#14
Fix SAST finding: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data
security injection sast
Expected outcome: Every externally sourced element of the argument list is validated before subprocess.run; list form kept, no shell=True; the keyring password stays out of argv and out of error messages
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Fix an OS command injection finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data: the `gog` argument list, built from inbound event data above this snippet, reaches `subprocess.run`
**File**: slack_n8n_provisioner.py
**Line**: 283
**Severity**: CRITICAL
**Current code around the issue:**
```
278 | "--plain",
279 | ]
280 | env = os.environ.copy()
281 | if CFG.GOG_KEYRING_PASSWORD:
282 | env["GOG_KEYRING_PASSWORD"] = CFG.GOG_KEYRING_PASSWORD
>>> 283 | res = subprocess.run(cmd, env=env, capture_output=True, text=True, timeout=CFG.GOG_SEND_TIMEOUT)
284 | stderr = (res.stderr or "").strip()
285 | stdout = (res.stdout or "").strip()
286 | # `gog` sometimes prints errors but still exits 0.
287 | if res.returncode != 0 or "not installed" in (stderr + " " + stdout).lower():
288 | msg = (stderr or stdout or "unknown")[:300]
```
**Required fix:**
1. The argument list for `gog` is built above this snippet; identify which elements are derived from inbound events (recipient address, subject, body) and validate each one before it is appended, rejecting NUL bytes, newlines and a leading `-`; use the `--flag=value` form where `gog` accepts it
2. Passing `GOG_KEYRING_PASSWORD` through `env` rather than on the command line is correct; keep it that way, and build `env` from the minimum set of variables rather than a full `os.environ.copy()`
3. The `msg` built from `stderr`/`stdout` on line 288 is surfaced to callers; confirm it cannot echo the keyring password or the full command line
4. Keep `timeout=CFG.GOG_SEND_TIMEOUT`, the list form and `capture_output=True`; the `returncode != 0` check plus the "not installed" string match stays as the failure signal
**Do NOT:**
- Add `shell=True`
- Put `GOG_KEYRING_PASSWORD` on the command line; it would be visible in process listings
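The following is an added example, not code from the openclaw-n8n-blueprint project, written to cover the list-form `subprocess.run` sinks in prompts #1, #5, #6, #7, #8 and #14 at once. It builds the argument lists those prompts describe (`gh secret set`, `git clone`/`checkout`, the register script, an automation flag) from validated inputs and refuses a shell string outright. The regular expressions, the git host allowlist, the Slack user-ID shape and the helper names are this example's own assumptions; only the GitHub secret-name rule (letters, digits, underscore, not starting with a digit) is documented GitHub behaviour.

```python
"""Guards for list-form subprocess calls: option-lookalike values, control
characters, git transports and a shell-string cmd. Added example, not the
project's code; patterns and hosts are assumptions."""
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed shapes (see lead-in). fullmatch() is used, so no anchors are needed.
SECRET_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
REPO_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")
SLACK_USER_ID_RE = re.compile(r"[UW][A-Z0-9]{2,20}")
DESCRIPTION_RE = re.compile(r"[^\x00-\x1f]{1,200}")  # printable text only
GIT_HOSTS = ("github.com",)


class UnsafeArgument(ValueError):
    """Raised when a value must not be placed on a command line."""


def check_value(value: str, pattern: "re.Pattern[str]", what: str, allow_dash: bool = False) -> str:
    """Reject control characters, option-lookalikes and anything outside the
    expected shape. allow_dash=True is only for the --flag=value form, where a
    leading '-' cannot start a new option."""
    if not isinstance(value, str) or "\x00" in value or "\n" in value:
        raise UnsafeArgument(f"{what}: control characters")
    if value.startswith("-") and not allow_dash:
        raise UnsafeArgument(f"{what}: would be parsed as an option: {value!r}")
    if not pattern.fullmatch(value):
        raise UnsafeArgument(f"{what}: does not match {pattern.pattern}")
    return value


def check_git_https_url(url: str, allowed_hosts=GIT_HOSTS) -> str:
    """git accepts transports such as ext:: that run local commands, so only
    plain https to an allowlisted host is accepted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts or parts.username:
        raise UnsafeArgument(f"refusing git URL {url!r}")
    return url


def gh_secret_set_cmd(repo: str, key: str) -> List[str]:
    """The secret value is deliberately absent from argv (argv is visible in
    process listings); feed it on stdin via run_checked(stdin_text=...), which
    gh reads when --body is omitted."""
    return ["gh", "secret", "set", check_value(key, SECRET_NAME_RE, "secret name"),
            "--repo", check_value(repo, REPO_RE, "repo")]


def git_clone_cmd(repo_https: str, dest: str) -> List[str]:
    # '--' ends option parsing: neither the URL nor the path can become a flag.
    return ["git", "clone", "--", check_git_https_url(repo_https), dest]


def git_checkout_cmd(branch: str) -> List[str]:
    return ["git", "checkout", check_value(branch, BRANCH_RE, "branch")]


def register_script_cmd(script_path: str, guest_slug: str, app_slug: str, description: str) -> List[str]:
    return [script_path, check_value(guest_slug, SLUG_RE, "guest slug"),
            check_value(app_slug, SLUG_RE, "app slug"),
            check_value(description, DESCRIPTION_RE, "description")]


def automation_flag(name: str, value: str, pattern: "re.Pattern[str]") -> str:
    """--flag=value form for the payload-driven command in prompt #8."""
    return f"--{name}={check_value(value, pattern, name, allow_dash=True)}"


def run_checked(cmd: List[str], *, stdin_text: Optional[str] = None,
                env: Optional[dict] = None, timeout: int = 300) -> subprocess.CompletedProcess:
    """List form only; a str cmd (a shell string) is refused before anything runs."""
    if not isinstance(cmd, list) or not all(isinstance(a, str) for a in cmd):
        raise UnsafeArgument("cmd must be a list of str, never a shell string")
    return subprocess.run(cmd, input=stdin_text, capture_output=True, text=True,
                          check=True, env=env, timeout=timeout)


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises UnsafeArgument; used by the self-checks."""
    try:
        fn(*args)
    except UnsafeArgument:
        return True
    return False
```

Usage in the onboarding flow would be `run_checked(gh_secret_set_cmd(repo, key), stdin_text=value, env=minimal_env)`; the `env` passed in should be a dictionary built from the handful of variables the child needs, not `os.environ.copy()`.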
HIGH
⚡ quick-fix
#15
Fix SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Fix an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: `urllib.request.urlopen` is called with a URL assembled from configuration rather than a literal
**File**: slack_n8n_provisioner.py
**Line**: 231
**Severity**: HIGH
**Current code around the issue:**
```
226 | url = CFG.N8N_BASE_URL.rstrip("/") + CFG.N8N_USER_CREATE_PATH
227 | req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="POST")
228 | req.add_header("Content-Type", "application/json")
229 | req.add_header("X-N8N-API-KEY", CFG.N8N_API_KEY)
230 | try:
>>> 231 | with urllib.request.urlopen(req, timeout=15) as resp:
232 | out = json.loads(resp.read().decode("utf-8"))
233 | if isinstance(out, list) and out:
234 | user = out[0].get("user", {})
235 | return {
236 | "id": user.get("id") or "created",
```
**Required fix:**
1. The request target is `CFG.N8N_BASE_URL + CFG.N8N_USER_CREATE_PATH`, both from configuration, not from the inbound event; the finding is about the *variable* URL, so make the trust in that configuration explicit: validate `N8N_BASE_URL` once at startup (scheme `https`, or `http` only for an explicitly allowed local host; a fixed expected hostname; no userinfo) and require `N8N_USER_CREATE_PATH` to start with a single `/` and contain no `?` or `#`
2. `payload` values come from the event; they belong in the JSON body, which is where they are, but make sure none of them is ever concatenated into `url`
3. `urllib.request.urlopen` follows redirects by default and re-sends the request headers, including `X-N8N-API-KEY`, to the redirect target; open the request through an opener whose `HTTPRedirectHandler` refuses redirects, or check `resp.geturl()` against the expected host before trusting the response
4. Keep `timeout=15`; treat a non-JSON or non-list response as an error rather than indexing `out[0]`
**Do NOT:**
- Accept an n8n base URL from an inbound webhook or Slack message
- Fall back to plain `http` silently when `https` fails
HIGH
⚡ quick-fix
#16
Review SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: `urllib.request.urlopen` is called on a `Request` whose URL is built above the snippet
**File**: slack_n8n_provisioner.py
**Line**: 305
**Severity**: HIGH
**Current code around the issue:**
```
300 | data=urllib.parse.urlencode({"users": slack_user_id}).encode(),
301 | method="POST",
302 | )
303 | open_req.add_header("Authorization", f"Bearer {CFG.SLACK_BOT_TOKEN}")
304 | open_req.add_header("Content-Type", "application/x-www-form-urlencoded")
>>> 305 | with urllib.request.urlopen(open_req, timeout=10) as r:
306 | out = json.loads(r.read().decode("utf-8"))
307 | if not out.get("ok"):
308 | return {"ok": False, "error": out.get("error") or "conversations_open_failed", "needed": out.get("needed"), "provided": out.get("provided")}
309 | channel_id = (out.get("channel") or {}).get("id")
310 | if not channel_id:
```
**Required fix:**
1. The URL for `open_req` is built above this snippet; confirm it is a string literal on `https://slack.com/api/` and that `slack_user_id` goes only into the form body (as shown) and never into the URL
2. If the host is constant, record that at the call site and close the finding; the scanner flags every `urlopen` whose URL argument is not a literal at the call
3. Because the request carries `Authorization: Bearer <SLACK_BOT_TOKEN>`, prevent the token from following a redirect to another host: use an opener whose `HTTPRedirectHandler` refuses redirects, or verify `r.geturl()` still points at `slack.com`
4. Keep the `out.get("ok")` check and the structured error return
**Do NOT:**
- Build the Slack API URL from any field of the inbound event
HIGH
⚡ quick-fix
#17
Review SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets; the response is checked instead of discarded
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: `urllib.request.urlopen` is called on a `Request` whose URL is built above the snippet, and its response is discarded
**File**: slack_n8n_provisioner.py
**Line**: 319
**Severity**: HIGH
**Current code around the issue:**
```
314 | data=json.dumps({"channel": channel_id, "text": text}).encode("utf-8"),
315 | method="POST",
316 | )
317 | msg_req.add_header("Authorization", f"Bearer {CFG.SLACK_BOT_TOKEN}")
318 | msg_req.add_header("Content-Type", "application/json")
>>> 319 | urllib.request.urlopen(msg_req, timeout=10)
320 | return {"ok": True}
321 |
322 |
323 | def post_slack_message(channel, text):
324 | if not CFG.SLACK_BOT_TOKEN or not channel:
```
**Required fix:**
1. Confirm the URL for `msg_req` (built above the snippet) is a constant Slack `chat.postMessage` endpoint; `channel_id` and `text` are in the JSON body, which is the correct place
2. Line 319 discards the response: wrap it in `with ... as r:` and check `ok` in the returned JSON, otherwise a failed send (rate limit, revoked token, `channel_not_found`) is reported to the caller as `{"ok": True}`
3. As for every Bearer-authenticated `urlopen` in this file, refuse cross-host redirects so the token is not re-sent elsewhere
**Do NOT:**
- Interpolate `channel_id` or `text` into the URL
- Return `{"ok": True}` without reading the response
HIGH
⚡ quick-fix
#18
Fix SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets
Files to modify:
scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Fix an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: this helper opens whatever `url` its callers pass, so the URL is not a literal at the sink
**File**: scripts/guest-platform/full_guest_automation.py
**Line**: 26
**Severity**: HIGH
**Current code around the issue:**
```
21 | req = urllib.request.Request(url, data=data, method="POST")
22 | req.add_header("Content-Type", "application/json; charset=utf-8")
23 | if headers:
24 | for k, v in headers.items():
25 | req.add_header(k, v)
>>> 26 | with urllib.request.urlopen(req, timeout=30) as resp:
27 | return json.loads(resp.read().decode("utf-8"))
28 |
29 |
30 | def slack_api(method: str, payload: dict, token: str) -> dict:
31 | url = f"https://slack.com/api/{method}"
```
**Required fix:**
1. This helper takes `url` from its callers, so the security property lives at the call sites. Audit them: `slack_api` on line 31 builds `f"https://slack.com/api/{method}"`, so `method` must be validated (for example against `^[A-Za-z]+\.[A-Za-z]+$`, the shape of `chat.postMessage`) or URL-quoted with `safe=""` so it cannot introduce `/`, `?` or `#`
2. Add an allowlist check inside the helper as defence in depth: parse `url` with `urllib.parse.urlsplit` and require scheme `https` and a hostname in the set of APIs this script talks to (Slack, Vercel, GitHub, the n8n instance)
3. Refuse redirects, or verify `resp.geturl()` stays on the same host, because `headers` routinely carries `Authorization`
4. Keep `timeout=30`
**Do NOT:**
- Let a caller pass a URL assembled from guest-supplied data without going through the allowlist
HIGH
⚡ quick-fix
#19
Review SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets
Files to modify:
scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Review an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: `urllib.request.urlopen` is called with a URL that embeds `repo_name` and `team_id`
**File**: scripts/guest-platform/full_guest_automation.py
**Line**: 149
**Severity**: HIGH
**Current code around the issue:**
```
144 | except urllib.error.HTTPError as e:
145 | body = e.read().decode("utf-8", errors="ignore")
146 | if e.code == 409:
147 | query = f"https://api.vercel.com/v9/projects/{urllib.parse.quote(repo_name)}?teamId={urllib.parse.quote(team_id)}"
148 | req = urllib.request.Request(query, headers={"Authorization": f"Bearer {vercel_token}"})
>>> 149 | with urllib.request.urlopen(req, timeout=30) as resp:
150 | existing = json.loads(resp.read().decode("utf-8"))
151 | return existing["id"]
152 | raise RuntimeError(f"failed to create vercel project: {e.code} {body[:400]}")
153 | return res["id"]
154 |
```
**Required fix:**
1. The host is the constant `api.vercel.com` and both `repo_name` and `team_id` pass through `urllib.parse.quote`, so this is at most a low-risk finding; note that `quote()` leaves `/` unescaped by default, so use `quote(repo_name, safe="")` to stop a `repo_name` containing `/` from changing the path
2. The retry request carries `Authorization: Bearer {vercel_token}`; refuse cross-host redirects or check `resp.geturl()` before trusting `existing["id"]`
3. Close the finding with a comment explaining that the host is fixed and path segments are quoted
**Do NOT:**
- Build the project URL by concatenating unquoted values
HIGH
⚡ quick-fix
#20
Review SAST finding: [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL
security ssrf sast
Expected outcome: Outbound request goes to a fixed or allowlisted https host, variable path parts are URL-quoted, and credentials are not re-sent to redirect targets
Files to modify:
slack_n8n_provisioner.py
Prompt (copy this into your AI assistant)
Review an SSRF finding in repository 'TommyKammy__openclaw-n8n-blueprint'.
**Issue**: Taint-analysis finding [sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL: `urllib.request.urlopen` is called on a `Request` whose URL is built above the snippet
**File**: slack_n8n_provisioner.py
**Line**: 333
**Severity**: HIGH
**Current code around the issue:**
```
328 |         data=json.dumps({"channel": channel, "text": text}).encode("utf-8"),
329 |         method="POST",
330 |     )
331 |     req.add_header("Authorization", f"Bearer {CFG.SLACK_BOT_TOKEN}")
332 |     req.add_header("Content-Type", "application/json")
>>> 333 |     with urllib.request.urlopen(req, timeout=10) as r:
334 |         out = json.loads(r.read().decode("utf-8"))
335 |         return out
336 |
337 |
338 | def find_slack_channel_id(channel_name):
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚒ significant
#21
Address OWASP A02 compliance gap
security compliance owasp
Expected outcome: OWASP A02 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A02 (Cryptographic Failures) compliance gap in 'TommyKammy__openclaw-n8n-blueprint'.
**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).
**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments
HIGH
⚒ significant
#22
Address OWASP A06 compliance gap
security compliance owasp
Expected outcome: OWASP A06 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A06 (Vulnerable Components) compliance gap in 'TommyKammy__openclaw-n8n-blueprint'.
**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.
**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments
HIGH
⚙ moderate
#23
Fix quality gate failures (4 conditions)
quality-gate quality
Expected outcome: All quality gate conditions pass
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Repository 'TommyKammy__openclaw-n8n-blueprint' is failing the quality gate. Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)
- critical_vulnerabilities: actual 2.0 <= 0 (FAILED)
- critical_credentials: actual 14.0 <= 0 (FAILED)
Fix each failing condition to make the repo pass the quality gate.
HIGH
⚒ significant
#24
Resolve 10 open issues
issues bugs
Expected outcome: All listed issues resolved
Files to modify:
scripts/guest-platform/full_guest_automation.py, slack_n8n_provisioner.py, guest_automation_service.py, scripts/guest-platform/full_guest_automation.py, scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Repository 'TommyKammy__openclaw-n8n-blueprint' has 10 open issues:
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/guest-platform/full_guest_automation.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data (slack_n8n_provisioner.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data (guest_automation_service.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/guest-platform/full_guest_automation.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/guest-platform/full_guest_automation.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (scripts/guest-platform/full_guest_automation_service.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data (docker/sync/openclaw_n8n_sync_worker.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data (guest_automation_service.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data (guest_automation_service.py)
- [CRITICAL] Hard-coded sast: [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data (slack_n8n_provisioner.py)
Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.
HIGH
⚙ moderate
#25
Fix 39 SAST/security code findings
sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify:
scripts/guest-platform/full_guest_automation_service.py, slack_n8n_provisioner.py, docker/sync/openclaw_n8n_sync_worker.py, guest_automation_service.py, scripts/guest-platform/full_guest_automation.py
Prompt (copy this into your AI assistant)
Static analysis found 39 security issues in 'TommyKammy__openclaw-n8n-blueprint':
- [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/guest-platform/full_guest_automation.py:170
- [CRITICAL] [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data at slack_n8n_provisioner.py:92
- [CRITICAL] [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data at guest_automation_service.py:87
- [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/guest-platform/full_guest_automation.py:158
- [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at docker/sync/openclaw_n8n_sync_worker.py:30
- [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/guest-platform/full_guest_automation_service.py:65
- [CRITICAL] [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data at guest_automation_service.py:49
- [CRITICAL] [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data at guest_automation_service.py:68
- [CRITICAL] [sast:aljefra/taint-command-injection] OS Command Injection via Tainted Data at scripts/guest-platform/full_guest_automation.py:130
- [CRITICAL] [sast:aljefra/taint-sql-injection] SQL Injection via Tainted Data at slack_n8n_provisioner.py:106
For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule