Security: Tradingagents Improved

316

Vulnerabilities

Credential Leaks

FAIL

Quality Gate

OWASP Grade

225.8h

Tech Debt (E)

High

DORA Rating

⚡

AI Fix Prompts

Auto-generated prompts to fix every issue — copy into Claude, GPT, or any AI coder

View AI Prompts

About: code-quality intelligence by Repobility · https://repobility.com

Quality Gate: Default Gate

Source: Repobility analyzer (https://repobility.com)
	Metric	Condition
✗	overall_score	0.0 >= 50
✗	security_score	0.0 >= 40
✗	critical_vulnerabilities	29.0 <= 0
✓	critical_credentials	0.0 <= 0
✗	duplication_pct	32.4 <= 20

DORA Metrics

Repobility · code-quality intelligence · https://repobility.com
Deploy Frequency	unknown (0.0/week)
Lead Time	2.6 hours
MTTR	0.0 hours
Change Failure Rate	0.0%
Total Commits	53
Overall Rating	HIGH

Vulnerabilities (316)

Data scored by Repobility · https://repobility.com
Severity	ID	Package	Version	Summary
critical	`GHSA-cgcg-p68q-3w7v`	langchain-experimental	-	langchain-experimental vulnerable to Arbitrary Code Execution
critical	`GHSA-x32c-59v5-h7fg`	langchain	-	Langchain OS Command Injection vulnerability
critical	`GHSA-p2qj-r53j-h3xj`	langchain-experimental	-	LangChain Experimental Eval Injection vulnerability
critical	`GHSA-3pqx-4fqf-j49f`	pyyaml	-	Deserialization of Untrusted Data in PyYAML
critical	`GHSA-6757-jp84-gxfx`	pyyaml	-	Improper Input Validation in PyYAML
critical	`GHSA-8q59-q68h-6hv4`	pyyaml	-	Improper Input Validation in PyYAML
critical	`GHSA-rprw-h62v-c2w7`	pyyaml	-	PyYAML insecurely deserializes YAML strings leading to arbitrary code execution
critical	`GHSA-v8vj-cv27-hjv8`	langchain-experimental	-	LangChain Experimental vulnerable to arbitrary code execution
critical	`GHSA-887w-45rq-vxgf`	sqlalchemy	-	SQLAlchemy vulnerable to SQL Injection via order_by parameter
critical	`GHSA-fj32-q626-pjjc`	langchain	-	LangChain vulnerable to arbitrary code execution
critical	`GHSA-57fc-8q82-gfp3`	langchain	-	langchain vulnerable to arbitrary code execution
critical	`GHSA-fff8-4w9p-7v76`	pygments	-	Command Injection in Pygments
critical	`GHSA-www2-v7xj-xrc6`	urllib3	-	Exposure of Sensitive Information to an Unauthorized Actor in urllib3
critical	`GHSA-vqfr-h8mv-ghfj`	h11	-	h11 accepts some malformed Chunked-Encoding bodies
critical	`GHSA-6643-h7h5-x9wh`	langchain	-	Langchain vulnerable to arbitrary code execution
critical	`GHSA-2qmj-7962-cjq8`	langchain	-	langchain arbitrary code execution vulnerability
critical	`GHSA-9fq2-x9r6-wfmf`	numpy	-	Numpy Deserialization of Untrusted Data
critical	`GHSA-h8pj-cxx2-jfg2`	httpx	-	Improper Input Validation in httpx
critical	`GHSA-fprp-p869-w6q2`	langchain	-	LangChain vulnerable to code injection
critical	`GHSA-38fc-9xqv-7f7q`	sqlalchemy	-	SQLAlchemy is vulnerable to SQL Injection via group_by parameter
critical	`GHSA-8h5w-f6q9-wg35`	langchain	-	Langchain SQL Injection vulnerability
critical	`GHSA-gwqq-6vq7-5j86`	langchain	-	langchain Code Injection vulnerability
critical	`GHSA-gjjr-63x4-v8cq`	langchain-experimental	-	langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method
critical	`GHSA-hfg2-wf6j-x53p`	sqlalchemy	-	SQLAlchemy vulnerable to SQL injection
critical	`GHSA-92j5-3459-qgp4`	langchain	-	LangChain vulnerable to arbitrary code execution
critical	`GHSA-c67j-w6g6-q2cm`	langchain-core	-	LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
critical	`GHSA-f73w-4m7g-ch9x`	langchain	-	Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
critical	`GHSA-prgp-w7vf-ch62`	langchain	-	LangChain vulnerable to arbitrary code execution
critical	`GHSA-7gfq-f96f-g85j`	langchain	-	langchain vulnerable to arbitrary code execution
high	`GHSA-jrwr-5x3p-hvc3`	markdown-it-py	-	markdown-it-py Denial of Service vulnerability in the command line interface
high	`GHSA-vrjv-mxr7-vjf8`	markdown-it-py	-	markdown-it-py Denial of Service vulnerability
high	`GHSA-5rv5-6h4r-h22v`	opentelemetry-instrumentation	-	opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics
high	`GHSA-7gcm-g887-7qv7`	protobuf	-	protobuf affected by a JSON recursion depth bypass
high	`GHSA-8gq9-2x98-w8hf`	protobuf	-	protobuf-cpp and protobuf-python have potential Denial of Service issue
high	`GHSA-8qvm-5x2c-j2w7`	protobuf	-	protobuf-python has a potential Denial of Service issue
high	`GHSA-jwvw-v7c5-m82h`	protobuf	-	protobuf susceptible to buffer overflow
high	`GHSA-3qhf-m339-9g5v`	mcp	-	MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
high	`GHSA-9h52-p55h-vw2f`	mcp	-	Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
high	`GHSA-63vm-454h-vhhq`	pyasn1	-	pyasn1 has a DoS vulnerability in decoder
high	`GHSA-jr27-m4p2-rc6r`	pyasn1	-	Denial of Service in pyasn1 via Unbounded Recursion
high	`GHSA-j975-95f5-7wqh`	mcp	-	MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
high	`GHSA-2fc2-6r4j-p65h`	numpy	-	Numpy arbitrary file write via symlink attack
high	`GHSA-5545-2q6w-2gh6`	numpy	-	NumPy NULL Pointer Dereference
high	`GHSA-27x4-j476-jp5f`	setuptools	-	Setuptools vulnerable to Man-in-the-middle attacks
high	`GHSA-9w8r-397f-prfh`	pygments	-	Infinite Loop in Pygments
high	`GHSA-496j-2rq6-j6cc`	grpcio	-	Excessive Iteration in gRPC
high	`GHSA-pq64-v7f5-gqh8`	pygments	-	Pygments vulnerable to Regular Expression Denial of Service (ReDoS)
high	`GHSA-cw6w-4rcx-xphc`	numpy	-	Arbitrary file write in NumPy
high	`GHSA-33c7-2mpw-hg34`	uvicorn	-	Log injection in uvicorn
high	`GHSA-752w-5fwx-jx9f`	pyjwt	-	PyJWT accepts unknown `crit` header extensions

Credential Findings (13)

Source-of-truth: Repobility · https://repobility.com
Severity	Pattern	File	Line
high	[sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL	`tradingagents/dataflows/alpha_vantage_common.py`	68
high	[sast:aljefra/info-debug-prod] Debug Mode Enabled in Production Config	`cli/main.py`	926
high	[sast:aljefra/info-debug-prod] Debug Mode Enabled in Production Config	`crypto_main.py`	30
high	[sast:aljefra/info-debug-prod] Debug Mode Enabled in Production Config	`main.py`	24
high	[sast:aljefra/info-debug-prod] Debug Mode Enabled in Production Config	`scripts/dashboard.py`	872
high	[sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data	`scripts/fetch_all_data.py`	102
high	[sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data	`scripts/fetch_all_data.py`	103
high	[sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL	`scripts/polymarket/latency_measure.py`	26
high	[sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL	`scripts/polymarket/latency_measure_v2.py`	43
high	[sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL	`scripts/polymarket/penny_scanner.py`	35
high	[sast:aljefra/ssrf-requests] SSRF via HTTP Client with Variable URL	`cli/announcements.py`	16
medium	Ethereum Address	`scripts/polymarket/latency_scalper.py`	33
medium	Ethereum Address	`scripts/polymarket/negrisk_arb.py`	26

Export

SARIF SBOM (CycloneDX) SBOM (SPDX) Vulns CSV Generate AI Fix Prompts (5)