Close Open Privacy Scan
App Privacy Score
High risk · 302 finding(s)
Dependency score: 97 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Confirmed data exfiltration in application code
External domains:
169.254.169.254169.254.170.2192.168.0.10::ffff:192.168.0.1a.coabc.comabc123.atlassian.netaka.msalice.contoso.comaomedia.orgapiapi-inference.huggingface.coapi.cloudflare.comapi.github.comapi.gradio.appapi.mswjs.ioapi.sql.cloudflarestorage.comassets.babylonjs.comaws.amazon.combabel.devbabeljs.iobec81a83-5b5c-471e.gradio.livebrotlipy.readthedocs.iocas.cocas.localcatalog-staging.cloudflarestorage.comcatalog.cloudflarestorage.comcdn-avatars.huggingface.cocdn-media.huggingface.cocdn-thumbnails.huggingface.cocdn.babylonjs.comcdn.bokeh.orgcdn.jsdelivr.netcdn.pixabay.comcdn.pydata.orgcdnjs.cloudflare.comchallenges.cloudflare.comcloud.google.comcommonmark.orgcompat.spec.whatwg.orgcontacts.contoso.comcustom.github.comdash.cloudflare.comdashboard.contoso.comdatasets-server.huggingface.codatatracker.ietf.orgdeveloper.mozilla.orgdevelopers.cloudflare.comdevtools.devprod.cloudflare.devdocker.iodocs.aws.amazon.comdocs.docker.comdocs.iodocs.python.orgdogs.are.greatdrafts.csswg.orgdummydummy.comen.wikipedia.orgeslint.orgeslint.styleevilmartians.comexample-image-search.orgfd00:ec2::254fetch.coffmpeg.orgfonts.googleapis.comfoo.comfoor.barframework-info.netlify.appgit-lfs.github.comgit.iogithub.comgoogle.comgradio-builds.s3.amazonaws.comgradio-docs-json.s3.us-west-2.amazonaws.comgradio-lite-previews.s3.amazonaws.comgradio-space-api-fetcher-v2.hf.spacegradio-static-files.s3.us-west-2.amazonaws.comgradio.appgradio.livegradio.s3-us-west-2.amazonaws.comhandlebarsjs.comhf.cohf.spacehosthttpbin.orghub-ci.huggingface.cohub.localhuggingface.coiconscout.comiframe-resizer.comimage_url.jpgimg.shields.iojestjs.iojigsaw.w3.orgjson-schema.orgkatex.orgkit.svelte.devkroki.iolezer.codemirror.netmermaid-js.github.iomermaid.js.orgmermaidjs.github.iomsdn.microsoft.commswjs.commswjs.iomy-malicious-site.examplemy.sitemydomain.commüller.denodejs.orgnot-the-base-url.comnotify.bugsnag.comnotify.insighthub.smartbear.comnpmjs.comoidcoidc-fipsoncall.contoso.comopencode.aiother.comowasp.orgowner-repo.hf.spaceowner-some-repo-name.hf.spacepillow.readthedocs.ioplaceholderplatform.dash.cloudflare.complayground-worker.pages.devplaywright.devportal.ssoportal.sso-fipsprettier.iopypi.orgraw.githubusercontent.comreact-native.canny.ioregistry.cloudflare.comregistry.npmjs.orgrepo.contoso.comrollupjs.orgrouter.huggingface.cos3s3-fipss3-fips.dualstacks3-fips.dualstack.us-east-1s3-fips.us-east-1s3-object-lambdas3-object-lambda-fipss3.amazonaws.coms3.dualstacks3.dualstack.us-east-1s3express-controls3express-control-fipssentry10.cfdata.orgsessions.bugsnag.comsessions.insighthub.smartbear.comsnippet.babylonjs.comstackoverflow.comstatic.cloudflareinsights.comstatus.gradio.appstssts-fipssts.amazonaws.comsvelte.devsveltejs.github.iosvgwg.orgswagger.contoso.comtailwindcss.comtest.mswjs.iotests.contoso.comthis-base-url-works.comtools.ietf.orgtransformer.huggingface.cotry.cloudflare.comtseslint.comtwitter.comtypescript-eslint.iounpkg.comupdate.argotunnel.comv4.svelte.devvega.github.iovolta.shw3c.github.iowebplatform.github.iowelcome.developers.workers.devwiki.contoso.comworkers.cloudflare.comwww.cloudflare.comwww.contoso.comwww.domain.comwww.ffmpeg.orgwww.geeksforgeeks.orgwww.github.comwww.gradio.appwww.huggingface.cowww.mozilla.orgwww.npmjs.comwww.rfc-editor.orgwww.typescriptlang.orgwww.w3.orgwww.w3ctech.comxxn--fiqs8s.icom.museumyargs.js.orgyarnpkg.com中国.icom.museum
repo/gradio/blocks.py:2837 → repo/gradio/blocks.py:3066</> First-Party Code
first-party (npm): gradio
python first-party resp = httpx.get(
f"{self.local_api_url}startup-events",
verify=ssl_verify,
timeout=None,
)
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
reloader.track(demo)
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
self.track(upload_id)
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
self.track(upload_id)
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
upload_progress.track(upload_id)
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 197 low-confidence finding(s)
return os.getenv("GRADIO_ANALYTICS_ENABLED", "True") == "True"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["HF_HUB_DISABLE_TELEMETRY"] = "True"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.dev_mode = bool(os.getenv("GRADIO_WATCH_DIRS", ""))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.vibe_mode = bool(os.getenv("GRADIO_VIBE_MODE", ""))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.root_path = os.environ.get("GRADIO_ROOT_PATH", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(css_path, encoding="utf-8") as css_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(head_path, encoding="utf-8") as head_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else os.getenv("GRADIO_SSR_MODE", "False").lower() == "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.root_path = os.environ.get("GRADIO_ROOT_PATH", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
allowed_paths_env = os.environ.get("GRADIO_ALLOWED_PATHS", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
blocked_paths_env = os.environ.get("GRADIO_BLOCKED_PATHS", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_val = os.environ.get("GRADIO_NUM_WORKERS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.node_path = os.environ.get("GRADIO_NODE_PATH", get_node_path())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
is_dev_mode = os.getenv("GRADIO_LOCAL_DEV_MODE") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.getenv("GRADIO_SERVER_PORT", str(INITIAL_PORT_VALUE))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
python_host = server_name or os.getenv(
"GRADIO_SERVER_NAME", "127.0.0.1"
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
share_env = os.getenv("GRADIO_SHARE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or int(os.getenv("GRADIO_DEBUG", "0")) == 1
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
flagging_mode = os.getenv("GRADIO_CHAT_FLAGGING_MODE", "never") # type: ignore
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["GRADIO_VIBE_MODE"] = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(demo_path, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Path(local_js_dir / name.split("/")[1] / "package.json").read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
source_package_json = json.loads(Path(frontend / "package.json").read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(frontend / "package.json").write_text(json.dumps(source_package_json, indent=2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(directory / "README.md").write_text(readme_contents)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gitignore_contents = gitignore.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gitignore_dest.write_text(gitignore_contents)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_contents = pyproject.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_dest.write_text(pyproject_contents)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(demo_dir / "app.py").write_text(
f"""
import gradio as gr
from {package_name} import {name}
{component.demo_code.format(name=name)}
if __name__ == "__main__":
demo.launch()
"""
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
init.write_text(
f"""
from .{name.lower()} import {name}
__all__ = ['{name}']
"""
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = python_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
python_file.write_text(content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyi_content = pyi_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyi_file.write_text(pyi_content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_toml = parse((path / "pyproject.toml").read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_toml = parse((path / "pyproject.toml").read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path / "pyproject.toml", "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_toml = parse((directory / "pyproject.toml").read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(directory / "pyproject.toml", "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(directory / "demo" / "requirements.txt").write_text(package_name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme_contents = readme_path.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(directory / "README.md").write_text(readme_contents)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_component_dir / "pyproject.toml", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_demo_path, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_demo_dir / "space.py", "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_demo_dir / "css.css", "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme_content = Path(_readme_path).read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_readme_path, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyproject_toml = parse(pyproject_toml_path.read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, encoding="utf-8", errors="ignore") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(requirements_file, "a", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(github_action_template, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(github_action_file, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(requirements_file, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(requirements_file, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(requirements_file, "a", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("SYSTEM") == "spaces":
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["GRADIO_AUTO_LOGOUT"] = "false"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["GRADIO_AUTO_LOGOUT"] = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["GRADIO_AUTO_LOGOUT"] = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("HF_TOKEN"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
user = whoami(token=os.getenv("HF_TOKEN")).get("name")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resolved_token = token or os.getenv("OPENAI_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("GRADIO_VIBE_MODE") and os.getenv("GRADIO_AUTO_LOGOUT") == "true":
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if "GRADIO_VIBE_MODE" in os.environ:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_vars["GRADIO_VIBE_MODE"] = os.environ["GRADIO_VIBE_MODE"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(dest / fname).write_text(content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(references_dir / fname).write_text(content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(dest / fname).write_text(content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(dest / "SKILL.md").write_text(content, encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(target_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
source_code = source_file.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyi_file.write_text("\n".join(lines))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyi_file.read_text(), class_name
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(str(pyi_file), mode="a") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
contents = pyi_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
current_contents = pyi_file.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pyi_file.write_text(contents)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_name, "rb") as file_data:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(manifest_path) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return LabelData(**json.loads(Path(value).read_text()))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_name, "rb") as file_data:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(srt_file_path, encoding="utf-8") as srt_file,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(vtt_file_path, "w", encoding="utf-8") as vtt_file,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"data": Path(ts_file).read_bytes(),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
and os.environ.get("HF_TOKEN") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
token = os.environ.get("HF_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_CACHE = os.environ.get("GRADIO_TEMP_DIR") or str( # noqa: N806
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f"\n## {Path(file).name}\n{Path(file).read_text()}"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(openapi_spec) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_filepath, "a", encoding="utf-8", newline="") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_filepath, encoding="utf-8") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_filepath, "a", newline="", encoding="utf-8") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_filepath, encoding="utf-8") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(latest_file, newline="", encoding="utf-8") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(
self.dataset_filepath, "w", newline="", encoding="utf-8"
) as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(
self.dataset_filepath, "a", newline="", encoding="utf-8"
) as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.dataset_filepath, encoding="utf-8") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_filepath, "a", encoding="utf-8", newline="") as csvfile:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.getenv("GRADIO_CACHE_EXAMPLES", "").lower() in ["true", "lazy"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (cache_mode_env := os.getenv("GRADIO_CACHE_MODE")) and cache_mode is None:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(Path(examples) / LOG_FILE) as logs:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.get("GRADIO_RESET_EXAMPLES_CACHE") == "True"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.cached_indices_file) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.cached_indices_file, "a") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.cached_indices_file) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self.cached_file, encoding="utf-8") as cache:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
kwargs["file"] = open(os.devnull, "w") # noqa: SIM115
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
INITIAL_PORT_VALUE = int(os.getenv("GRADIO_SERVER_PORT", "7860"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
TRY_NUM_PORTS = int(os.getenv("GRADIO_NUM_PORTS", "100"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LOCALHOST_NAME = os.getenv("GRADIO_SERVER_NAME", "127.0.0.1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_HOT_RELOAD = os.getenv("GRADIO_HOT_RELOAD", "false").lower()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
should_watch = bool(os.getenv("GRADIO_WATCH_DIRS", ""))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.getenv("GRADIO_WATCH_DIRS", "").split(",") if should_watch else []
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_WATCH_MODULE_NAME = os.getenv("GRADIO_WATCH_MODULE_NAME", "app")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_WATCH_DEMO_NAME = os.getenv("GRADIO_WATCH_DEMO_NAME", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_WATCH_DEMO_PATH = os.getenv("GRADIO_WATCH_DEMO_PATH", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
encoding=os.getenv("GRADIO_WATCH_ENCODING", "utf-8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(image_file, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(image_file) as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self.flagging_mode = os.getenv("GRADIO_FLAGGING_MODE", "manual")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEFAULT_TEMP_DIR = os.environ.get("GRADIO_TEMP_DIR") or str(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_SHARE_SERVER_ADDRESS = os.getenv("GRADIO_SHARE_SERVER_ADDRESS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = httpx.get(GRADIO_API_SERVER, timeout=30)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(CERTIFICATE_PATH, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
INITIAL_PORT_VALUE = int(os.getenv("GRADIO_SERVER_PORT", "7860"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
TRY_NUM_PORTS = int(os.getenv("GRADIO_NODE_NUM_PORTS", "100"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LOCALHOST_NAME = os.getenv(
"GRADIO_NODE_SERVER_NAME", os.getenv("GRADIO_SERVER_NAME", "127.0.0.1")
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"GRADIO_NODE_SERVER_NAME", os.getenv("GRADIO_SERVER_NAME", "127.0.0.1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
node_path=node_path or os.getenv("GRADIO_NODE_PATH"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GRADIO_LOCAL_DEV_MODE = os.getenv("GRADIO_LOCAL_DEV_MODE") is not None
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env = os.environ
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OAUTH_CLIENT_ID = os.environ.get("OAUTH_CLIENT_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OAUTH_CLIENT_SECRET = os.environ.get("OAUTH_CLIENT_SECRET")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OAUTH_SCOPES = os.environ.get("OAUTH_SCOPES")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OPENID_PROVIDER_URL = os.environ.get("OPENID_PROVIDER_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
host = os.environ.get("SPACE_HOST")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if space_host := os.getenv("SPACE_HOST"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
open(full_temp_file_path, "wb") as f,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(full_temp_file_path, "wb") as fb:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PROFILING_ENABLED = os.environ.get("GRADIO_PROFILING", "").strip() in ("1", "true")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.getenv("GRADIO_ANALYTICS_CACHE_FREQUENCY", "1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if default_concurrency_limit_env := os.environ.get(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if default_concurrency_limit_env := os.environ.get(
"GRADIO_DEFAULT_CONCURRENCY_LIMIT"
):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if not strict_cors or os.getenv("GRADIO_LOCAL_DEV_MODE") is not None: # type: ignore
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEFAULT_TEMP_DIR = os.environ.get("GRADIO_TEMP_DIR") or str(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mcp_server = os.environ.get("GRADIO_MCP_SERVER", "False").lower() == "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
components = orjson.loads(path.read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(directory / "state.json", "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Path(path).read_text(encoding="utf-8").encode()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(snapshot_file, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(snapshot_file) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(GRADIO_WATCH_DEMO_PATH) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
blocks.node_path = os.environ.get("GRADIO_NODE_PATH", get_node_path())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEFAULT_TEMP_DIR = os.environ.get("GRADIO_TEMP_DIR") or str(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(concat_file, "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ["GRADIO_SERVER_MODE_ENABLED"] = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
1 if os.getenv("GRADIO_IS_E2E_TEST", None) else 3600
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, encoding="utf-8") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Path(filename).write_text(json.dumps(self.to_dict(), cls=fonts.FontEncoder))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
contents = (Path(__file__).parent / "app.py").read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(BINARY_PATH, "wb") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(BINARY_PATH, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
no_reload_source_code = Path(str(reloader.demo_file)).read_text(
encoding=reloader.encoding
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
no_reload_source_code = Path(str(reloader.demo_file)).read_text(
encoding=reloader.encoding
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os.environ.get("KAGGLE_KERNEL_RUN_TYPE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if os.getenv("SYSTEM") == "spaces":
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.getenv("SPACE_ID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.getenv("SPACES_ZERO_GPU") == "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(HASH_SEED_PATH) as j:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(HASH_SEED_PATH, "w") as j:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Path(os.environ.get("GRADIO_EXAMPLES_CACHE", ".gradio/cached_examples"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.environ.get("GRADIO_TEMP_DIR") or str(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
interval = os.getenv("GRADIO_HEARTBEAT_INTERVAL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return 0.25 if os.getenv("GRADIO_IS_E2E_TEST") else 15
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_node_path = os.environ.get("GRADIO_NODE_PATH")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env_path = os.environ.get("PATH", "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(_bundled_snapshot_path(), encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(local, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
owner = os.getenv("SPACE_AUTHOR_NAME") or space_id.split("/")[0]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if get_space() is not None and bool(os.getenv("OAUTH_CLIENT_ID"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(self._workflow_file, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(workflow_file, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if get_space() is not None and os.getenv("OAUTH_CLIENT_ID"):
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
or int(os.getenv("GRADIO_DEBUG", "0")) == 1
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): client/python/gradio_client
python first-partyexpand_more 9 low-confidence finding(s)
DEFAULT_TEMP_DIR = os.environ.get("GRADIO_TEMP_DIR") or str(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
analytics_enabled or os.getenv("GRADIO_ANALYTICS_ENABLED", "True") == "True"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "rb") as f_:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(temp_dir / Path(url_path).name, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DISCORD_TOKEN = os.getenv("DISCORD_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client = grc.Client("<<app-src>>", token=os.getenv("HF_TOKEN"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(f, "rb") as file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(file_path) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): js/_website
python first-partyexpand_more 25 low-confidence finding(s)
with open(os.path.join("demo", demo, "requirements.txt"), "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
url = os.getenv("TURSO_DATABASE_URL")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.getenv("TURSO_AUTH_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join("demo", demo, "requirements.txt"), "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(make_dir(ROOT_DIR, "client/js/package.json")) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(make_dir(GRADIO_DIR, "package.json")) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(make_dir(WEBSITE_DIR, "src/lib/json/version.json"), "w+") as j:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(make_dir(WEBSITE_DIR, "src/lib/json/wheel.json"), "w+") as j:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(make_dir(WEBSITE_DIR, "src/lib/json/system_prompt.json"), "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(CHANGELOG_FILE) as change_file:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path, 'w+') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path, "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(demo_file) as run_py:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(JS_DIR, js_component, "package.json")) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(JS_DIR, js_component, "README.md")) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(JS_CLIENT_README) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(demo_file) as run_py:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(demo_file) as run_py:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(demo_file) as run_py:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path, "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(runfile) as run_py:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(GUIDES_DIR, guide_folder, guide_file)) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path + "guides_by_category.json", "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path + guide["name"] + ".json", "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(json_path + "guide_names.json", "w+") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): js/preview
python first-partyexpand_more 2 low-confidence finding(s)
with open("../pyproject.toml") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open("../pyproject.toml", "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (python)
python first-partyexpand_more 59 low-confidence finding(s)
os.environ["GRADIO_ANALYTICS_ENABLED"] = "False"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
building_image = requests.get("https://gradio-docs-json.s3.us-west-2.amazonaws.com/buildings.png")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hf_token = os.getenv("hf_token")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
hf_token = os.getenv("hf_token")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log_file.write_text("")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DB_USER = os.getenv("DB_USER")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DB_PASSWORD = os.getenv("DB_PASSWORD")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DB_HOST = os.getenv("DB_HOST")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return gr.Code(open(css_file).read(), language="css")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
port = int(os.environ.get("GRADIO_SERVER_PORT", 8000))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Path(file).read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
view_content_btn.click(lambda path: Path(path).read_text(), file_uploader, upload_content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = requests.get("https://git.io/JJkYN")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get("https://git.io/JJkYN")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = requests.get("https://git.io/JJkYN")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
with open(path, "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
f.write(Path(im["composite"]).read_bytes())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.getenv("HYPERBOLIC_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.getenv("MINIMAX_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
api_key = os.getenv("SAMBANOVA_API_KEY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client = InferenceClient(token=os.getenv("HF_TOKEN"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.getenv("HF_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(audio_file, "rb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(log_file, "a") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
demo.load(lambda: log_file.write_text(""))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
requests.get(
"https://live.staticflickr.com/13/19041780_d6fd803de0_3k.jpg"
).content
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
account_sid = os.environ.get("TWILIO_ACCOUNT_SID")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
auth_token = os.environ.get("TWILIO_AUTH_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme_template = Path(README_TEMPLATE_FILEPATH).read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
getting_started_template = Path(GETTING_STARTED_TEMPLATE_FILEPATH).read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
context = Path(f"demo/{src}/run.py").read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Path("README.md").write_text(f"{EDITING_NOTE}\n\n{readme_template}")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(args.out, "w", encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pathlib.Path(reqs_file_path).write_text(textwrap.dedent(requirements))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(f"{artifact_name}.zip", "wb") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(upcoming, "r") as latest:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(upcoming, "w") as latest:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = GUIDE_PATH.read_text()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GUIDE_PATH.write_text(content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(runfile) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(output_dir, "SKILL.md"), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(references_dir, "examples.md"), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(references_dir, "api-signatures.md"), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(references_dir, "event-listeners.md"), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path1) as f1, open(path2) as f2:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(path) as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(j, "w") as fp:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return json.loads(path.read_text())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version = json.load(open(pathlib.Path(root) / "gradio" / "package.json"))["version"]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readme.write_text(textwrap.dedent(readme_content))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
html = file.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
markdown = file.read_text(encoding="utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open((ROOT / "scripts/docs.json").resolve(), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(requirements_path), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(requirements_path), "r") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(os.path.join(requirements_path), "w") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(local_path, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
with open(local, encoding="utf-8") as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
hf_token = os.environ.get("HF_TOKEN") or os.environ.get("HF_JOBS_TOKEN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
httpx
python dependencyexpand_more 4 low-confidence finding(s)
if trust_env and os.environ.get("SSL_CERT_FILE"): # pragma: nocover
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ctx = ssl.create_default_context(cafile=os.environ["SSL_CERT_FILE"])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
elif trust_env and os.environ.get("SSL_CERT_DIR"): # pragma: nocover
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ctx = ssl.create_default_context(capath=os.environ["SSL_CERT_DIR"])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
katex
python dependencyexpand_more 1 low-confidence finding(s)
with open(file_name, 'rb') as f:
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- @csstools/postcss-global-data prod — dist-only: no readable source
- @self/build prod — registry 404
- @self/tootils prod — registry 404
- @types/testing-library__jest-dom prod — no javascript source
- plotly.js-dist-min prod — dist-only: no readable source
- postcss-custom-media prod — dist-only: no readable source
- svelte-i18n prod — dist-only: no readable source
- typescript-svelte-plugin prod — dist-only: no readable source
- @self/spa prod — registry 404
- @codemirror/autocomplete prod — dist-only: no readable source
- @codemirror/commands prod — dist-only: no readable source
- @codemirror/language prod — dist-only: no readable source
- @codemirror/lint prod — dist-only: no readable source
- @codemirror/search prod — dist-only: no readable source
- @codemirror/state prod — dist-only: no readable source
- @codemirror/view prod — dist-only: no readable source
- cm6-theme-basic-dark prod — dist-only: no readable source
- cm6-theme-basic-light prod — dist-only: no readable source
- @ffmpeg/util prod — dist-only: no readable source
- anyio prod — scan budget exceeded
- audioop-lts prod — scan budget exceeded
- brotli prod — scan budget exceeded
- fastapi prod — scan budget exceeded
- groovy prod — scan budget exceeded
- gradio_client prod — scan budget exceeded
- hf-gradio prod — scan budget exceeded
- huggingface_hub prod — scan budget exceeded
- Jinja2 prod — scan budget exceeded
- markupsafe prod — scan budget exceeded
- numpy prod — scan budget exceeded
- orjson prod — scan budget exceeded
- packaging prod — scan budget exceeded
- pandas prod — scan budget exceeded
- pillow prod — scan budget exceeded
- pydantic prod — scan budget exceeded
- python-multipart prod — scan budget exceeded
- pydub prod — scan budget exceeded
- pyyaml prod — scan budget exceeded
- safehttpx prod — scan budget exceeded
- semantic_version prod — scan budget exceeded
- starlette prod — scan budget exceeded
- tomlkit prod — scan budget exceeded
- typer prod — scan budget exceeded
- typing_extensions prod — scan budget exceeded
- uvicorn prod — scan budget exceeded
- pytz prod — scan budget exceeded
- fsspec prod — scan budget exceeded
- gradio prod — scan budget exceeded