Close Open Privacy Scan

bolt Snapshot: commit d31124c
science engine v1.14
schedule 2026-07-17T02:07:15.788069+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code. Dependency data flows are listed separately and do not affect this verdict.

smart_toy MCP server detected: @modelcontextprotocol/sdk, @modelcontextprotocol/server-everything, @modelcontextprotocol/server-filesystem, @modelcontextprotocol/server-memory +2 more — detected in dependencies, not a safety judgment.

App Privacy Score

97 /100
Low privacy risk

Low risk · 161 finding(s)

Dependency score: 67 (Medium risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 1 medium 160 low
First-party packages: 1
Dependency packages: 8
Ecosystem: python

swap_horiz Application data flows

No application data flows were found. See dependency data flows below.

hub Dependency data flows (1)
medium mcp dependency A credential read from the environment/filesystem is applied as authorization on the same outbound request (auth header). This is intentional authentication, not unexpected data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452

</> First-Party Code

first-party (npm)

python first-party
expand_more 5 low-confidence finding(s)
low env_fs test-only #3ce1a1a8135635f7 Filesystem access.
repo/scripts/release.py:67
        with open(self.path / "package.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c46444edbd8ba6b Filesystem access.
repo/scripts/release.py:71
        with open(self.path / "package.json", "r+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aed24480252dbc56 Filesystem access.
repo/scripts/release.py:84
        with open(self.path / "pyproject.toml") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d7fc9ccb6e0d4662 Filesystem access.
repo/scripts/release.py:93
        with open(self.path / "pyproject.toml") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b53e78060b13dac Filesystem access.
repo/scripts/release.py:97
        with open(self.path / "pyproject.toml", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

mcp

python dependency
medium pii_flow dependency Excluded from app score #ef387d1cbf58ed7c A credential read from the environment/filesystem is applied as authorization on the same outbound request (auth header). This is intentional authentication, not unexpected data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452 · flow /tmp/closeopen-pdr1c2cm/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 → /tmp/closeopen-pdr1c2cm/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452
        return httpx.Request("POST", token_url, data=refresh_data, headers=headers)

A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.

Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.

expand_more 35 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #32314161b737c7d5 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:72
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6dc8f68d35df799c Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:281
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9602ae6f9ce7b963 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:349
    scenario = os.environ.get("MCP_CONFORMANCE_SCENARIO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0f6257a86634b4d6 Environment-variable access.
pkgs/python/[email protected]/examples/clients/conformance-auth-client/mcp_conformance_auth_client/__init__.py:50
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #00a74bc872fd116a Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:343
    server_url = os.getenv("MCP_SERVER_PORT", 8000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4870fa0217ee1944 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:344
    transport_type = os.getenv("MCP_TRANSPORT_TYPE", "streamable-http")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b2e8fc180e8cd7c2 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:345
    client_metadata_url = os.getenv("MCP_CLIENT_METADATA_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0feb9e09baeab976 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:24
        self.api_key = os.getenv("LLM_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9f556d98c99bc5e1 Filesystem access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:45
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #71c3d8f496506448 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:83
            env={**os.environ, **self.config["env"]} if self.config.get("env") else None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #8da91fab57092cd6 Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:251
                response = client.post(url, headers=headers, json=payload)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #d6666e563b240326 Filesystem access.
pkgs/python/[email protected]/examples/fastmcp/icons_demo.py:14
icon_data = base64.standard_b64encode(icon_path.read_bytes()).decode()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #63b109ef13c60bba Environment-variable access.
pkgs/python/[email protected]/examples/fastmcp/memory.py:52
PROFILE_DIR = (Path.home() / ".fastmcp" / os.environ.get("USER", "anon") / "memory").resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #b827db299b662ac7 Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/examples/fastmcp/text_me.py:49
        response = client.post(
            "https://api.surgemsg.com/messages",
            headers={
                "Authorization": f"Bearer {surge_settings.api_key}",
                "Surge-Account": surge_settings.account_id,
                "Content-Type": "application/json",
            },
            json={
                "body": text_content,
                "conversation": {
                    "contact": {
                        "first_name": surge_settings.my_first_name,
                        "last_name": surge_settings.my_last_name,
                        "phone_number": surge_settings.my_phone_number,
                    }
                },
            },
        )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress tooling Excluded from app score unreachable #ac225305cf2200d9 Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/examples/servers/simple-auth/mcp_simple_auth/token_verifier.py:53
                response = await client.post(
                    self.introspection_endpoint,
                    data={"token": token},
                    headers={"Content-Type": "application/x-www-form-urlencoded"},
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #72b0a29e350c3b3d Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/completion_client.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c45faa4e5d870c50 Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/display_utilities.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #383429e36d6fb6c3 Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/stdio_client.py:19
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a5fd84bb2096e17f Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/binary_resources.py:9
    with open("logo.png", "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #074a310acde402d6 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results.py:10
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2ccd7da1ebe278b5 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results_binary.py:12
    with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ede60122ac7ae8d3 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/prompt_embedded_resources.py:11
    file_content = open(filename).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5dfc4e3c208905e4 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/tool_errors.py:27
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #39113dd3e9fe6da3 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:53
        code = file.read_text().rstrip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4d120792633836a1 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:109
    content = doc_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bf2f5d93c2e699a7 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:134
            doc_path.write_text(updated_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09f818df4fb1a720 Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:24
        path = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"), "Claude")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ace59042931304cc Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:77
            config_file.write_text("{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e05dec1d0124735f Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:88
        config = json.loads(config_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ea17064ae458f68 Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:135
        config_file.write_text(json.dumps(config, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1f62a683e5a1647 Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/cli.py:282
            env=dict(os.environ.items()),  # Convert to list of tuples for env update

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #c8cd4390dd56a9d4 Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/src/mcp/client/sse.py:138
                                    response = await client.post(
                                        endpoint_url,
                                        json=session_message.message.model_dump(
                                            by_alias=True,
                                            mode="json",
                                            exclude_none=True,
                                        ),
                                    )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #e89c10d7613f742f Environment-variable access.
pkgs/python/[email protected]/src/mcp/client/stdio/__init__.py:59
        value = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #123b7af2dd3f052a Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:47
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acf5b9e478747b02 Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:94
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

click

python dependency
expand_more 31 low-confidence finding(s)
low env_fs dependency Excluded from app score #3fa994769821a9b6 Filesystem access.
pkgs/python/[email protected]/src/click/_compat.py:366
        return open(file, mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78556a4af4e24186 Filesystem access.
pkgs/python/[email protected]/src/click/_compat.py:368
    return open(file, mode, encoding=encoding, errors=errors)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66028fe15316a33d Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:418
    pager_cmd_parts = shlex.split(os.environ.get("PAGER", ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee9d1cfd4c4dde36 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:424
    if os.environ.get("TERM") in ("dumb", "emacs"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #387d83fe02298858 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:516
    env = dict(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c20de0dc2896e9 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:521
        less_flags = f"{os.environ.get('LESS', '')}{' '.join(cmd_params)}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3dd1d855aba4f5d Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:673
            rv = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bcf784b7177d912 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:695
            environ = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d2e24fbf535736d Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:761
            with open(name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10b20192615adc0c Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:790
        null = open("/dev/null", "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f8db37e96c63b4f Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:916
            f = open("/dev/tty")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6607272c367d6909 Filesystem access.
pkgs/python/[email protected]/src/click/core.py:1243
                formatter.write_text(text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81b16a96da115e17 Filesystem access.
pkgs/python/[email protected]/src/click/core.py:1264
                formatter.write_text(epilog)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05b912cf53c3589 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:1557
        instruction = os.environ.get(complete_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9a48204a89008c4 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:2631
            rv = os.environ.get(self.envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3eca6b311eb51e27 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:2637
                rv = os.environ.get(envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfc3c318e5a78356 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:3402
            rv = os.environ.get(envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3945fcc02ed888cd Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:371
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d918a5e0813974ea Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:372
        cword = int(os.environ["COMP_CWORD"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f49fdc358b2b95f7 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:393
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1875b7d858cefbcf Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:394
        cword = int(os.environ["COMP_CWORD"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05d5a967a94e1f35 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:429
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e86d1f034f0e8076 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:430
        incomplete = os.environ["COMP_CWORD"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aca8a2ee14da1403 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:567
                old_env[key] = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e3cd6bcae8a321a Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:570
                        del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f95cb291c9e9694 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:574
                    os.environ[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c08da1a965b12d76 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:580
                        del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9b834e015255432 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:584
                    os.environ[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6dbbb51d765717ab Filesystem access.
pkgs/python/[email protected]/src/click/utils.py:149
                open(filename, mode).close()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0589bebdc395860 Environment-variable access.
pkgs/python/[email protected]/src/click/utils.py:506
        folder = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a11d38c3722ffedc Environment-variable access.
pkgs/python/[email protected]/src/click/utils.py:517
        os.environ.get("XDG_CONFIG_HOME", os.path.expanduser("~/.config")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gitpython

python dependency
expand_more 55 low-confidence finding(s)
low env_fs dependency Excluded from app score #78553c31c6cac6f1 Filesystem access.
pkgs/python/[email protected]/doc/source/conf.py:50
with open(os.path.join(os.path.dirname(__file__), "..", "..", "VERSION")) as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ea0ec0c4e702bfa Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:668
    GIT_PYTHON_TRACE = os.environ.get("GIT_PYTHON_TRACE", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc2140a946c0eb81 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:784
            new_git = os.environ.get(cls._git_exec_env_var, cls.git_exec_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab7a37ddb35c85c6 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:833
                mode = os.environ.get(cls._refresh_env_var, "raise").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3924654d8d7aa3b9 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:1369
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97e73f95344826d5 Filesystem access.
pkgs/python/[email protected]/git/cmd.py:1391
        stdout_sink = PIPE if with_stdout else getattr(subprocess, "DEVNULL", None) or open(os.devnull, "wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c2ab9e70e890c23 Environment-variable access.
pkgs/python/[email protected]/git/config.py:259
        config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e96bc2500704c2ea Filesystem access.
pkgs/python/[email protected]/git/config.py:652
                    with open(file_path, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e0f22263ff5e291 Filesystem access.
pkgs/python/[email protected]/git/config.py:770
            with open(fp, "wb") as fp_open:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92b2126510ee83d7 Filesystem access.
pkgs/python/[email protected]/git/index/base.py:705
                return open(filepath, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f46fdf2a97bf846 Filesystem access.
pkgs/python/[email protected]/git/index/base.py:1180
        with open(self._commit_editmsg_filepath(), "wb") as commit_editmsg_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4cc670ae58596b6 Filesystem access.
pkgs/python/[email protected]/git/index/base.py:1187
        with open(self._commit_editmsg_filepath(), "rb") as commit_editmsg_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3aa06a8c5c97940c Environment-variable access.
pkgs/python/[email protected]/git/index/fun.py:89
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #777776cc2f8556eb Environment-variable access.
pkgs/python/[email protected]/git/objects/commit.py:681
        env = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68040d36102debb0 Filesystem access.
pkgs/python/[email protected]/git/objects/submodule/base.py:428
        with open(git_file, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7c0a2733316acd6 Filesystem access.
pkgs/python/[email protected]/git/refs/log.py:267
        with open(filepath, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c887fb978a94ab9 Filesystem access.
pkgs/python/[email protected]/git/refs/log.py:363
            fd = open(filepath, "ab")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3a35ecd1145c4fd Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:152
            with open(cls._get_packed_refs_path(repo), "rt", encoding="UTF-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #795a6d436dbfdb23 Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:265
            with open(os.path.join(repodir, ref_path), "rt", encoding="UTF-8") as fp:  # type: ignore[arg-type]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07a92286421fbd77 Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:668
                with open(pack_file_path, "rb") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #910d45b2ade00fe8 Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:696
                    with open(pack_file_path, "wb") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #975aa4dc2df7248f Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:738
            with open(abs_ref_path, "rb") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d75bde3e34084fa Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:822
                with open(new_abs_path, "rb") as fd1:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bf33209d74e2c0e Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:824
                with open(cur_abs_path, "rb") as fd2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75b3cbc0ba770cd4 Filesystem access.
pkgs/python/[email protected]/git/remote.py:918
        with open(fetch_head.abspath, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18a979f5262aec03 Environment-variable access.
repo/base.py:230
        epath = path or os.getenv("GIT_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d53636f80549b74f Environment-variable access.
repo/base.py:266
                if "GIT_WORK_TREE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d76a5d63d3ecb82a Environment-variable access.
repo/base.py:267
                    self._working_tree_dir = os.getenv("GIT_WORK_TREE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47db28bcfe2c0724 Filesystem access.
repo/base.py:271
                    with open(osp.join(git_dir, "gitdir")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a2543d2c405b157 Environment-variable access.
repo/base.py:294
                if os.environ.get("GIT_COMMON_DIR") is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ccdf9d1c3172082 Environment-variable access.
repo/base.py:298
                if "GIT_WORK_TREE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac7f89af07fa3d5 Environment-variable access.
repo/base.py:299
                    self._working_tree_dir = os.getenv("GIT_WORK_TREE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e289354bd2afa85 Filesystem access.
repo/base.py:336
            common_dir = (Path(self.git_dir) / "commondir").read_text().splitlines()[0].strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18be82c42c3c657b Filesystem access.
repo/base.py:397
        with open(filename, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46a595d9752ec29b Filesystem access.
repo/base.py:403
        with open(filename, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7f3a089d34e0788 Environment-variable access.
repo/base.py:678
            config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ed583c056740de1 Filesystem access.
repo/base.py:952
            with open(alternates_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ce462c53d9e3d2e Filesystem access.
repo/base.py:975
            with open(alternates_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd7a736f8af2e6fa Filesystem access.
repo/base.py:1729
        with open(rebase_head_file, "rt") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee6af6d709af5082 Filesystem access.
repo/fun.py:55
    with open(filename, "ab"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ed1a597396242f0 Environment-variable access.
repo/fun.py:69
        if (osp.isdir(osp.join(d, "objects")) or "GIT_OBJECT_DIRECTORY" in os.environ) and osp.isdir(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fe7c2c5e1278fea Filesystem access.
repo/fun.py:93
        lines = Path(dotgit).read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b74cd28d7477cfe Filesystem access.
repo/fun.py:108
        with open(d) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #969831f6a6493206 Environment-variable access.
pkgs/python/[email protected]/git/util.py:122
        value = os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a35ba5c995fd8b39 Environment-variable access.
pkgs/python/[email protected]/git/util.py:201
    old_value = os.getenv(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85f194d48b3905b6 Environment-variable access.
pkgs/python/[email protected]/git/util.py:202
    os.environ[name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6cc0fbdb86c30d4 Environment-variable access.
pkgs/python/[email protected]/git/util.py:207
            del os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b92e9a882084e32 Environment-variable access.
pkgs/python/[email protected]/git/util.py:209
            os.environ[name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88f208dfcfe03f46 Environment-variable access.
pkgs/python/[email protected]/git/util.py:338
    PATHEXT = os.environ.get("PATHEXT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #450035d1bd78eda0 Environment-variable access.
pkgs/python/[email protected]/git/util.py:374
        path = os.environ["PATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1ce84ff84d8ebe8 Environment-variable access.
pkgs/python/[email protected]/git/util.py:868
                val = os.environ[evar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4cd2bf4ca4d2494 Filesystem access.
pkgs/python/[email protected]/git/util.py:1054
            with open(lock_file, mode="w"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65ff9ef66bf2faa7 Filesystem access.
pkgs/python/[email protected]/setup.py:14
    return (Path(__file__).parent / path).read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7e36e4b8c0f6e4d Filesystem access.
pkgs/python/[email protected]/setup.py:49
        with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d69d2becb3ca62eb Filesystem access.
pkgs/python/[email protected]/setup.py:59
        with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

httpx

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #a520155fa18eab00 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:34
        if trust_env and os.environ.get("SSL_CERT_FILE"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7b670464f79bbf1 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:35
            ctx = ssl.create_default_context(cafile=os.environ["SSL_CERT_FILE"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #429c871723237632 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:36
        elif trust_env and os.environ.get("SSL_CERT_DIR"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b29e6f54b8e8cc50 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:37
            ctx = ssl.create_default_context(capath=os.environ["SSL_CERT_DIR"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pydantic

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #c36d15b92623ba32 Filesystem access.
pkgs/python/[email protected]/pydantic/deprecated/parse.py:71
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa1b4b65e1c592d7 Environment-variable access.
pkgs/python/[email protected]/pydantic/json_schema.py:344
                if os.getenv('PYDANTIC_PRIVATE_ALLOW_UNHANDLED_SCHEMA_TYPES'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fa7ef8a7712a0ba Filesystem access.
pkgs/python/[email protected]/pydantic/mypy.py:1411
    with open(config_file, 'rb') as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00170a53e24d63a6 Environment-variable access.
pkgs/python/[email protected]/pydantic/plugin/_loader.py:27
    disabled_plugins = os.getenv('PYDANTIC_DISABLE_PLUGINS')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84e750dd4bc53bf3 Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:173
            env_vars: Mapping[str, Optional[str]] = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aa2cfc6269df5c5 Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:175
            env_vars = {k.lower(): v for k, v in os.environ.items()}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fceb0ee58f8b1c29 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:307
                    secret_value = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8c18a33efa1fcee Filesystem access.
pkgs/python/[email protected]/pydantic/v1/mypy.py:948
    with open(config_file, read_mode) as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4b751a0533f70e3 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/parse.py:57
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

readabilipy

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #e65ff606e70321bc Filesystem access.
pkgs/python/[email protected]/readabilipy/__main__.py:66
        input_file = open(args.input_file, encoding="utf-8", errors="replace")  # pylint: disable=consider-using-with

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3279c7e0806a2e55 Filesystem access.
pkgs/python/[email protected]/readabilipy/__main__.py:84
        output_file = open(args.output_file, "w", encoding="utf-8")  # pylint: disable=consider-using-with

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24b79ca44dd69365 Filesystem access.
pkgs/python/[email protected]/readabilipy/simple_json.py:71
        with open(tmp_json_path, "r", encoding="utf-8") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6306ae8515e63883 Filesystem access.
pkgs/python/[email protected]/setup.py:51
    with io.open(os.path.join(here, "README.md"), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3f17c3ba341cdf5 Filesystem access.
pkgs/python/[email protected]/setup.py:60
    with open(os.path.join(here, project_slug, "__version__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

requests

python dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #7df7205ae190aa1d Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:857
                    os.environ.get("REQUESTS_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3529f0702de64b8b Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:858
                    or os.environ.get("CURL_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ac3d5eace80bc1e Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:239
    netrc_file = os.environ.get("NETRC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54729ecd2223d952 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:798
        old_value = os.environ.get(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feca93c96a546850 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:799
        os.environ[env_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7b744b7c7365224 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:805
                del os.environ[env_name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cbb28890561efe8 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:807
                os.environ[env_name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1485894e09cd815 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:820
        return os.environ.get(key) or os.environ.get(key.upper())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tzlocal

python dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #65ba54ace82bf14f Filesystem access.
pkgs/python/[email protected]/tzlocal/unix.py:53
            with open(tzpath, encoding="ascii") as tzfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e5701a9a88bf2b1 Filesystem access.
pkgs/python/[email protected]/tzlocal/unix.py:88
            with open(tzpath, "rt") as tzfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a27259ae30c7691 Filesystem access.
pkgs/python/[email protected]/tzlocal/unix.py:204
            with open(tzpath, "rb") as tzfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eea3f8363f8f3b20 Environment-variable access.
pkgs/python/[email protected]/tzlocal/utils.py:44
        tzenv = os.environ.get("TZ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd14de0cd18ef4d9 Environment-variable access.
pkgs/python/[email protected]/tzlocal/utils.py:79
        tzenv = os.environ.get("TZ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6620e11c1f0d52fc Filesystem access.
pkgs/python/[email protected]/tzlocal/utils.py:95
        with open(tzenv, "rb") as tzfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #b7d5ad9f22985d04 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/update_windows_mappings.py:60
    source = urlopen(WIN_ZONES_URL).read()

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #7cd335cfc307d3c6 Filesystem access.
pkgs/python/[email protected]/update_windows_mappings.py:100
    with open("tzlocal/windows_tz.py", "w") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.