Close Open Privacy Scan

Snapshot: commit c4d1925
engine v1
2026-06-26T16:07:08.420820+00:00

Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

22 / 100
High privacy risk — application leak confirmed

High risk · 90 finding(s)

Dependency score: 100 (Low risk)

Score Breakdown

pii_flow −60
egress −15
env_fs −3

Scan Summary

3 high 5 medium 82 low
First-party packages: 1
Dependency packages: 0
Ecosystem: npm

Confirmed data exfiltration in application code

External domains: api.anthropic.com, api.openai.com

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/claude-email.js:9 repo/benchmarks/claude-email.js:17
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/model-email.js:9 repo/benchmarks/model-email.js:17
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/robustness-audit.js:23 repo/benchmarks/robustness-audit.js:158
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/claude-email.js:6 repo/benchmarks/claude-email.js:25
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/claude-email.js:7 repo/benchmarks/claude-email.js:38
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/model-email.js:6 repo/benchmarks/model-email.js:24
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/model-email.js:7 repo/benchmarks/model-email.js:37
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/check-versions.js:64 repo/scripts/check-versions.js:67

First-Party Code

first-party (npm)

npm first-party
high pii_flow production #f60847903ee7e28a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/claude-email.js:17 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:9 → /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:17
  const r = await fetch('https://api.anthropic.com/v1/messages', { method: 'POST',
    headers: { 'x-api-key': KEY, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' }, body: JSON.stringify(body) });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #597a7fa2d78baac2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/model-email.js:17 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:9 → /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:17
  const r = await fetch('https://api.openai.com/v1/chat/completions', { method: 'POST',
    headers: { Authorization: 'Bearer ' + KEY, 'Content-Type': 'application/json' }, body: JSON.stringify(body) });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #49c1d158d4e70db1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/benchmarks/robustness-audit.js:158 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/robustness-audit.js:23 → /tmp/closeopen-j8axgl7x/repo/benchmarks/robustness-audit.js:158
  const r = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST', headers: { Authorization: 'Bearer ' + KEY, 'Content-Type': 'application/json' }, body: JSON.stringify(body) });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #d34b9dd097be37bd PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/claude-email.js:25 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:6 → /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:25
  console.log(`email, n=${N}\n`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #d9f6c6b4c722121a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/claude-email.js:38 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:7 → /tmp/closeopen-j8axgl7x/repo/benchmarks/claude-email.js:38
    console.log(`${model.padEnd(26)} ${rates.baseline.padEnd(10)} ${rates.ponytail}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #fbf649a0ed014305 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/model-email.js:24 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:6 → /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:24
  console.log(`email, n=${N}\n`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #b8cf2616a91c99fe PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/benchmarks/model-email.js:37 · flow /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:7 → /tmp/closeopen-j8axgl7x/repo/benchmarks/model-email.js:37
    console.log(`${model.padEnd(15)} ${rates.baseline.padEnd(10)} ${rates.ponytail}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #ff04498780f75d30 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/check-versions.js:67 · flow /tmp/closeopen-j8axgl7x/repo/scripts/check-versions.js:64 → /tmp/closeopen-j8axgl7x/repo/scripts/check-versions.js:67
    console.error(`release tag ${tag} does not match version ${shared}; bump the version files before tagging`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

82 low-confidence finding(s)
low env_fs production #d74e53d67c69fc28 Filesystem access.
repo/.opencode/plugins/ponytail.mjs:13
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e44a16388335148 Environment-variable access.
repo/.opencode/plugins/ponytail.mjs:27
  process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c6afd49405bcb3a Filesystem access.
repo/.opencode/plugins/ponytail.mjs:34
    return normalizePersistedMode(fs.readFileSync(statePath, 'utf8').trim()) || getDefaultMode();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c0302dcf56cbce7 Filesystem access.
repo/.opencode/plugins/ponytail.mjs:42
  fs.writeFileSync(statePath, mode);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #588d07620b122033 Filesystem access.
repo/.opencode/plugins/ponytail.mjs:46
  const content = fs.readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64904b6c2e5f3108 Filesystem access.
repo/benchmarks/arms/caveman.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aed94049c89cfa65 Filesystem access.
repo/benchmarks/arms/caveman.js:4
const system = fs.readFileSync(path.join(__dirname, 'caveman-SKILL.md'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29020e2305cfd2bd Filesystem access.
repo/benchmarks/arms/ponytail.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #538ca4e42c6a1b96 Filesystem access.
repo/benchmarks/arms/ponytail.js:4
const system = fs.readFileSync(path.join(__dirname, '..', '..', 'skills', 'ponytail', 'SKILL.md'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40faeaaeb8b64b1e Filesystem access.
repo/benchmarks/claude-email.js:2
const fs = require('fs'), path = require('path');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596a04810075a92e Filesystem access.
repo/benchmarks/claude-email.js:4
const skill = fs.readFileSync(path.join(__dirname, '..', 'skills', 'ponytail', 'SKILL.md'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f53f4470fe19533 Environment-variable access.
repo/benchmarks/claude-email.js:6
const N = Number(process.env.CE_N) || 40;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff78799d1f7275c2 Environment-variable access.
repo/benchmarks/claude-email.js:7
const MODELS = (process.env.CE_MODELS || 'claude-haiku-4-5-20251001,claude-sonnet-4-6,claude-opus-4-8').split(',');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69d4bdfae1ee2b17 Filesystem access.
repo/benchmarks/claude-email.js:9
const kv = Object.fromEntries(fs.readFileSync(path.join(__dirname, '..', '.env'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e4c786fb5121d6ae Hardcoded external endpoint. Review what data is sent to this destination.
repo/benchmarks/claude-email.js:17
  const r = await fetch('https://api.anthropic.com/v1/messages', { method: 'POST',
    headers: { 'x-api-key': KEY, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' }, body: JSON.stringify(body) });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #6b476fbc37d8b7ca Filesystem access.
repo/benchmarks/correctness.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57bd23b9bee2f1ad Filesystem access.
repo/benchmarks/correctness.js:62
  fs.writeFileSync(p, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa0c68b08aaab034 Filesystem access.
repo/benchmarks/generate-examples.mjs:7
const j = JSON.parse(readFileSync(new URL('./output.json', import.meta.url), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c259e49b4804e1ff Filesystem access.
repo/benchmarks/generate-examples.mjs:42
  writeFileSync(new URL(`../examples/${slug}.md`, import.meta.url), md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c819e63c0a42818f Filesystem access.
repo/benchmarks/generate-examples.mjs:62
writeFileSync(new URL('../examples/README.md', import.meta.url), readme);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5397e5387cf2297 Filesystem access.
repo/benchmarks/model-email.js:2
const fs = require('fs'), path = require('path');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7967063a8f5ee40b Filesystem access.
repo/benchmarks/model-email.js:4
const skill = fs.readFileSync(path.join(__dirname, '..', 'skills', 'ponytail', 'SKILL.md'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3f6d9ed49a33a41 Environment-variable access.
repo/benchmarks/model-email.js:6
const N = Number(process.env.ME_N) || 100;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #439c129a97108ad6 Environment-variable access.
repo/benchmarks/model-email.js:7
const MODELS = (process.env.ME_MODELS || 'gpt-4.1-mini,gpt-5.4-mini').split(',');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a39f116d35ead8c Filesystem access.
repo/benchmarks/model-email.js:9
const kv = Object.fromEntries(fs.readFileSync(path.join(__dirname, '..', '.env'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #2da3910c542642b6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/benchmarks/model-email.js:17
  const r = await fetch('https://api.openai.com/v1/chat/completions', { method: 'POST',
    headers: { Authorization: 'Bearer ' + KEY, 'Content-Type': 'application/json' }, body: JSON.stringify(body) });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4f2b5e81db29255d Filesystem access.
repo/benchmarks/robustness-audit.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8c2c4ddb9ac77d8 Environment-variable access.
repo/benchmarks/robustness-audit.js:22
const N = Number(process.env.AUDIT_N) || 20;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0faa9a06e72403bd Environment-variable access.
repo/benchmarks/robustness-audit.js:23
const MODEL = process.env.AUDIT_MODEL || 'gpt-5.4-mini';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d87a59f5f2a8e3e Filesystem access.
repo/benchmarks/robustness-audit.js:27
  kv = Object.fromEntries(fs.readFileSync(path.join(ROOT, '.env'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64ce8c32b20b7ef2 Environment-variable access.
repo/benchmarks/robustness-audit.js:31
const KEY = process.env.OPENAI_API_KEY || kv.OPENAI_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81b9908adf7ff2fc Filesystem access.
repo/benchmarks/robustness-audit.js:32
const SKILL = fs.readFileSync(path.join(ROOT, 'skills', 'ponytail', 'SKILL.md'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e477dc3a639faecb Filesystem access.
repo/benchmarks/robustness-audit.js:149
  fs.writeFileSync(f, harness);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #60c1246c83591485 Hardcoded external endpoint. Review what data is sent to this destination.
repo/benchmarks/robustness-audit.js:158
  const r = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST', headers: { Authorization: 'Bearer ' + KEY, 'Content-Type': 'application/json' }, body: JSON.stringify(body) });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #77ed4c0c406fc447 Filesystem access.
repo/hooks/ponytail-activate.js:9
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1662b5c0a05116c5 Filesystem access.
repo/hooks/ponytail-activate.js:49
    const raw = fs.readFileSync(settingsPath, 'utf8').replace(/^\uFEFF/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f47c10fdad682733 Filesystem access.
repo/hooks/ponytail-config.js:12
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53970d91bd7d5bbc Environment-variable access.
repo/hooks/ponytail-config.js:55
  if (process.env.XDG_CONFIG_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ba04147c971764f Environment-variable access.
repo/hooks/ponytail-config.js:56
    return path.join(process.env.XDG_CONFIG_HOME, 'ponytail');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16633600b60fac69 Environment-variable access.
repo/hooks/ponytail-config.js:60
      process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21e4384a8df38fc6 Environment-variable access.
repo/hooks/ponytail-config.js:73
  return process.env.CLAUDE_CONFIG_DIR || path.join(os.homedir(), '.claude');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c8c8c22dda159d7 Environment-variable access.
repo/hooks/ponytail-config.js:78
  const envMode = process.env.PONYTAIL_DEFAULT_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75090eea31075631 Filesystem access.
repo/hooks/ponytail-config.js:86
    const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac92ff257d1ece53 Filesystem access.
repo/hooks/ponytail-config.js:104
  fs.writeFileSync(configPath, JSON.stringify({ defaultMode: normalized }, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dd24c81a4da4fba Filesystem access.
repo/hooks/ponytail-instructions.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1039ed854b66a34e Filesystem access.
repo/hooks/ponytail-instructions.js:84
      filterSkillBodyForMode(fs.readFileSync(SKILL_PATH, 'utf8'), effectiveMode);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f61708e0190982ca Filesystem access.
repo/hooks/ponytail-runtime.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a48cd0b71227ae12 Environment-variable access.
repo/hooks/ponytail-runtime.js:6
const isCopilot = Boolean(process.env.COPILOT_PLUGIN_DATA);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c51c39f5eef5675b Environment-variable access.
repo/hooks/ponytail-runtime.js:7
const isCodex = !isCopilot && Boolean(process.env.PLUGIN_DATA);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7140f0b54b31b8d4 Environment-variable access.
repo/hooks/ponytail-runtime.js:10
if (isCodex) stateDir = process.env.PLUGIN_DATA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a83e6d71a2b12d0 Environment-variable access.
repo/hooks/ponytail-runtime.js:11
if (isCopilot) stateDir = process.env.COPILOT_PLUGIN_DATA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4c8b00ea16d4164 Filesystem access.
repo/hooks/ponytail-runtime.js:17
  fs.writeFileSync(statePath, mode);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96878f9e6e2e0422 Filesystem access.
repo/hooks/ponytail-runtime.js:27
    return fs.readFileSync(statePath, 'utf8').trim() || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a2439bd846eb2eb Filesystem access.
repo/scripts/build-openclaw-skills.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5a9c416ac0be273 Filesystem access.
repo/scripts/build-openclaw-skills.js:31
  const src = fs.readFileSync(path.join(ROOT, 'skills', name, 'SKILL.md'), 'utf8').replace(/\r\n/g, '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5756bda5edfc0ed Filesystem access.
repo/scripts/build-openclaw-skills.js:57
    fs.writeFileSync(p, render(name));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34986fc0a6aa9f34 Filesystem access.
repo/scripts/check-rule-copies.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3010f4b5bd319531 Filesystem access.
repo/scripts/check-rule-copies.js:8
  return fs.readFileSync(path.join(root, relPath), 'utf8').replace(/\r\n/g, '\n').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64b193075a7defc5 Filesystem access.
repo/scripts/check-versions.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9bc087e85d4b1cd Filesystem access.
repo/scripts/check-versions.js:34
    const raw = fs.readFileSync(path.join(root, relPath), 'utf8').replace(/^\uFEFF/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #773bea2a6e3d423b Environment-variable access.
repo/scripts/check-versions.js:63
if (shared && process.env.GITHUB_REF_TYPE === 'tag') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adb3aa28061f27d8 Environment-variable access.
repo/scripts/check-versions.js:64
  const tag = process.env.GITHUB_REF_NAME || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #baa183e94b26cf47 Filesystem access.
repo/scripts/publish-openclaw-skills.js:19
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af4ccb463710371a Filesystem access.
repo/scripts/publish-openclaw-skills.js:26
const version = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8')).version;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7c67b1aed4e53ba Filesystem access.
repo/scripts/uninstall.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #148a74202fbf71a0 Filesystem access.
repo/scripts/uninstall.js:26
  const raw = fs.readFileSync(settingsPath, 'utf8').replace(/^\uFEFF/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4057474ba78a1470 Filesystem access.
repo/scripts/uninstall.js:35
    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.