Close Open Privacy Scan
App Privacy Score
Low risk · 54 finding(s)
Dependency score: 97 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz External domains
0:0:0:0:0:0:0:00:0:0:0:0:ffff:7f00:11.1.1.110.0.0.110.0.0.510.255.255.255100.100.100.200100.64.1.1127.0.0.1.evil.com169.254.169.254172.16.0.1172.16.0.5172.31.255.255192.0.2.1192.0.32.1192.168.0.100192.168.1.1192.168.1.5192.88.99.12001::ffff:ffff:ffff:5601:56012001::ffff:ffff:ffff:561:5612001:db8::12002:a9fe:a9fe::64:ff9b:1::127.0.0.164:ff9b::10.0.0.1::::192.168.1.1::a9fe:a9fe::ffff:0:a00:1::ffff:0:a9fe:a9fe::ffff:127.0.0.1::ffff:169.254.169.254aa.ba.b.alibaba-inc.coma.exampleabc.comabc123.atlassian.netaccounts.feishu.cnaccounts.larksuite.comagent.exampleai.google.devaiplatformaiplatform.googleapis.comaistudio.google.comalibaba-inc.comalibaba-inc.com.evil.comalice.contoso.comaliyun-inc.comaliyun-inc.com.evil.comanthropic.exampleany.comapiapi-a.exampleapi-b.exampleapi-docs.deepseek.comapi-inference.modelscope.cnapi-one.exampleapi-two.exampleapi.anthropic.comapi.anthropic.com.evil.comapi.deepseek.comapi.deepseek.com.evil.comapi.deepseek.comevil.comapi.different.comapi.dingtalk.comapi.exampleapi.first.exampleapi.github.comapi.githubcopilot.comapi.minimax.ioapi.minimaxi.comapi.mistral.aiapi.mistral.ai.evil.exampleapi.modelscope.cnapi.openai.comapi.openai.com.malicious.comapi.openai.exampleapi.openrouter.aiapi.other.comapi.second.exampleapi.sgroup.qq.comapi.telegram.orgapi.xapi.x.comapi.xiaomimimo.comapi.xiaomimimo.com.evil.exampleapi.yapi.z.aiargvasr.exampleassets.anthropic.comattackerattacker.comattacker.exampleauth.exampleautopush-generativelanguage.sandbox.googleapis.comazure.examplebb.examplebailian.console.aliyun.combkt.e.aliyuncs.combkt.oss-cn-hangzhou.aliyuncs.combots.qq.combrokenbroken.exampleccdncdn.jsdelivr.netcdn.pixabay.comcdnjs.cloudflare.comchat.qwen.aiclaudemarketplaces.comcloud.google.comcn-hongkong.dashscope.aliyuncs.comcode.visualstudio.comcodeassist.google.comcodeload.github.comcoding-intl.dashscope-intl.aliyuncs.comcoding-intl.dashscope.aliyuncs.comcoding.dashscope.aliyuncs.comcollectorcontacts.contoso.comcsp.sourcecurrent.examplecustom-api.comcustom-endpoint.comcustom-gateway.minimax.iocustom.api.comcustom.api.minimax.iocustom.comcustom.otel.collectorcustom.registry.comdaemondashboard.contoso.comdashscope-intl.aliyuncs.comdashscope-us.aliyuncs.comdashscope.aliyuncs.comdashscope.aliyuncs.com.malicious.comdashscope.exampledefault-collectordefault.env.comdevelopers.google.comdiscovered.auth.comdocs.anthropic.comdocs.expo.devdocs.fireworks.aidocs.requesty.aidocs.z.aidummy.comeemscripten.orgen.wikipedia.orgenvenv-daemoneu.api.anthropic.comevilevil.comevil.exampleexamplefc00::1fc::1fd12::1fe80::1fea0::1febf::1febf::fffirst.examplefonts.googleapis.comfonts.gstatic.comgateway.alibaba-inc.comgateway.minimaxi.comgateway.qq.comgemini-api-demos.uc.r.appspot.comgemini.env.comgeminicli.comgenerativelanguage.googleapis.comghe.internalgithub.comgithub.com.attacker.comgithub.com.evilgitlab.comgitlab.company.comgoo.glegoogle.comgoogleapis.comgrafana.examplegrafana.internalhhanging.examplehelp.aliyun.comhelp.openai.comhookshosthost.comhost.docker.internaliamcredentials.googleapis.comiconscout.comidealab.alibaba-inc.comidealab.exampleidp.exampleilinkai.weixin.qq.comimg.pnginternal-proxy.corpinternal.bug-tracker.cominvalid-proxyjigsaw.w3.orgjson-schema.orglocalhost.evil.comlogback.qos.chlogsluci.appmanager-endpoint.commarketplace.visualstudio.commcp.alibaba-inc.commcp.clickhouse.cloudmermaid-js.github.iomermaid.js.orgmermaidjs.github.iometadatametadata.google.internalmetadata.localmetricsmetrics-hostmetrics-settingsminimax.iominimaxi.commirror.internalmodel-gateway.aliyun-inc.commodelscope.cnmodelscope.cn.evil.examplemodelstudio.console.alibabacloud.commy-collector.commy-iap-service.run.appmy-malicious-site.examplemy-proxy.minimaxi.commy-repo.commy-secret-proxymycoolproxy.whatever.comnew-endpoint.comnew-resource-url.comnews.google.comnot-token-plan.cn-beijing.maas.aliyuncs.comnotalibaba-inc.comnotaliyun-inc.comnotdashscope.aliyuncs.comnovac2c.cdn.weixin.qq.comnpm.imoapi.dingtalk.comoauth.qwen.comobjects.githubusercontent.comoncall.contoso.comone.exampleontheline.trincoll.eduopen.bigmodel.cnopen.feishu.cnopen.larksuite.comopenrouter.aiotelotel-tracesother-proxy.comother.comother.exampleotlp.example.com.evil.netp2parent.complatform.claude.complatform.minimaxi.complatform.openai.complay.googleapis.compolicies.google.compre4-chat.qwen.aiprivate.ipprocess.exampleprovider-a.exampleprovider-b.exampleproxy.exampleproxy.internalproxy.localproxy.otherproxy.parentproxy.routify.aipublic.ipqwen-code-assets.oss-cn-hangzhou.aliyuncs.comqwen-tracesqwenlm.github.ioraw.githubusercontent.comreact.devrefreshed-endpoint.comrefreshed-stream-endpoint.comregistry.npmjs.orgregistry.npmmirror.comrepo.contoso.comrouter.requesty.airuntime-proxy.localsafe.comsandbox.api.sgroup.qq.comsecond.examplesecret-proxysettingssettings-proxysettings.comsindresorhus.comsomesome-oauth-issued-endpoint.examplesome.gitstale.examplestorage.googleapis.comstream-endpoint.comsub.luci.appswagger.contoso.comt.metelegram.metemp-endpoint.comtest-endpoint.comtest-servertest-server.comtest.comtest.googleapis.comtest.proxy.comtests.contoso.comtoken-plan-cn.xiaomimimo.comtoken-plan.cn-beijing.maas.aliyuncs.comtoken-plan.cn-beijing.maas.aliyuncs.com.evil.comtoken.urltracestraces-collectortraces-hosttraces-settingstwo.exampleunpkg.comupload.wikimedia.orgus.api.deepseek.comus.i.posthog.comuser-proxy.examplevia.placeholder.comwebviewwiki.contoso.comworkspace-proxy.examplewww.alibabacloud.comwww.aliyun.comwww.allrecipes.comwww.contoso.comwww.foodnetwork.comwww.googleapis.comwww.minimax.iowww.modelscope.cnwww.slf4j.orgwww.typescriptlang.orgwww.w3.orgwww.youtube.comxx.comxn--googl-fsa.comyour-proxy.comyour-server.com
</> First-Party Code
first-party (java): packages/sdk-java/client
java first-partyexpand_more 2 low-confidence finding(s)
private String cwd = System.getProperty("user.dir");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (BufferedReader br = new BufferedReader(new InputStreamReader(Files.newInputStream(file.toPath()), charset), 16384)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (java): packages/sdk-java/qwencode
java first-partyexpand_more 1 low-confidence finding(s)
Map<String, String> env = new HashMap<>(System.getenv());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
ch.qos.logback:logback-classic
java dependencyexpand_more 1 low-confidence finding(s)
return System.getProperty(key);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
com.alibaba.fastjson2:fastjson2
java dependencyexpand_more 23 low-confidence finding(s)
String property = System.getProperty("fastjson2.creator");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String features = System.getProperty("fastjson2.features");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(PROPERTY_DENY_PROPERTY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(PROPERTY_AUTO_TYPE_ACCEPT);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(PROPERTY_AUTO_TYPE_BEFORE_HANDLER);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty(PROPERTY_AUTO_TYPE_HANDLER);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String property = System.getProperty("fastjson.parser.safeMode");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
property = System.getProperty("fastjson2.parser.safeMode");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return of(Files.newInputStream(file.toPath()), StandardCharsets.UTF_8);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new CSVReaderUTF8(Files.newInputStream(file.toPath()), StandardCharsets.UTF_8, types);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new CSVReaderUTF8(Files.newInputStream(file.toPath()), charset, consumer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new CSVReaderUTF16(new InputStreamReader(Files.newInputStream(file.toPath()), charset), consumer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
new InputStreamReader(Files.newInputStream(file.toPath()), charset), types
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new CSVReaderUTF8(Files.newInputStream(file.toPath()), charset, types);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Files.newInputStream(file.toPath()),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new CSVReaderUTF8(Files.newInputStream(file.toPath()), charset, objectClass);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (FileInputStream in = new FileInputStream(file)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (FileInputStream in = new FileInputStream(file)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String jmvName = System.getProperty("java.vm.name");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
graal = System.getProperty("org.graalvm.nativeimage.imagecode") != null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String javaSpecVer = System.getProperty("java.specification.version");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
commons-io:commons-io
java dependencyexpand_more 19 low-confidence finding(s)
return System.getProperty(property);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (InputStream inputStream = new CheckedInputStream(Files.newInputStream(file.toPath()), checksum)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (Reader input1 = new InputStreamReader(Files.newInputStream(file1.toPath()), charset);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Reader input2 = new InputStreamReader(Files.newInputStream(file2.toPath()), charset)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (InputStream fis = Files.newInputStream(input.toPath())) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return System.getProperty("java.io.tmpdir");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return System.getProperty("user.home");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
inputStream = Files.newInputStream(file.toPath());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new FileInputStream(file);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Files.readAllBytes(file.toPath());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return IOUtils.toString(() -> Files.newInputStream(file.toPath()), Charsets.toCharset(charsetName));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Files.readAllLines(file.toPath(), Charsets.toCharset(charset));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
try (InputStream inputStream1 = Files.newInputStream(nPath1, openOptions);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
InputStream inputStream2 = Files.newInputStream(nPath2, openOptions)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
final String property = key != null && !key.isEmpty() ? System.getProperty(key, defaultPath) : defaultPath;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return new String(Files.readAllBytes(path), Charsets.toCharset(charset));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Files.write(path, String.valueOf(charSequence).getBytes(Charsets.toCharset(charset)), openOptions);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this(Files.newInputStream(Objects.requireNonNull(file, "file")));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Files.newInputStream(outputPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
org.apache.commons:commons-lang3
java dependencyexpand_more 4 low-confidence finding(s)
final byte[] bytes = Files.readAllBytes(Paths.get(envVarFile));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return StringUtils.getIfEmpty(System.getProperty(property), defaultIfAbsent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
final String value = System.getenv(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return IS_OS_WINDOWS ? System.getenv("COMPUTERNAME") : System.getenv("HOSTNAME");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
org.slf4j:slf4j-api
java dependencyexpand_more 4 low-confidence finding(s)
String explicitlySpecified = System.getProperty(PROVIDER_PROPERTY_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String reportStreamStr = System.getProperty(SLF4J_INTERNAL_REPORT_STREAM_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String verbosityStr = System.getProperty(SLF4J_INTERNAL_VERBOSITY_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
result = System.getProperty(key);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- @qwen-code/sdk prod — dist-only: no readable source
- @qwen-code/channel-base prod — dist-only: no readable source
- @qwen-code/channel-dingtalk prod — registry 404
- @qwen-code/channel-wecom prod — registry 404
- @qwen-code/channel-qqbot prod — registry 404
- @qwen-code/channel-feishu prod — registry 404
- @qwen-code/channel-telegram prod — registry 404
- @qwen-code/channel-weixin prod — registry 404
- @qwen-code/web-templates prod — registry 404
- @codemirror/autocomplete prod — dist-only: no readable source
- @codemirror/commands prod — dist-only: no readable source
- @codemirror/language prod — dist-only: no readable source
- @codemirror/merge prod — dist-only: no readable source
- @codemirror/state prod — dist-only: no readable source
- @codemirror/view prod — dist-only: no readable source
- telegram-markdown-formatter prod — dist-only: no readable source
- @tencent-connect/qqbot-connector prod — dist-only: no readable source