Close Open Privacy Scan

bolt Snapshot: commit 289686a
science engine v3
schedule 2026-07-09T18:13:37.978881+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 6057 finding(s)

Dependency score: 0 (High risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

115 high 842 medium 5100 low
First-party packages: 7
Dependency packages: 93
Ecosystem: python

swap_horiz Confirmed data exfiltration in application code

External domains: ai-guard.aws.us.pangea.cloudai-guard.onyx.securityapi.aim.securityapi.aisec.catonetworks.comapi.anthropic.comapi.brightdata.comapi.cohere.comapi.cursor.comapi.deepseek.comapi.descope.comapi.dynamo.aiapi.enkryptai.comapi.firecrawl.devapi.github.comapi.greptile.comapi.hconeai.comapi.hiddenlayer.aiapi.hyperbrowser.aiapi.mistral.aiapi.openai.comapi.patronus.aiapi.sarvam.aiapi.smith.langchain.comapi.us1.zseclipse.netapi.vantage.shapi.x.aiapp.crewai.comauth.hiddenlayer.aicloud.langfuse.comcognitiveservices.azure.comdocs.litellm.aidoes-not-existgenerativelanguage.googleapis.comgithub.comlog.athina.ailogfire-api.pydantic.devlogin.microsoftonline.comnexus:8800openmeter.cloudpackages.unstructured.iopypi.orgraw.githubusercontent.comserver.lasso.securityservice.api.aisecurity.paloaltonetworks.comshell.singlestore.comus.i.posthog.comv2-api.scrapegraphai.com{FONT_LOC}

high pymongo User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:111 pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:116
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
high crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
high firecrawl-py User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:10 pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:20
high composio-core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:71 pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:107
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/cli/src/crewai_cli/model_catalog.py:550 repo/lib/cli/src/crewai_cli/model_catalog.py:551
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:27 repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:69 repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256
high first-party (python): lib/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/cli/src/crewai_cli/model_catalog.py:550 repo/lib/cli/src/crewai_cli/model_catalog.py:551
high first-party (python): lib/crewai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:27 repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:69 repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
high first-party (python): lib/crewai-tools User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
hub Dependency data flows (53)
high uv dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:782 pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:794
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/__init__.py:66 pkgs/python/[email protected]/e2b/api/__init__.py:65
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/client/client.py:230 pkgs/python/[email protected]/e2b/api/client/client.py:232
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/client/client.py:266 pkgs/python/[email protected]/e2b/api/client/client.py:268
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client/client.py:230 pkgs/python/[email protected]/e2b/volume/client/client.py:232
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client/client.py:266 pkgs/python/[email protected]/e2b/volume/client/client.py:268
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:17 pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:16
high e2b dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:16 pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:15
high mcp dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452
high crewai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:256 pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:256
high mem0ai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:105 pkgs/python/[email protected]/mem0/client/main.py:128
high mem0ai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:992 pkgs/python/[email protected]/mem0/client/main.py:1015
high mem0ai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:1044 pkgs/python/[email protected]/mem0/client/main.py:1041
high mem0ai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/llms/sarvam.py:47 pkgs/python/[email protected]/mem0/llms/sarvam.py:81
high openai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:239 pkgs/python/[email protected]/src/openai/lib/azure.py:278
high openai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:563 pkgs/python/[email protected]/src/openai/lib/azure.py:602
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:110 pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:108
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/bedrock/files/handler.py:122 pkgs/python/[email protected]/litellm/llms/bedrock/files/handler.py:136
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:541 pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:556
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1085 pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1094
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:77 pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:83
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/sagemaker/completion/handler.py:560 pkgs/python/[email protected]/litellm/llms/sagemaker/completion/handler.py:625
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:38 pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:41
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:79 pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:89
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:196 pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:205
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:259 pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:268
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:382 pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:391
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:573 pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:582
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2061 pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2088
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy_auth/credentials.py:161 pkgs/python/[email protected]/litellm/proxy_auth/credentials.py:160
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:101 pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:98
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:125 pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:122
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:186 pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:183
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:209 pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:206
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:121 pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:119
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:140 pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:138
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:190 pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:188
high litellm dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:215 pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:213
high anthropic dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:384 pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:384
high anthropic dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_workload.py:179 pkgs/python/[email protected]/src/anthropic/lib/credentials/_workload.py:179
high crewai-cli dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:550 pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:551
high crewai-tools dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:27 pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:45
high crewai-tools dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:69 pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:71
high firecrawl-py dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:689 pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:687
high firecrawl-py dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:1255 pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:1253
high firecrawl-py dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/v1/client.py:767 pkgs/python/[email protected]/firecrawl/v1/client.py:765
high firecrawl-py dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/v1/client.py:1420 pkgs/python/[email protected]/firecrawl/v1/client.py:1418
high singlestoredb dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:172 pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:173
high tavily-python dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/tavily/async_tavily.py:106 pkgs/python/[email protected]/tavily/async_tavily.py:113
high tavily-python dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/tavily/async_tavily.py:59 pkgs/python/[email protected]/tavily/async_tavily.py:118
high databricks-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/config.py:600 pkgs/python/[email protected]/databricks/sdk/config.py:602
high databricks-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:340 pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:341
high databricks-sdk dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:21 pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:23

</> First-Party Code

first-party (python)

python first-party
high pii_flow production #79b5c0d0b923fe2e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/cli/src/crewai_cli/model_catalog.py:551 · flow /tmp/closeopen-2ddpso8x/repo/lib/cli/src/crewai_cli/model_catalog.py:550 → /tmp/closeopen-2ddpso8x/repo/lib/cli/src/crewai_cli/model_catalog.py:551
    response = httpx.get(
        url,
        headers=headers,
        params=params,
        timeout=_TIMEOUT,
        verify=ssl_config,
        follow_redirects=True,
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #075d705eb06e0d70 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:27 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45
        response = requests.request(
            "POST",
            execute_url,
            headers=headers,
            json=action_params,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6f1a3775f2311708 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:69 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71
        response = requests.request(
            "GET",
            ACTIONS_URL,
            headers=headers,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b9ab7d75d8ec8803 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
            response = requests.get(
                self.search_url, headers=headers, params=payload, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7383a3f39520d3f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
            response = requests.post(
                self.base_url, json=request_params, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d84331e262f9bc6a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
            response = requests.post(
                self.base_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #606a8dc0265f49ed User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #54ee6e5991bc6a7d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
                result = requests.get(status_url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ba9b0f1f50f6dc1a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
            result = requests.get(
                results_url,
                headers=headers,
                params={"output_types": ",".join(output_types)},
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d9377578c7ac6ad5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
        response = requests.get(url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8a8a4218787cbdd5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a464a42eaa43caf8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
            response = requests.post(
                url=api_url,
                headers=headers,
                json=payload,
                timeout=60,
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #adfac052e0d07507 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
            response = requests.get(
                actions_url,
                headers=headers,
                timeout=30,
                params={"apps": ",".join(self._apps)},
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #19504e9468156b17 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
            resp = requests.post(
                self.search_url, json=payload, headers=headers, timeout=request_timeout
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0fb5ac381c5d7883 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #006e935f1229a921 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e669c0759e283e2b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2b013e003a3ad541 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #82ecdd44be15299f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
            response = requests.post(
                search_url, headers=headers, json=payload, timeout=10
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #46de3990eec5cbbc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ee26149bf95e3160 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 → /tmp/closeopen-2ddpso8x/repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256
        client.auth = DigestAuth(self.username, self.password)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #ccb66d6d6a9e484e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:22
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #92cf22690d1c9399 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:23
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #64c395665ae0cefe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:24
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4b3954aa0e2e53c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:25
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec54aad48f80091a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:26
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #136419512cbb1003 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:30
from opentelemetry.trace import ProxyTracerProvider, Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fccc3a27c1afadc3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:21
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e27e3ea26ae40128 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:22
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3305ed9943078756 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:42
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #401599838cd50a96 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crews/utils.py:9
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69d037a12a428c28 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/flow/runtime/__init__.py:35
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9d5aeac41ad132fe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/flow/runtime/__init__.py:36
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #165c9f421cdb0bab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:23
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2bcf559124aeb619 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:24
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bdf8f6b21499acb0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:27
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ac5f65702db3cc3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:28
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #898d613a10745731 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:29
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e1615a76b19fc9f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:33
from opentelemetry.trace import ProxyTracerProvider, Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cae7662201847c78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/utils.py:11
from opentelemetry.trace import Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #477a05c133423098 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/utilities/crew/crew_context.py:5
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 390 low-confidence finding(s)
low env_fs production #96f971b2deda9b1f Environment-variable access.
repo/conftest.py:241
        os.environ["CREWAI_STORAGE_DIR"] = str(storage_dir)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace4ef802a022dc1 Environment-variable access.
repo/conftest.py:242
        os.environ["CREWAI_TESTING"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b5ada2b09a6b32c Environment-variable access.
repo/conftest.py:247
            os.environ.pop("CREWAI_TESTING", "true")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #459c2be2e36f1bb5 Environment-variable access.
repo/conftest.py:248
            os.environ.pop("CREWAI_STORAGE_DIR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e75cbad9097ee1a8 Environment-variable access.
repo/conftest.py:249
            os.environ.pop("CREWAI_DISABLE_TELEMETRY", "true")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8201c7d75282f210 Environment-variable access.
repo/conftest.py:250
            os.environ.pop("OTEL_SDK_DISABLED", "true")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63270507a4a16e4c Environment-variable access.
repo/conftest.py:251
            os.environ.pop("OPENAI_BASE_URL", "https://api.openai.com/v1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fdd4798c0fc019c Environment-variable access.
repo/conftest.py:252
            os.environ.pop("OPENAI_API_BASE", "https://api.openai.com/v1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5bea1959baf2e5ec Environment-variable access.
repo/conftest.py:416
        "record_mode": os.getenv("PYTEST_VCR_RECORD_MODE", "once"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02fae027a4d63963 Environment-variable access.
repo/conftest.py:424
    if os.getenv("GITHUB_ACTIONS") == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c466cc3ac0b07630 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:85
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d898c0346162fe5 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:233
            with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b985bcdfcea5123 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:254
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #608c49cd572b7531 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:265
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a137abf8860958d Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:694
    if os.environ.get("CREWAI_EXPERIMENTAL") != "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04a3c9e3fa392db Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:956
    crewai_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08ecb065a8ebbe48 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:970
    crewai_testing = os.getenv("CREWAI_TESTING", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #699eefc6ce689aa2 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:974
    crewai_user_id = os.getenv("CREWAI_USER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5af5a426f1521eb4 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:978
    crewai_org_id = os.getenv("CREWAI_ORG_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b7133f11306e5d9 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:1072
    env_enabled = os.getenv("CREWAI_TRACING_ENABLED", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4400a4b783b3465 Filesystem access.
repo/lib/cli/src/crewai_cli/create_crew.py:32
    with open(template_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e9a13f50b802de4 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:47
    with open(project_root / ".env", "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46f61ffdab12f93a Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:70
            with open(src_file, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #406257ba438e24bb Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:83
        with open(dst_file, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3d4db5192e13725 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:142
        content = src_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #436fa64b86edb376 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:149
        dst_file.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #307e52e9128c1121 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:151
    (project_root / ".env").write_text("OPENAI_API_KEY=YOUR_API_KEY", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24b889304fd607d Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:152
    (package_root / "__init__.py").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab2c2445c202b5a3 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:154
        (package_root / folder / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81ba1b07475e414d Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:830
    path.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f44775a641387be2 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:932
    (folder_path / "pyproject.toml").write_text(
        _render_json_crew_template(
            "pyproject.toml",
            {
                "folder_name": folder_name,
                "name": name,
                "crewai_tools_dependency": get_crewai_tools_dependency(),
            },
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619858607faafcfe Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:945
    (folder_path / ".gitignore").write_text(
        _render_json_crew_template(".gitignore"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8488d6135f468f85 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:951
    (folder_path / "README.md").write_text(
        _render_json_crew_template("README.md", {"name": name}),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9c2af0d4af603b2 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:957
    (folder_path / "knowledge" / "user_preference.txt").write_text(
        _render_json_crew_template("knowledge/user_preference.txt"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f343fc527364f623 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:963
    (folder_path / "skills" / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b48cfc96435f05c Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:67
            content = env_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13edc35b7650df31 Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:71
            env_file.write_text(f"{content}{sep}{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48659a3db75f20e6 Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:73
            env_file.write_text(f"{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cca9e005d9d27f3 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:286
            referenced.update(pattern.findall(crew_path.read_text(errors="ignore")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a43689128fa9f15 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:296
                    pattern.findall(agent_path.read_text(errors="ignore"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bbfc7fda57d8749 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:305
                text = py_path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fce2dbf9c959ee6 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:321
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01a0b29847a3d408 Environment-variable access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:332
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #486f66e4000dbe10 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:873
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d77b7d1b08d48dcc Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:880
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30c54102c89a835e Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:888
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ec28441cf2ce19f Environment-variable access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:899
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a89a5c71c9d3d15 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:931
            text = lockfile.read_text(errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cd30861480bc92c Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:66
        skill_md.write_text(_SKILL_MD_TEMPLATE.format(name=name))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb53d0a95ca54a70 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:173
                (cache_dir / ".crewai_meta.json").write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea54c5c3429e7c62 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:189
            frontmatter = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bc8e876d8a1f280 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:280
                            meta = json.loads(meta_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63ec0391789aac63 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:371
            fm = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bb0719eb048008d Filesystem access.
repo/lib/cli/src/crewai_cli/git.py:166
        existing = exclude_file.read_text() if exclude_file.exists() else ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e0a20d2edde85a1 Filesystem access.
repo/lib/cli/src/crewai_cli/git.py:178
        exclude_file.write_text(
            f"{existing}{prefix}# CrewAI deploy auto-commit excludes\n{patterns}\n"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1093f3f2f22164f4 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:79
        value = os.environ.get(env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f063e21c6c12543 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:302
        os.environ.get("OLLAMA_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d0ec9d6be3c7bd3 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:303
        or os.environ.get("API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa3fc7dae2b6ef37 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:304
        or os.environ.get("OLLAMA_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6e6b64a57c6c356 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:414
        cache_file.write_text(json.dumps(data), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac647b2c97987aa Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:550
    ssl_config = os.environ.get("SSL_CERT_FILE") or certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5d9b6040e1548e7 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:585
        data: dict[str, Any] = json.loads(path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95f00e344905b5e0 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:673
        cache_file.write_text(json.dumps(payload), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f2e3df452268cb7 Filesystem access.
repo/lib/cli/src/crewai_cli/provider.py:149
        with open(cache_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d50eb053b1480b3 Environment-variable access.
repo/lib/cli/src/crewai_cli/provider.py:165
    ssl_config = os.environ["SSL_CERT_FILE"] = certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ad68d14ccc619ce Filesystem access.
repo/lib/cli/src/crewai_cli/provider.py:171
            with open(cache_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #89d6b53dedcca19b Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/cli/src/crewai_cli/remote_template/main.py:166
                response = httpx.get(url, params=params, timeout=15)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8019a9e0926ffc96 Filesystem access.
repo/lib/cli/src/crewai_cli/remote_template/main.py:249
                    with zf.open(member) as src, open(target, "wb") as dst:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d425649b16d680e4 Environment-variable access.
repo/lib/cli/src/crewai_cli/run_crew.py:321
        os.environ[CREWAI_TRAINED_AGENTS_FILE_ENV] = trained_agents_file

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc80226a4172eca6 Environment-variable access.
repo/lib/cli/src/crewai_cli/run_declarative_flow.py:319
    return os.environ.get("UV_RUN_RECURSION_DEPTH") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #118e61d144778b6d Environment-variable access.
repo/lib/cli/src/crewai_cli/settings/main.py:45
        env_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f40083ef810fb96c Filesystem access.
repo/lib/cli/src/crewai_cli/templates/flow/main.py:49
        with open(output_dir / "post.md", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ca2b827819820ea Environment-variable access.
repo/lib/cli/src/crewai_cli/tools/main.py:147
        build_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44f030cec8e58fcb Filesystem access.
repo/lib/cli/src/crewai_cli/tools/main.py:180
            with open(tarball_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e9fbbd890a8c35a Filesystem access.
repo/lib/cli/src/crewai_cli/update_crew.py:96
    with open(output_file, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbdcd0e4ab0da812 Environment-variable access.
repo/lib/cli/src/crewai_cli/utils.py:53
    value = os.environ.get("CREWAI_DMN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86dd8dc82342a6ab Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:86
    with open(dst, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6439a4d75c87de84 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:94
    content = src.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be41757c59f6f51b Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:104
        with open(env_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18ede37962b0af16 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:142
            with open(filepath, "r", encoding="utf-8", errors="ignore") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9f74a6f37a04ad1 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:144
            with open(filepath, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #649e89847a593a24 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:165
        with open(env_file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9e7b363570b5982 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:176
    with open(env_file_path, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7efabf1204b42d13 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/lock_store.py:33
_REDIS_URL: str | None = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e02801dd505e09ee Environment-variable access.
repo/lib/crewai-core/src/crewai_core/paths.py:13
    return os.environ.get("CREWAI_STORAGE_DIR", Path.cwd().name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d19a975f7ae1c9a4 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/plus_api.py:168
            os.getenv("CREWAI_PLUS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a70a6bba5217ab5 Filesystem access.
repo/lib/crewai-core/src/crewai_core/project.py:26
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be9c9ed733e36c3c Filesystem access.
repo/lib/crewai-core/src/crewai_core/project.py:163
        with open(pyproject_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65c8d541717488c3 Filesystem access.
repo/lib/crewai-core/src/crewai_core/settings.py:97
                test_file.write_text("test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d4b3eb1102165db Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:125
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ac22a9ed63af0b9 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:126
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b4fe1e24cb9b186 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:127
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e085dc024281f2a9 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/token_manager.py:88
            base_path = os.environ.get("LOCALAPPDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2966768ef726a2 Filesystem access.
repo/lib/crewai-core/src/crewai_core/token_manager.py:150
            with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa65c777a267d098 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/tool_credentials.py:24
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4cd15915e036cea Environment-variable access.
repo/lib/crewai-core/src/crewai_core/tool_credentials.py:42
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40698d861f5819da Filesystem access.
repo/lib/crewai-core/src/crewai_core/user_data.py:39
            return cast(dict[str, Any], json.loads(p.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #051c0b8fbf7040fe Filesystem access.
repo/lib/crewai-core/src/crewai_core/user_data.py:49
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad049ad6eac701fe Environment-variable access.
repo/lib/crewai-core/src/crewai_core/user_data.py:86
    if os.getenv("CREWAI_TRACING_ENABLED", "false").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05492be552001bfd Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:117
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #3a61e49cc9b4d23f Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-core/src/crewai_core/version.py:125
        with request.urlopen(
            "https://pypi.org/pypi/crewai/json", timeout=timeout
        ) as response:

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #5ca3ad4e9564d449 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:142
            cache_file.write_text(json.dumps(cache_data))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b4c1666f05f25e0 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:154
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8ffeb0ea3a830c4 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:168
        cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213637b68b923397 Filesystem access.
repo/lib/crewai-files/src/crewai_files/core/sources.py:263
            self._content = self.path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84971148131d7701 Filesystem access.
repo/lib/crewai-files/src/crewai_files/core/sources.py:282
        with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2570d69d08d0efd Environment-variable access.
repo/lib/crewai-files/src/crewai_files/formatting/api.py:294
        s3_bucket = os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4f33612d49f378d Environment-variable access.
repo/lib/crewai-files/src/crewai_files/formatting/api.py:333
        s3_bucket_owner = os.environ.get("CREWAI_BEDROCK_S3_BUCKET_OWNER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #790638d83660f7e6 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/anthropic.py:39
        self._api_key = api_key or os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae084e0296c027ba Filesystem access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:94
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54f22b2db78c9718 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:128
        self._bucket_name = bucket_name or os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eeb1944d7fa9e162 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1656c663e0e6c7c Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(
            "CREWAI_BEDROCK_S3_BUCKET_OWNER"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #318d866251787dc8 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d662c81220b4035 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23072015567b480a Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:134
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05d1a39eed74a47e Filesystem access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:269
                with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1200b63f323ca91b Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/factory.py:192
            not os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66d09f60e0093e0d Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/gemini.py:108
        self._api_key = api_key or os.environ.get("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #236b7cf5722e0e41 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/openai.py:136
        self._api_key = api_key or os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31996d318627a3ad Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:14
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c60516186d8e73b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #555a812d1919d387 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(
            "CREWAI_ENTERPRISE_TOOLS_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7a1b2d56115ed47 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:62
        self.api_key = api_key or os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b16c21d2aa89f0a1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:60
        self.agent_id = agent_id or os.getenv("BEDROCK_AGENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cefed0add51e0c75 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:61
        self.agent_alias_id = agent_alias_id or os.getenv("BEDROCK_AGENT_ALIAS_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a1ae0d1a5b70fc7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:105
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f289ed11728d458f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:106
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66ed2ea49dae1c3d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:60
        self.knowledge_base_id = knowledge_base_id or os.getenv("BEDROCK_KB_ID")  # type: ignore[assignment]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25b0d3dd9b44795f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:196
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5602ab6a97b5ba9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:197
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c76187ab966f587a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:35
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e64b8951b17856b8 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:36
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c5fab3a045537b1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:37
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ca90eb04ed310f7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:36
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #692203e3f49f6bef Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:37
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a49f0cb97a5ffb Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:38
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d389c8b81fd9f4d9 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/generate_tool_specs.py:190
        with open(output_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6827dc578cb34f1a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/rag/embedding_service.py:108
            return os.getenv(env_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acd53115b96a036c Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/csv_loader.py:29
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e132dd3d1ffdb374 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/json_loader.py:28
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e89aaa014962e32e Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/mdx_loader.py:36
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d136d41c5ac85b81 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/text_loader.py:15
        with open(source_content.source, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c65ee4656d784e76 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/xml_loader.py:37
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25e7919a97f5fc75 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/security/safe_path.py:52
    return os.environ.get(_UNSAFE_PATHS_ENV, "").lower() in ("true", "1", "yes")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f11ce03d650cc38b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/ai_mind_tool/ai_mind_tool.py:47
        self.api_key = api_key or os.getenv("MINDS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cfbec5d9f4e3472 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/apify_actors_tool/apify_actors_tool.py:58
        if not os.environ.get("APIFY_API_TOKEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fe752600c1b28e3 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/base.py:26
    with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aa7df2a5f380ad4 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/base.py:126
        self._api_key = api_key or os.environ.get("BRAVE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b3bbf785272c872 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:55
        if "BRAVE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c7c918e3e8ff554 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129
                "X-Subscription-Token": os.environ["BRAVE_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4fb19011df06447 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:20
            API_URL=os.environ.get("BRIGHTDATA_API_URL", "https://api.brightdata.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67f4976e96c06545 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:21
            DEFAULT_TIMEOUT=int(os.environ.get("BRIGHTDATA_DEFAULT_TIMEOUT", "600")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d06762885e34856 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:23
                os.environ.get("BRIGHTDATA_DEFAULT_POLLING_INTERVAL", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56de010405db2119 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:481
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b62f4d1cb62e5d08 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:578
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b181207e1a0bc32 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a95f6d526a8a979 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37d6da93a303b3aa Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:125
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d04dd9a47b823f11 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:126
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7639f4a961a0c2c6 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d81c17c7edbba18 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45745c4d348dd1b8 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:99
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0230350a49896434 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:100
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e805f142c23a6234 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:16
    api_key: str | None = os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31eab8f9e69b1125 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:17
    project_id: str | None = os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #087cf11164ed2088 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_create_agent_tool/contextual_create_agent_tool.py:65
                with open(doc_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131453548e278d79 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:78
            with open(file_path, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8131789ea62c4d13 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #252bf20636be0efb Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #d6c30fb2bd86496d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8364a5ee3e9cef5b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98717797cb5b4137 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/misc.py:6
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b0103a1da387c48 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/misc.py:12
    token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #720d9890a7e78123 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:145
        has_profile = "DATABRICKS_CONFIG_PROFILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de82db3a5a52fc0e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:147
            "DATABRICKS_HOST" in os.environ and "DATABRICKS_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ed57a68cb1998bf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:35
        default_factory=lambda: os.getenv("DAYTONA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a0dcfdcf05b408a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:40
        default_factory=lambda: os.getenv("DAYTONA_API_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36b3dba6bd4e5481 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:45
        default_factory=lambda: os.getenv("DAYTONA_TARGET"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #625d0d526b35128f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:36
            SecretStr(val) if (val := os.getenv("E2B_API_KEY")) else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cba09ad2da838de Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:43
        default_factory=lambda: os.getenv("E2B_DOMAIN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b777809b2603fe0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/exa_tools/exa_search_tool.py:58
        default_factory=lambda: os.getenv("EXA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f556cf2b346a334d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/exa_tools/exa_search_tool.py:63
        default_factory=lambda: os.getenv("EXA_BASE_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80ea09edd377d92d Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/file_read_tool/file_read_tool.py:93
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #366de4d296af40dd Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/file_writer_tool/file_writer_tool.py:70
            with open(real_filepath, mode) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36d0d5b6586370e3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:28
        default_factory=lambda: os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e5d2709c97c2239 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:32
        default_factory=lambda: os.getenv("CREWAI_PERSONAL_ACCESS_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b0c07e6c5f58d69 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/hyperbrowser_load_tool/hyperbrowser_load_tool.py:49
        self.api_key = api_key or os.getenv("HYPERBROWSER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9095d41351c2e499 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/linkup/linkup_search_tool.py:54
        self._client = LinkupClient(api_key=api_key or os.getenv("LINKUP_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80611fc92fa8aad3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/merge_agent_handler_tool/merge_agent_handler_tool.py:65
        api_key = os.environ.get("AGENT_HANDLER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e3590fdce059fa9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:124
        if "AZURE_OPENAI_ENDPOINT" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #744c03e09331853c Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:126
        elif "OPENAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60306b6b97bb0428 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/multion_tool/example.py:7
os.environ["OPENAI_API_KEY"] = "Your Key"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4320958a493b5499 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/multion_tool/multion_tool.py:52
        self.multion = MultiOn(api_key=api_key or os.getenv("MULTION_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db9a16849cda6813 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/nl2sql/nl2sql_tool.py:256
        if os.environ.get("CREWAI_NL2SQL_ALLOW_DML", "").strip().lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d08160b9f1b89a39 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/ocr_tool/ocr_tool.py:104
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2c8634e9d6ce802 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:146
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12e229b3ce403db9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:147
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d29238a8edb2ed4b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:148
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de57feedb23602c0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:149
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7698c45956b94d3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:151
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #641e7321d7e607d1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:152
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12ae37d4e9ec3577 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:142
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5b0c1e3ebd59d13 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:143
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc722fbbc20fdeba Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78
        api_key = os.environ.get("PARALLEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8a635c6911ca241c Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b2bfaa68245e111d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ad4bda867d334480 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #5e33129904dce3ac Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37bb02f1f2c7ade2 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0533c07414da4c94 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b6ad798747ed035 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/qdrant_vector_search_tool/qdrant_search_tool.py:113
                    .Client(api_key=os.getenv("OPENAI_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61f4c4a3da3c86af Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrape_element_from_website/scrape_element_from_website.py:68
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #951c7e19eab0b9ab Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrape_website_tool/scrape_website_tool.py:67
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a39633df8978390d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrapegraph_scrape_tool/scrapegraph_scrape_tool.py:113
        self.api_key = api_key or os.getenv("SCRAPEGRAPH_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #562ce82526cfe7c4 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrapfly_scrape_website_tool/scrapfly_scrape_website_tool.py:66
        self.scrapfly = ScrapflyClient(key=api_key or os.getenv("SCRAPFLY_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0c1a1f5d2bd7c9e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serpapi_tool/serpapi_base_tool.py:44
        api_key = os.getenv("SERPAPI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e35e259cbe08c3be Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:94
        with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0f1719e0782b9c5 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251
            "X-API-KEY": os.environ["SERPER_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a0a910700c34612 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52
            api_key = os.getenv("SERPER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #bd9745672cc71871 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ede578aff82dca99 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_job_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeabb1537d3a734e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_news_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0efcca8944f5cc15 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_scholar_search_tool.py:51
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #412fbe56d69074bc Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_web_search_tool.py:67
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87762e3d65ddacaf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_webpage_to_markdown_tool.py:31
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56e2ffaedd57abca Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/snowflake_search_tool/snowflake_search_tool.py:188
            with open(self.config.private_key_path, "rb") as key_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5ff3f2df994d6da Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:34
browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #509739630e8ddbd0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:35
browserbase_project_id = os.environ.get("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #901c40cfac5ffcaf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:36
model_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0dd3eed6071c3b9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:208
        self.api_key = api_key or os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e344cf334931405f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:209
        self.project_id = project_id or os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8935a2469294316d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:263
            return self.model_api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d2aa4d399d6ed5b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:265
            return self.model_api_key or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #642b90030bb863d2 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:267
            return self.model_api_key or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2cb50cefdc17575 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:271
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90f0ba2c604ef928 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:272
            or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d13023404a19d9e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_extractor_tool/tavily_extractor_tool.py:62
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cd3ba845126b981 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_get_research_tool/tavily_get_research_tool.py:56
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef3f11824d2004d7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_research_tool/tavily_research_tool.py:92
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8efe13c14dd50616 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_search_tool/tavily_search_tool.py:61
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f943cad19c98800 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/vision_tool/vision_tool.py:140
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd98da85795f5035 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/weaviate_tool/vector_search.py:89
            openai_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99131fa85fcdfe3f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/zapier_action_tool/zapier_action_tool.py:23
        zapier_api_key = os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9848b45b4b2974d3 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:112
            root_certs = Path(self.ca_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ad84a7d29700575 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:115
            private_key = Path(self.client_key_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #449f78a2ba7d05a3 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:116
            certificate_chain = Path(self.client_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e510b93e861c917 Environment-variable access.
repo/lib/crewai/src/crewai/a2a/auth/server_schemes.py:151
        return os.environ.get("AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #134516de69dba9ad Filesystem access.
repo/lib/crewai/src/crewai/a2a/config.py:130
            return Path(self.private_key_path).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09287a6c081f4f3a Environment-variable access.
repo/lib/crewai/src/crewai/a2a/utils/task.py:102
_redis_url = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55be86347174c858 Environment-variable access.
repo/lib/crewai/src/crewai/agent/core.py:1209
            else os.getenv(CREWAI_TRAINED_AGENTS_FILE_ENV, TRAINED_AGENTS_DATA_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adaab7a696824402 Environment-variable access.
repo/lib/crewai/src/crewai/context.py:47
        token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a8f3c574c60a793 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/trace_listener.py:194
            "user_id": os.getenv("CREWAI_USER_ID", "anonymous"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45fc1409cc904ac3 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/trace_listener.py:195
            "organization_id": os.getenv("CREWAI_ORG_ID", ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596903cea236ad4f Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:128
    env_value = os.getenv("CREWAI_TRACING_ENABLED", "").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48dc9e3a02b90aa6 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:188
    return os.environ.get("CREWAI_TESTING", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0429ad5385f572b9 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:297
                content = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6019155d67a3c61 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d03a4a776551c2d Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52a959fe76330e1f Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:342
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c277ee17d2e2187 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:380
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fbf471c6a9b5074 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:412
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c94c015ee303b187 Environment-variable access.
repo/lib/crewai/src/crewai/events/utils/console_formatter.py:70
        if os.getenv("CI", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bae8b908e91ff848 Environment-variable access.
repo/lib/crewai/src/crewai/events/utils/console_formatter.py:73
        if os.getenv("CREWAI_DISABLE_VERSION_CHECK", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #929933f91b0997d9 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:42
            with open(filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48200b3cc8603d07 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:58
                with open(baseline_filepath, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a583728b2fb46104 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:73
                with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9e4ed16aa0251ae Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:91
            with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b92cb85ca104d2c Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/_flag.py:16
    return os.environ.get(ENV_VAR) == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4ceb658217008c0 Filesystem access.
repo/lib/crewai/src/crewai/experimental/skills/cache.py:91
        (skill_dir / _META_FILENAME).write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d35a0757ae43e0e7 Filesystem access.
repo/lib/crewai/src/crewai/experimental/skills/cache.py:106
                        results.append(json.loads(meta_file.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6970ebb8f318914 Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/registry.py:76
        os.environ.get("CI") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be59023f0fc0ab5a Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/registry.py:77
        or os.environ.get("CREWAI_NONINTERACTIVE") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93e111edeb9ba408 Filesystem access.
repo/lib/crewai/src/crewai/flow/flow_definition.py:824
            contents = source_path.expanduser().read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fbe56f39f80991a Environment-variable access.
repo/lib/crewai/src/crewai/flow/runtime/_actions.py:238
        raw = os.environ.get(_ALLOW_SCRIPT_EXECUTION_ENV_VAR, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6742e0d48721e45 Filesystem access.
repo/lib/crewai/src/crewai/flow/skill.py:90
    example_yaml = (_TEMPLATES_DIR / "flow_definition_example.yaml").read_text(
        encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2caa2a3ac8340ab Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:414
    css_content = css_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #156d445c30c3fdd7 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:421
    css_output_path.write_text(css_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3adcb20ebdd26d60 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:424
    js_content = js_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71c18237dd9a6dad Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:438
    js_output_path.write_text(js_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63badabcb6df506 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:461
    output_path.write_text(html_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6c7052e883d6c81 Environment-variable access.
repo/lib/crewai/src/crewai/knowledge/knowledge.py:66
os.environ["TOKENIZERS_PARALLELISM"] = "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34cff4d284dd3e60 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/csv_knowledge_source.py:17
            with open(file_path, "r", encoding="utf-8") as csvfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e04f9dd3efbdfc18 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/json_knowledge_source.py:18
            with open(path, "r", encoding="utf-8") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c759c69249ba0ac4 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/text_file_knowledge_source.py:17
            with open(path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f32e1b0417c1160c Environment-variable access.
repo/lib/crewai/src/crewai/llm.py:2484
            success_callbacks_str = os.environ.get("LITELLM_SUCCESS_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #276804241c9816f2 Environment-variable access.
repo/lib/crewai/src/crewai/llm.py:2491
            failure_callbacks_str = os.environ.get("LITELLM_FAILURE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386008dfb8ce61eb Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/anthropic/completion.py:256
            self.api_key = os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f4284114cdffee6 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:122
        data["api_key"] = data.get("api_key") or os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35ac5f4f5137414d Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:125
            or os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1759c604196bdf4a Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:126
            or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdc02e0ece3d2bdc Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:127
            or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f1f57843f9d05c7 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:130
            data.get("api_version") or os.getenv("AZURE_API_VERSION") or "2024-06-01"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fcb26af986bf969 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:164
        raw = os.getenv("AZURE_CREDENTIAL_SCOPES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8452cd2a2b844056 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:271
            self.api_key = os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74536d61ca6dca94 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:274
                os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f08137f75e28542e Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:275
                or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f477338efd8e7f6 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:276
                or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc08a282ffba62ba Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:275
        data["aws_access_key_id"] = data.get("aws_access_key_id") or os.getenv(
            "AWS_ACCESS_KEY_ID"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91d8ec1b01814744 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:278
        data["aws_secret_access_key"] = data.get("aws_secret_access_key") or os.getenv(
            "AWS_SECRET_ACCESS_KEY"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec09348fe8a5e37e Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:281
        data["aws_session_token"] = data.get("aws_session_token") or os.getenv(
            "AWS_SESSION_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2bd2047b2e121c8 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:286
            or os.getenv("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b76ccb01e46d47f0 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:287
            or os.getenv("AWS_REGION_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6f14fc19598858a Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:84
            or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #044be4828bcdfacd Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:85
            or os.getenv("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27bbde4d8d192c90 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:87
        data["project"] = data.get("project") or os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e261a4cca724e7f Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:89
            data.get("location") or os.getenv("GOOGLE_CLOUD_LOCATION") or "us-central1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c059b6d6a3ca05fe Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:94
            use_vx = os.getenv("GOOGLE_GENAI_USE_VERTEXAI", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2f1e18660a1032 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7debb4951ee96ed2 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(
                    "GEMINI_API_KEY"
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7323a96d7f7ff304 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:137
                self.project = os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #894597f54a62ef6d Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:250
        data["api_key"] = data.get("api_key") or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f48255ed45696263 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:364
            self.api_key = os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea536412e0eee779 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:374
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e27acbf15912bdea Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai_compatible/completion.py:189
        env_key = os.getenv(config.api_key_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0a001960af494f3 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai_compatible/completion.py:220
            env_value = os.getenv(config.base_url_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7779bacf3a24df30 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:93
                token = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0593c2270b281f8 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:114
        account_url = data.get("account_url") or os.getenv("SNOWFLAKE_ACCOUNT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #755cc9226f12af78 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:122
            or os.getenv("SNOWFLAKE_ACCOUNT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6f66ec8e61898cc Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:123
            or os.getenv("SNOWFLAKE_ACCOUNT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44faeb460dc6d68b Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:124
            or os.getenv("SNOWFLAKE_ACCOUNT_IDENTIFIER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56465e7ea847360e Environment-variable access.
repo/lib/crewai/src/crewai/memory/storage/lancedb_storage.py:68
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #307c6ca5d562a04e Environment-variable access.
repo/lib/crewai/src/crewai/memory/storage/qdrant_edge_storage.py:104
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2403fe87f85e4325 Filesystem access.
repo/lib/crewai/src/crewai/project/crew_base.py:391
        with open(config_path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c07cd57be4ced19f Filesystem access.
repo/lib/crewai/src/crewai/project/json_loader.py:209
    return parse_jsonc(path.read_text(encoding="utf-8"), source=path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438927fbaa467372 Environment-variable access.
repo/lib/crewai/src/crewai/rag/chromadb/config.py:61
            api_key=os.getenv("OPENAI_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90d2542684a09f12 Filesystem access.
repo/lib/crewai/src/crewai/skills/parser.py:89
    content = path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afa0a07aaf2dd216 Filesystem access.
repo/lib/crewai/src/crewai/state/provider/json_provider.py:66
        with open(file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9eee7ee027b026d1 Filesystem access.
repo/lib/crewai/src/crewai/state/provider/json_provider.py:132
        return Path(location).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d140077847448be Filesystem access.
repo/lib/crewai/src/crewai/state/provider/utils.py:29
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87502d1872a3c997 Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:151
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09e4d191572e00d4 Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:152
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fbaabccda27686d Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:153
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53eb04892c13a051 Environment-variable access.
repo/lib/crewai/src/crewai/types/callback.py:27
    raw = os.environ.get("CREWAI_DESERIALIZE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #587c717bbc8daadf Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:20
    return any(os.environ.get(var) for var in CODEX_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8e039619474da4f Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:24
    return any(os.environ.get(var) for var in CURSOR_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #400a060ce8b92185 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:32
    if os.environ.get(CC_ENV_VAR):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25a8d5b6af778f49 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:94
                        with open(self._path, encoding="utf-8") as read_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5a52bc744ce593a Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:100
                    with open(self._path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8202635c49543ce Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:112
                    with open(self._path, "a", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa956c1f4befbe42 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:151
            with open(self.file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80757aa40c14e859 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:165
                with open(self.file_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dce1c56dd6501f9 Filesystem access.
repo/lib/crewai/src/crewai/utilities/i18n.py:38
                with open(self.prompt_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0046ce4797915e Filesystem access.
repo/lib/crewai/src/crewai/utilities/i18n.py:44
                with open(prompts_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbcc8ca70afe4421 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:104
        os.environ.get("MODEL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07eae0843039f29b Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:105
        or os.environ.get("MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11de9ded1c53e14c Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:106
        or os.environ.get("OPENAI_MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecbf5df43c22e2d3 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:130
        os.environ.get("BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c81160f08b91e8d2 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:131
        or os.environ.get("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7981d29d0fad6d7 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:132
        or os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b16bf80a93a79b8 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:135
    api_base = os.environ.get("API_BASE") or os.environ.get("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386f6a8186e1f40f Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:178
                    env_value = os.environ.get(key_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe0d5aedd6d42740 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:287
    content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80d13237c5014b61 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:298
        file_path.write_text("\n".join(lines) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ca0e29915600815 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:317
    doc = tomlkit.parse(file_path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b50d21600cf28550 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:326
    file_path.write_text(tomlkit.dumps(doc))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d6b736d8bb5691c Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:358
    content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06462aeec390a0fc Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:391
        file_path.write_text("\n".join(lines) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9418ff780bd2d70d Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:591
    content = changelog_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75788c91fb8c8712 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:608
    changelog_path.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f89a8ba96c5648c3 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:668
        content = pyproject.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c78f84a78c4233b1 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:671
            pyproject.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeac6219aa2779f2 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:689
        if "__version__" in init_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf8bbf70bbe705df Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1016
            openai_client = OpenAI(api_key=os.getenv("OPENAI_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c27105bc28aa049 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1264
_ENTERPRISE_REPO: Final[str | None] = os.getenv("ENTERPRISE_REPO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac1ad8435c9544e Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1266
    d.strip() for d in os.getenv("ENTERPRISE_VERSION_DIRS", "").split(",") if d.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abec53be68866617 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1268
_ENTERPRISE_CREWAI_DEP_PATH: Final[str | None] = os.getenv("ENTERPRISE_CREWAI_DEP_PATH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #760a2cb70253a3f3 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1271
    for p in os.getenv("ENTERPRISE_EXTRA_PACKAGES", "").split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5b5d378687de70b Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1276
    for p in os.getenv("ENTERPRISE_WORKFLOW_PATHS", "").split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64026e08b350cda4 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1300
    content = pyproject_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b907fe4302249390 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1303
        pyproject_path.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f173eb0af1c14d32 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1330
    raw = workflow_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e73593efb221edbe Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1343
    workflow_path.write_text("".join(lines))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #054e4b13489eed10 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1460
        content = pyproject.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fcb7b93c668f950 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1464
            pyproject.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #928df2bb30889c0c Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:2063
                    content = vfile.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e0180f6a65829e4 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:421
                        ref_content = siblings[0].read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f431d64576cc4e9c Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:429
                en_path.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0630fede81cb3386 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:437
            existing = en_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #629f5a0a821ae9bd Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:454
                en_path.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db1ed419291e25fb Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:473
                lang_path.write_text(translated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce04d07dbd6a98b Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:181
        text = mdx.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4c9aab5f2ea104e Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:184
            mdx.write_text(new_text, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37b0bd0643da9f2b Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:383
    data = json.loads(docs_json.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #382960ad23c43448 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:427
    docs_json.write_text(
        json.dumps(data, indent=2, ensure_ascii=False) + "\n",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e3e5eee2830ae45 Environment-variable access.
repo/scripts/age90_file_input_runner.py:109
    if model.startswith("openai/") and not os.getenv("OPENAI_API_KEY") and not payload_only:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #340c61be33e075e1 Filesystem access.
repo/scripts/docs/freeze_historical_versions.py:154
        text = mdx.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #022c9eb94a33efb2 Filesystem access.
repo/scripts/docs/freeze_historical_versions.py:157
            mdx.write_text(new_text, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72934811e07780a5 Filesystem access.
repo/scripts/docs/prefix_version_paths.py:359
    data = json.loads(docs_json.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c41e08390f14cf0 Filesystem access.
repo/scripts/docs/prefix_version_paths.py:389
    docs_json.write_text(
        json.dumps(data, indent=2, ensure_ascii=False) + "\n",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/crewai-tools

python first-party
high pii_flow production #075d705eb06e0d70 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:27 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:45
        response = requests.request(
            "POST",
            execute_url,
            headers=headers,
            json=action_params,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6f1a3775f2311708 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:69 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:71
        response = requests.request(
            "GET",
            ACTIONS_URL,
            headers=headers,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b9ab7d75d8ec8803 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
            response = requests.get(
                self.search_url, headers=headers, params=payload, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7383a3f39520d3f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
            response = requests.post(
                self.base_url, json=request_params, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d84331e262f9bc6a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
            response = requests.post(
                self.base_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #606a8dc0265f49ed User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #54ee6e5991bc6a7d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
                result = requests.get(status_url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ba9b0f1f50f6dc1a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
            result = requests.get(
                results_url,
                headers=headers,
                params={"output_types": ",".join(output_types)},
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d9377578c7ac6ad5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
        response = requests.get(url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8a8a4218787cbdd5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a464a42eaa43caf8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
            response = requests.post(
                url=api_url,
                headers=headers,
                json=payload,
                timeout=60,
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #adfac052e0d07507 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
            response = requests.get(
                actions_url,
                headers=headers,
                timeout=30,
                params={"apps": ",".join(self._apps)},
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #19504e9468156b17 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
            resp = requests.post(
                self.search_url, json=payload, headers=headers, timeout=request_timeout
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0fb5ac381c5d7883 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #006e935f1229a921 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e669c0759e283e2b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2b013e003a3ad541 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #82ecdd44be15299f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
            response = requests.post(
                search_url, headers=headers, json=payload, timeout=10
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #46de3990eec5cbbc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 → /tmp/closeopen-2ddpso8x/repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 124 low-confidence finding(s)
low env_fs production #31996d318627a3ad Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:14
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c60516186d8e73b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #555a812d1919d387 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(
            "CREWAI_ENTERPRISE_TOOLS_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7a1b2d56115ed47 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/adapters/zapier_adapter.py:62
        self.api_key = api_key or os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b16c21d2aa89f0a1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:60
        self.agent_id = agent_id or os.getenv("BEDROCK_AGENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cefed0add51e0c75 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:61
        self.agent_alias_id = agent_alias_id or os.getenv("BEDROCK_AGENT_ALIAS_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a1ae0d1a5b70fc7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:105
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f289ed11728d458f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:106
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66ed2ea49dae1c3d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:60
        self.knowledge_base_id = knowledge_base_id or os.getenv("BEDROCK_KB_ID")  # type: ignore[assignment]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25b0d3dd9b44795f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:196
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5602ab6a97b5ba9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:197
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c76187ab966f587a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:35
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e64b8951b17856b8 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:36
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c5fab3a045537b1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/reader_tool.py:37
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ca90eb04ed310f7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:36
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #692203e3f49f6bef Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:37
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a49f0cb97a5ffb Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:38
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d389c8b81fd9f4d9 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/generate_tool_specs.py:190
        with open(output_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6827dc578cb34f1a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/rag/embedding_service.py:108
            return os.getenv(env_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acd53115b96a036c Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/csv_loader.py:29
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e132dd3d1ffdb374 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/json_loader.py:28
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e89aaa014962e32e Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/mdx_loader.py:36
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d136d41c5ac85b81 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/text_loader.py:15
        with open(source_content.source, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c65ee4656d784e76 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/rag/loaders/xml_loader.py:37
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25e7919a97f5fc75 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/security/safe_path.py:52
    return os.environ.get(_UNSAFE_PATHS_ENV, "").lower() in ("true", "1", "yes")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f11ce03d650cc38b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/ai_mind_tool/ai_mind_tool.py:47
        self.api_key = api_key or os.getenv("MINDS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cfbec5d9f4e3472 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/apify_actors_tool/apify_actors_tool.py:58
        if not os.environ.get("APIFY_API_TOKEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fe752600c1b28e3 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/base.py:26
    with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aa7df2a5f380ad4 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/base.py:126
        self._api_key = api_key or os.environ.get("BRAVE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b3bbf785272c872 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:55
        if "BRAVE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c7c918e3e8ff554 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129
                "X-Subscription-Token": os.environ["BRAVE_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4fb19011df06447 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:20
            API_URL=os.environ.get("BRIGHTDATA_API_URL", "https://api.brightdata.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67f4976e96c06545 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:21
            DEFAULT_TIMEOUT=int(os.environ.get("BRIGHTDATA_DEFAULT_TIMEOUT", "600")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d06762885e34856 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:23
                os.environ.get("BRIGHTDATA_DEFAULT_POLLING_INTERVAL", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56de010405db2119 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:481
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b62f4d1cb62e5d08 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:578
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b181207e1a0bc32 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a95f6d526a8a979 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37d6da93a303b3aa Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:125
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d04dd9a47b823f11 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:126
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7639f4a961a0c2c6 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d81c17c7edbba18 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45745c4d348dd1b8 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:99
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0230350a49896434 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:100
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e805f142c23a6234 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:16
    api_key: str | None = os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31eab8f9e69b1125 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:17
    project_id: str | None = os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #087cf11164ed2088 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_create_agent_tool/contextual_create_agent_tool.py:65
                with open(doc_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131453548e278d79 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:78
            with open(file_path, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8131789ea62c4d13 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #252bf20636be0efb Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #d6c30fb2bd86496d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8364a5ee3e9cef5b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98717797cb5b4137 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/misc.py:6
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b0103a1da387c48 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/crewai_platform_tools/misc.py:12
    token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #720d9890a7e78123 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:145
        has_profile = "DATABRICKS_CONFIG_PROFILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de82db3a5a52fc0e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:147
            "DATABRICKS_HOST" in os.environ and "DATABRICKS_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ed57a68cb1998bf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:35
        default_factory=lambda: os.getenv("DAYTONA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a0dcfdcf05b408a Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:40
        default_factory=lambda: os.getenv("DAYTONA_API_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36b3dba6bd4e5481 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:45
        default_factory=lambda: os.getenv("DAYTONA_TARGET"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #625d0d526b35128f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:36
            SecretStr(val) if (val := os.getenv("E2B_API_KEY")) else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cba09ad2da838de Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:43
        default_factory=lambda: os.getenv("E2B_DOMAIN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b777809b2603fe0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/exa_tools/exa_search_tool.py:58
        default_factory=lambda: os.getenv("EXA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f556cf2b346a334d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/exa_tools/exa_search_tool.py:63
        default_factory=lambda: os.getenv("EXA_BASE_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80ea09edd377d92d Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/file_read_tool/file_read_tool.py:93
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #366de4d296af40dd Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/file_writer_tool/file_writer_tool.py:70
            with open(real_filepath, mode) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36d0d5b6586370e3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:28
        default_factory=lambda: os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e5d2709c97c2239 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:32
        default_factory=lambda: os.getenv("CREWAI_PERSONAL_ACCESS_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b0c07e6c5f58d69 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/hyperbrowser_load_tool/hyperbrowser_load_tool.py:49
        self.api_key = api_key or os.getenv("HYPERBROWSER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9095d41351c2e499 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/linkup/linkup_search_tool.py:54
        self._client = LinkupClient(api_key=api_key or os.getenv("LINKUP_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80611fc92fa8aad3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/merge_agent_handler_tool/merge_agent_handler_tool.py:65
        api_key = os.environ.get("AGENT_HANDLER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e3590fdce059fa9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:124
        if "AZURE_OPENAI_ENDPOINT" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #744c03e09331853c Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:126
        elif "OPENAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60306b6b97bb0428 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/multion_tool/example.py:7
os.environ["OPENAI_API_KEY"] = "Your Key"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4320958a493b5499 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/multion_tool/multion_tool.py:52
        self.multion = MultiOn(api_key=api_key or os.getenv("MULTION_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db9a16849cda6813 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/nl2sql/nl2sql_tool.py:256
        if os.environ.get("CREWAI_NL2SQL_ALLOW_DML", "").strip().lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d08160b9f1b89a39 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/ocr_tool/ocr_tool.py:104
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2c8634e9d6ce802 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:146
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12e229b3ce403db9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:147
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d29238a8edb2ed4b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:148
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de57feedb23602c0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:149
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7698c45956b94d3 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:151
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #641e7321d7e607d1 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:152
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12ae37d4e9ec3577 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:142
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5b0c1e3ebd59d13 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:143
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc722fbbc20fdeba Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78
        api_key = os.environ.get("PARALLEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8a635c6911ca241c Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b2bfaa68245e111d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ad4bda867d334480 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #5e33129904dce3ac Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37bb02f1f2c7ade2 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0533c07414da4c94 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b6ad798747ed035 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/qdrant_vector_search_tool/qdrant_search_tool.py:113
                    .Client(api_key=os.getenv("OPENAI_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61f4c4a3da3c86af Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrape_element_from_website/scrape_element_from_website.py:68
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #951c7e19eab0b9ab Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrape_website_tool/scrape_website_tool.py:67
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a39633df8978390d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrapegraph_scrape_tool/scrapegraph_scrape_tool.py:113
        self.api_key = api_key or os.getenv("SCRAPEGRAPH_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #562ce82526cfe7c4 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/scrapfly_scrape_website_tool/scrapfly_scrape_website_tool.py:66
        self.scrapfly = ScrapflyClient(key=api_key or os.getenv("SCRAPFLY_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0c1a1f5d2bd7c9e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serpapi_tool/serpapi_base_tool.py:44
        api_key = os.getenv("SERPAPI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e35e259cbe08c3be Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:94
        with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0f1719e0782b9c5 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251
            "X-API-KEY": os.environ["SERPER_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a0a910700c34612 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52
            api_key = os.getenv("SERPER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #bd9745672cc71871 Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-tools/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ede578aff82dca99 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_job_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeabb1537d3a734e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_news_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0efcca8944f5cc15 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_scholar_search_tool.py:51
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #412fbe56d69074bc Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_web_search_tool.py:67
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87762e3d65ddacaf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_webpage_to_markdown_tool.py:31
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56e2ffaedd57abca Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/snowflake_search_tool/snowflake_search_tool.py:188
            with open(self.config.private_key_path, "rb") as key_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5ff3f2df994d6da Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:34
browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #509739630e8ddbd0 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:35
browserbase_project_id = os.environ.get("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #901c40cfac5ffcaf Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/example.py:36
model_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0dd3eed6071c3b9 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:208
        self.api_key = api_key or os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e344cf334931405f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:209
        self.project_id = project_id or os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8935a2469294316d Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:263
            return self.model_api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d2aa4d399d6ed5b Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:265
            return self.model_api_key or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #642b90030bb863d2 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:267
            return self.model_api_key or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2cb50cefdc17575 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:271
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90f0ba2c604ef928 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:272
            or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d13023404a19d9e Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_extractor_tool/tavily_extractor_tool.py:62
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cd3ba845126b981 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_get_research_tool/tavily_get_research_tool.py:56
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef3f11824d2004d7 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_research_tool/tavily_research_tool.py:92
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8efe13c14dd50616 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/tavily_search_tool/tavily_search_tool.py:61
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f943cad19c98800 Filesystem access.
repo/lib/crewai-tools/src/crewai_tools/tools/vision_tool/vision_tool.py:140
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd98da85795f5035 Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/weaviate_tool/vector_search.py:89
            openai_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99131fa85fcdfe3f Environment-variable access.
repo/lib/crewai-tools/src/crewai_tools/tools/zapier_action_tool/zapier_action_tool.py:23
        zapier_api_key = os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/crewai

python first-party
high pii_flow production #ee26149bf95e3160 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 · flow /tmp/closeopen-2ddpso8x/repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256 → /tmp/closeopen-2ddpso8x/repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:256
        client.auth = DigestAuth(self.username, self.password)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #fccc3a27c1afadc3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:21
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e27e3ea26ae40128 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:22
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3305ed9943078756 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crew.py:42
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #401599838cd50a96 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/crews/utils.py:9
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69d037a12a428c28 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/flow/runtime/__init__.py:35
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9d5aeac41ad132fe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/flow/runtime/__init__.py:36
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #165c9f421cdb0bab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:23
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2bcf559124aeb619 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:24
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bdf8f6b21499acb0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:27
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ac5f65702db3cc3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:28
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #898d613a10745731 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:29
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e1615a76b19fc9f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:33
from opentelemetry.trace import ProxyTracerProvider, Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cae7662201847c78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/telemetry/utils.py:11
from opentelemetry.trace import Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #477a05c133423098 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai/src/crewai/utilities/crew/crew_context.py:5
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 108 low-confidence finding(s)
low env_fs production #9848b45b4b2974d3 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:112
            root_certs = Path(self.ca_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ad84a7d29700575 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:115
            private_key = Path(self.client_key_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #449f78a2ba7d05a3 Filesystem access.
repo/lib/crewai/src/crewai/a2a/auth/client_schemes.py:116
            certificate_chain = Path(self.client_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e510b93e861c917 Environment-variable access.
repo/lib/crewai/src/crewai/a2a/auth/server_schemes.py:151
        return os.environ.get("AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #134516de69dba9ad Filesystem access.
repo/lib/crewai/src/crewai/a2a/config.py:130
            return Path(self.private_key_path).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09287a6c081f4f3a Environment-variable access.
repo/lib/crewai/src/crewai/a2a/utils/task.py:102
_redis_url = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55be86347174c858 Environment-variable access.
repo/lib/crewai/src/crewai/agent/core.py:1209
            else os.getenv(CREWAI_TRAINED_AGENTS_FILE_ENV, TRAINED_AGENTS_DATA_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adaab7a696824402 Environment-variable access.
repo/lib/crewai/src/crewai/context.py:47
        token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a8f3c574c60a793 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/trace_listener.py:194
            "user_id": os.getenv("CREWAI_USER_ID", "anonymous"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45fc1409cc904ac3 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/trace_listener.py:195
            "organization_id": os.getenv("CREWAI_ORG_ID", ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596903cea236ad4f Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:128
    env_value = os.getenv("CREWAI_TRACING_ENABLED", "").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48dc9e3a02b90aa6 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:188
    return os.environ.get("CREWAI_TESTING", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0429ad5385f572b9 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:297
                content = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6019155d67a3c61 Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d03a4a776551c2d Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52a959fe76330e1f Environment-variable access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:342
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c277ee17d2e2187 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:380
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fbf471c6a9b5074 Filesystem access.
repo/lib/crewai/src/crewai/events/listeners/tracing/utils.py:412
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c94c015ee303b187 Environment-variable access.
repo/lib/crewai/src/crewai/events/utils/console_formatter.py:70
        if os.getenv("CI", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bae8b908e91ff848 Environment-variable access.
repo/lib/crewai/src/crewai/events/utils/console_formatter.py:73
        if os.getenv("CREWAI_DISABLE_VERSION_CHECK", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #929933f91b0997d9 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:42
            with open(filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48200b3cc8603d07 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:58
                with open(baseline_filepath, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a583728b2fb46104 Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:73
                with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9e4ed16aa0251ae Filesystem access.
repo/lib/crewai/src/crewai/experimental/evaluation/experiment/result.py:91
            with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b92cb85ca104d2c Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/_flag.py:16
    return os.environ.get(ENV_VAR) == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4ceb658217008c0 Filesystem access.
repo/lib/crewai/src/crewai/experimental/skills/cache.py:91
        (skill_dir / _META_FILENAME).write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d35a0757ae43e0e7 Filesystem access.
repo/lib/crewai/src/crewai/experimental/skills/cache.py:106
                        results.append(json.loads(meta_file.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6970ebb8f318914 Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/registry.py:76
        os.environ.get("CI") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be59023f0fc0ab5a Environment-variable access.
repo/lib/crewai/src/crewai/experimental/skills/registry.py:77
        or os.environ.get("CREWAI_NONINTERACTIVE") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93e111edeb9ba408 Filesystem access.
repo/lib/crewai/src/crewai/flow/flow_definition.py:824
            contents = source_path.expanduser().read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fbe56f39f80991a Environment-variable access.
repo/lib/crewai/src/crewai/flow/runtime/_actions.py:238
        raw = os.environ.get(_ALLOW_SCRIPT_EXECUTION_ENV_VAR, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6742e0d48721e45 Filesystem access.
repo/lib/crewai/src/crewai/flow/skill.py:90
    example_yaml = (_TEMPLATES_DIR / "flow_definition_example.yaml").read_text(
        encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2caa2a3ac8340ab Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:414
    css_content = css_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #156d445c30c3fdd7 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:421
    css_output_path.write_text(css_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3adcb20ebdd26d60 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:424
    js_content = js_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71c18237dd9a6dad Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:438
    js_output_path.write_text(js_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63badabcb6df506 Filesystem access.
repo/lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:461
    output_path.write_text(html_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6c7052e883d6c81 Environment-variable access.
repo/lib/crewai/src/crewai/knowledge/knowledge.py:66
os.environ["TOKENIZERS_PARALLELISM"] = "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34cff4d284dd3e60 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/csv_knowledge_source.py:17
            with open(file_path, "r", encoding="utf-8") as csvfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e04f9dd3efbdfc18 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/json_knowledge_source.py:18
            with open(path, "r", encoding="utf-8") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c759c69249ba0ac4 Filesystem access.
repo/lib/crewai/src/crewai/knowledge/source/text_file_knowledge_source.py:17
            with open(path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f32e1b0417c1160c Environment-variable access.
repo/lib/crewai/src/crewai/llm.py:2484
            success_callbacks_str = os.environ.get("LITELLM_SUCCESS_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #276804241c9816f2 Environment-variable access.
repo/lib/crewai/src/crewai/llm.py:2491
            failure_callbacks_str = os.environ.get("LITELLM_FAILURE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386008dfb8ce61eb Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/anthropic/completion.py:256
            self.api_key = os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f4284114cdffee6 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:122
        data["api_key"] = data.get("api_key") or os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35ac5f4f5137414d Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:125
            or os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1759c604196bdf4a Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:126
            or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdc02e0ece3d2bdc Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:127
            or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f1f57843f9d05c7 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:130
            data.get("api_version") or os.getenv("AZURE_API_VERSION") or "2024-06-01"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fcb26af986bf969 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:164
        raw = os.getenv("AZURE_CREDENTIAL_SCOPES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8452cd2a2b844056 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:271
            self.api_key = os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74536d61ca6dca94 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:274
                os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f08137f75e28542e Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:275
                or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f477338efd8e7f6 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/azure/completion.py:276
                or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc08a282ffba62ba Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:275
        data["aws_access_key_id"] = data.get("aws_access_key_id") or os.getenv(
            "AWS_ACCESS_KEY_ID"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91d8ec1b01814744 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:278
        data["aws_secret_access_key"] = data.get("aws_secret_access_key") or os.getenv(
            "AWS_SECRET_ACCESS_KEY"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec09348fe8a5e37e Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:281
        data["aws_session_token"] = data.get("aws_session_token") or os.getenv(
            "AWS_SESSION_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2bd2047b2e121c8 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:286
            or os.getenv("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b76ccb01e46d47f0 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/bedrock/completion.py:287
            or os.getenv("AWS_REGION_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6f14fc19598858a Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:84
            or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #044be4828bcdfacd Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:85
            or os.getenv("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27bbde4d8d192c90 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:87
        data["project"] = data.get("project") or os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e261a4cca724e7f Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:89
            data.get("location") or os.getenv("GOOGLE_CLOUD_LOCATION") or "us-central1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c059b6d6a3ca05fe Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:94
            use_vx = os.getenv("GOOGLE_GENAI_USE_VERTEXAI", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2f1e18660a1032 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7debb4951ee96ed2 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(
                    "GEMINI_API_KEY"
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7323a96d7f7ff304 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/gemini/completion.py:137
                self.project = os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #894597f54a62ef6d Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:250
        data["api_key"] = data.get("api_key") or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f48255ed45696263 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:364
            self.api_key = os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea536412e0eee779 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai/completion.py:374
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e27acbf15912bdea Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai_compatible/completion.py:189
        env_key = os.getenv(config.api_key_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0a001960af494f3 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/openai_compatible/completion.py:220
            env_value = os.getenv(config.base_url_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7779bacf3a24df30 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:93
                token = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0593c2270b281f8 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:114
        account_url = data.get("account_url") or os.getenv("SNOWFLAKE_ACCOUNT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #755cc9226f12af78 Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:122
            or os.getenv("SNOWFLAKE_ACCOUNT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6f66ec8e61898cc Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:123
            or os.getenv("SNOWFLAKE_ACCOUNT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44faeb460dc6d68b Environment-variable access.
repo/lib/crewai/src/crewai/llms/providers/snowflake/completion.py:124
            or os.getenv("SNOWFLAKE_ACCOUNT_IDENTIFIER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56465e7ea847360e Environment-variable access.
repo/lib/crewai/src/crewai/memory/storage/lancedb_storage.py:68
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #307c6ca5d562a04e Environment-variable access.
repo/lib/crewai/src/crewai/memory/storage/qdrant_edge_storage.py:104
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2403fe87f85e4325 Filesystem access.
repo/lib/crewai/src/crewai/project/crew_base.py:391
        with open(config_path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c07cd57be4ced19f Filesystem access.
repo/lib/crewai/src/crewai/project/json_loader.py:209
    return parse_jsonc(path.read_text(encoding="utf-8"), source=path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438927fbaa467372 Environment-variable access.
repo/lib/crewai/src/crewai/rag/chromadb/config.py:61
            api_key=os.getenv("OPENAI_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90d2542684a09f12 Filesystem access.
repo/lib/crewai/src/crewai/skills/parser.py:89
    content = path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afa0a07aaf2dd216 Filesystem access.
repo/lib/crewai/src/crewai/state/provider/json_provider.py:66
        with open(file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9eee7ee027b026d1 Filesystem access.
repo/lib/crewai/src/crewai/state/provider/json_provider.py:132
        return Path(location).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d140077847448be Filesystem access.
repo/lib/crewai/src/crewai/state/provider/utils.py:29
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87502d1872a3c997 Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:151
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09e4d191572e00d4 Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:152
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fbaabccda27686d Environment-variable access.
repo/lib/crewai/src/crewai/telemetry/telemetry.py:153
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53eb04892c13a051 Environment-variable access.
repo/lib/crewai/src/crewai/types/callback.py:27
    raw = os.environ.get("CREWAI_DESERIALIZE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #587c717bbc8daadf Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:20
    return any(os.environ.get(var) for var in CODEX_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8e039619474da4f Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:24
    return any(os.environ.get(var) for var in CURSOR_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #400a060ce8b92185 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/env.py:32
    if os.environ.get(CC_ENV_VAR):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25a8d5b6af778f49 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:94
                        with open(self._path, encoding="utf-8") as read_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5a52bc744ce593a Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:100
                    with open(self._path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8202635c49543ce Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:112
                    with open(self._path, "a", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa956c1f4befbe42 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:151
            with open(self.file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80757aa40c14e859 Filesystem access.
repo/lib/crewai/src/crewai/utilities/file_handler.py:165
                with open(self.file_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dce1c56dd6501f9 Filesystem access.
repo/lib/crewai/src/crewai/utilities/i18n.py:38
                with open(self.prompt_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0046ce4797915e Filesystem access.
repo/lib/crewai/src/crewai/utilities/i18n.py:44
                with open(prompts_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbcc8ca70afe4421 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:104
        os.environ.get("MODEL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07eae0843039f29b Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:105
        or os.environ.get("MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11de9ded1c53e14c Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:106
        or os.environ.get("OPENAI_MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecbf5df43c22e2d3 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:130
        os.environ.get("BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c81160f08b91e8d2 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:131
        or os.environ.get("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7981d29d0fad6d7 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:132
        or os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b16bf80a93a79b8 Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:135
    api_base = os.environ.get("API_BASE") or os.environ.get("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #386f6a8186e1f40f Environment-variable access.
repo/lib/crewai/src/crewai/utilities/llm_utils.py:178
                    env_value = os.environ.get(key_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/cli

python first-party
high pii_flow production #79b5c0d0b923fe2e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/lib/cli/src/crewai_cli/model_catalog.py:551 · flow /tmp/closeopen-2ddpso8x/repo/lib/cli/src/crewai_cli/model_catalog.py:550 → /tmp/closeopen-2ddpso8x/repo/lib/cli/src/crewai_cli/model_catalog.py:551
    response = httpx.get(
        url,
        headers=headers,
        params=params,
        timeout=_TIMEOUT,
        verify=ssl_config,
        follow_redirects=True,
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 73 low-confidence finding(s)
low env_fs production #c466cc3ac0b07630 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:85
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d898c0346162fe5 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:233
            with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b985bcdfcea5123 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:254
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #608c49cd572b7531 Filesystem access.
repo/lib/cli/src/crewai_cli/checkpoint_cli.py:265
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a137abf8860958d Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:694
    if os.environ.get("CREWAI_EXPERIMENTAL") != "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04a3c9e3fa392db Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:956
    crewai_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08ecb065a8ebbe48 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:970
    crewai_testing = os.getenv("CREWAI_TESTING", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #699eefc6ce689aa2 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:974
    crewai_user_id = os.getenv("CREWAI_USER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5af5a426f1521eb4 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:978
    crewai_org_id = os.getenv("CREWAI_ORG_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b7133f11306e5d9 Environment-variable access.
repo/lib/cli/src/crewai_cli/cli.py:1072
    env_enabled = os.getenv("CREWAI_TRACING_ENABLED", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4400a4b783b3465 Filesystem access.
repo/lib/cli/src/crewai_cli/create_crew.py:32
    with open(template_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e9a13f50b802de4 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:47
    with open(project_root / ".env", "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46f61ffdab12f93a Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:70
            with open(src_file, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #406257ba438e24bb Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:83
        with open(dst_file, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3d4db5192e13725 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:142
        content = src_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #436fa64b86edb376 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:149
        dst_file.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #307e52e9128c1121 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:151
    (project_root / ".env").write_text("OPENAI_API_KEY=YOUR_API_KEY", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24b889304fd607d Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:152
    (package_root / "__init__.py").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab2c2445c202b5a3 Filesystem access.
repo/lib/cli/src/crewai_cli/create_flow.py:154
        (package_root / folder / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81ba1b07475e414d Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:830
    path.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f44775a641387be2 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:932
    (folder_path / "pyproject.toml").write_text(
        _render_json_crew_template(
            "pyproject.toml",
            {
                "folder_name": folder_name,
                "name": name,
                "crewai_tools_dependency": get_crewai_tools_dependency(),
            },
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619858607faafcfe Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:945
    (folder_path / ".gitignore").write_text(
        _render_json_crew_template(".gitignore"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8488d6135f468f85 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:951
    (folder_path / "README.md").write_text(
        _render_json_crew_template("README.md", {"name": name}),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9c2af0d4af603b2 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:957
    (folder_path / "knowledge" / "user_preference.txt").write_text(
        _render_json_crew_template("knowledge/user_preference.txt"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f343fc527364f623 Filesystem access.
repo/lib/cli/src/crewai_cli/create_json_crew.py:963
    (folder_path / "skills" / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b48cfc96435f05c Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:67
            content = env_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13edc35b7650df31 Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:71
            env_file.write_text(f"{content}{sep}{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48659a3db75f20e6 Filesystem access.
repo/lib/cli/src/crewai_cli/crew_run_tui.py:73
            env_file.write_text(f"{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cca9e005d9d27f3 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:286
            referenced.update(pattern.findall(crew_path.read_text(errors="ignore")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a43689128fa9f15 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:296
                    pattern.findall(agent_path.read_text(errors="ignore"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bbfc7fda57d8749 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:305
                text = py_path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fce2dbf9c959ee6 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:321
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01a0b29847a3d408 Environment-variable access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:332
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #486f66e4000dbe10 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:873
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d77b7d1b08d48dcc Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:880
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30c54102c89a835e Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:888
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ec28441cf2ce19f Environment-variable access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:899
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a89a5c71c9d3d15 Filesystem access.
repo/lib/cli/src/crewai_cli/deploy/validate.py:931
            text = lockfile.read_text(errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cd30861480bc92c Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:66
        skill_md.write_text(_SKILL_MD_TEMPLATE.format(name=name))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb53d0a95ca54a70 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:173
                (cache_dir / ".crewai_meta.json").write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea54c5c3429e7c62 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:189
            frontmatter = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bc8e876d8a1f280 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:280
                            meta = json.loads(meta_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63ec0391789aac63 Filesystem access.
repo/lib/cli/src/crewai_cli/experimental/skills/main.py:371
            fm = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bb0719eb048008d Filesystem access.
repo/lib/cli/src/crewai_cli/git.py:166
        existing = exclude_file.read_text() if exclude_file.exists() else ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e0a20d2edde85a1 Filesystem access.
repo/lib/cli/src/crewai_cli/git.py:178
        exclude_file.write_text(
            f"{existing}{prefix}# CrewAI deploy auto-commit excludes\n{patterns}\n"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1093f3f2f22164f4 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:79
        value = os.environ.get(env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f063e21c6c12543 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:302
        os.environ.get("OLLAMA_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d0ec9d6be3c7bd3 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:303
        or os.environ.get("API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa3fc7dae2b6ef37 Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:304
        or os.environ.get("OLLAMA_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6e6b64a57c6c356 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:414
        cache_file.write_text(json.dumps(data), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac647b2c97987aa Environment-variable access.
repo/lib/cli/src/crewai_cli/model_catalog.py:550
    ssl_config = os.environ.get("SSL_CERT_FILE") or certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5d9b6040e1548e7 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:585
        data: dict[str, Any] = json.loads(path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95f00e344905b5e0 Filesystem access.
repo/lib/cli/src/crewai_cli/model_catalog.py:673
        cache_file.write_text(json.dumps(payload), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f2e3df452268cb7 Filesystem access.
repo/lib/cli/src/crewai_cli/provider.py:149
        with open(cache_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d50eb053b1480b3 Environment-variable access.
repo/lib/cli/src/crewai_cli/provider.py:165
    ssl_config = os.environ["SSL_CERT_FILE"] = certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ad68d14ccc619ce Filesystem access.
repo/lib/cli/src/crewai_cli/provider.py:171
            with open(cache_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #89d6b53dedcca19b Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/cli/src/crewai_cli/remote_template/main.py:166
                response = httpx.get(url, params=params, timeout=15)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8019a9e0926ffc96 Filesystem access.
repo/lib/cli/src/crewai_cli/remote_template/main.py:249
                    with zf.open(member) as src, open(target, "wb") as dst:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d425649b16d680e4 Environment-variable access.
repo/lib/cli/src/crewai_cli/run_crew.py:321
        os.environ[CREWAI_TRAINED_AGENTS_FILE_ENV] = trained_agents_file

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc80226a4172eca6 Environment-variable access.
repo/lib/cli/src/crewai_cli/run_declarative_flow.py:319
    return os.environ.get("UV_RUN_RECURSION_DEPTH") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #118e61d144778b6d Environment-variable access.
repo/lib/cli/src/crewai_cli/settings/main.py:45
        env_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f40083ef810fb96c Filesystem access.
repo/lib/cli/src/crewai_cli/templates/flow/main.py:49
        with open(output_dir / "post.md", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ca2b827819820ea Environment-variable access.
repo/lib/cli/src/crewai_cli/tools/main.py:147
        build_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44f030cec8e58fcb Filesystem access.
repo/lib/cli/src/crewai_cli/tools/main.py:180
            with open(tarball_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e9fbbd890a8c35a Filesystem access.
repo/lib/cli/src/crewai_cli/update_crew.py:96
    with open(output_file, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbdcd0e4ab0da812 Environment-variable access.
repo/lib/cli/src/crewai_cli/utils.py:53
    value = os.environ.get("CREWAI_DMN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86dd8dc82342a6ab Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:86
    with open(dst, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6439a4d75c87de84 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:94
    content = src.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be41757c59f6f51b Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:104
        with open(env_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18ede37962b0af16 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:142
            with open(filepath, "r", encoding="utf-8", errors="ignore") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9f74a6f37a04ad1 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:144
            with open(filepath, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #649e89847a593a24 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:165
        with open(env_file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9e7b363570b5982 Filesystem access.
repo/lib/cli/src/crewai_cli/utils.py:176
    with open(env_file_path, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/crewai-core

python first-party
medium telemetry production #ccb66d6d6a9e484e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:22
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #92cf22690d1c9399 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:23
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #64c395665ae0cefe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:24
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4b3954aa0e2e53c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:25
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec54aad48f80091a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:26
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #136419512cbb1003 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/lib/crewai-core/src/crewai_core/telemetry.py:30
from opentelemetry.trace import ProxyTracerProvider, Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 21 low-confidence finding(s)
low env_fs production #7efabf1204b42d13 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/lock_store.py:33
_REDIS_URL: str | None = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e02801dd505e09ee Environment-variable access.
repo/lib/crewai-core/src/crewai_core/paths.py:13
    return os.environ.get("CREWAI_STORAGE_DIR", Path.cwd().name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d19a975f7ae1c9a4 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/plus_api.py:168
            os.getenv("CREWAI_PLUS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a70a6bba5217ab5 Filesystem access.
repo/lib/crewai-core/src/crewai_core/project.py:26
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be9c9ed733e36c3c Filesystem access.
repo/lib/crewai-core/src/crewai_core/project.py:163
        with open(pyproject_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65c8d541717488c3 Filesystem access.
repo/lib/crewai-core/src/crewai_core/settings.py:97
                test_file.write_text("test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d4b3eb1102165db Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:125
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ac22a9ed63af0b9 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:126
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b4fe1e24cb9b186 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/telemetry.py:127
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e085dc024281f2a9 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/token_manager.py:88
            base_path = os.environ.get("LOCALAPPDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d2966768ef726a2 Filesystem access.
repo/lib/crewai-core/src/crewai_core/token_manager.py:150
            with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa65c777a267d098 Environment-variable access.
repo/lib/crewai-core/src/crewai_core/tool_credentials.py:24
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4cd15915e036cea Environment-variable access.
repo/lib/crewai-core/src/crewai_core/tool_credentials.py:42
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40698d861f5819da Filesystem access.
repo/lib/crewai-core/src/crewai_core/user_data.py:39
            return cast(dict[str, Any], json.loads(p.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #051c0b8fbf7040fe Filesystem access.
repo/lib/crewai-core/src/crewai_core/user_data.py:49
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad049ad6eac701fe Environment-variable access.
repo/lib/crewai-core/src/crewai_core/user_data.py:86
    if os.getenv("CREWAI_TRACING_ENABLED", "false").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05492be552001bfd Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:117
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #3a61e49cc9b4d23f Hardcoded external endpoint. Review what data is sent to this destination.
repo/lib/crewai-core/src/crewai_core/version.py:125
        with request.urlopen(
            "https://pypi.org/pypi/crewai/json", timeout=timeout
        ) as response:

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #5ca3ad4e9564d449 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:142
            cache_file.write_text(json.dumps(cache_data))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b4c1666f05f25e0 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:154
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8ffeb0ea3a830c4 Filesystem access.
repo/lib/crewai-core/src/crewai_core/version.py:168
        cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/crewai-files

python first-party
expand_more 16 low-confidence finding(s)
low env_fs production #213637b68b923397 Filesystem access.
repo/lib/crewai-files/src/crewai_files/core/sources.py:263
            self._content = self.path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84971148131d7701 Filesystem access.
repo/lib/crewai-files/src/crewai_files/core/sources.py:282
        with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2570d69d08d0efd Environment-variable access.
repo/lib/crewai-files/src/crewai_files/formatting/api.py:294
        s3_bucket = os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4f33612d49f378d Environment-variable access.
repo/lib/crewai-files/src/crewai_files/formatting/api.py:333
        s3_bucket_owner = os.environ.get("CREWAI_BEDROCK_S3_BUCKET_OWNER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #790638d83660f7e6 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/anthropic.py:39
        self._api_key = api_key or os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae084e0296c027ba Filesystem access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:94
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54f22b2db78c9718 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:128
        self._bucket_name = bucket_name or os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eeb1944d7fa9e162 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1656c663e0e6c7c Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(
            "CREWAI_BEDROCK_S3_BUCKET_OWNER"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #318d866251787dc8 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d662c81220b4035 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23072015567b480a Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:134
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05d1a39eed74a47e Filesystem access.
repo/lib/crewai-files/src/crewai_files/uploaders/bedrock.py:269
                with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1200b63f323ca91b Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/factory.py:192
            not os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66d09f60e0093e0d Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/gemini.py:108
        self._api_key = api_key or os.environ.get("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #236b7cf5722e0e41 Environment-variable access.
repo/lib/crewai-files/src/crewai_files/uploaders/openai.py:136
        self._api_key = api_key or os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): lib/devtools

python first-party
expand_more 33 low-confidence finding(s)
low env_fs production #fe0d5aedd6d42740 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:287
    content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80d13237c5014b61 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:298
        file_path.write_text("\n".join(lines) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ca0e29915600815 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:317
    doc = tomlkit.parse(file_path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b50d21600cf28550 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:326
    file_path.write_text(tomlkit.dumps(doc))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d6b736d8bb5691c Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:358
    content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06462aeec390a0fc Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:391
        file_path.write_text("\n".join(lines) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9418ff780bd2d70d Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:591
    content = changelog_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75788c91fb8c8712 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:608
    changelog_path.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f89a8ba96c5648c3 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:668
        content = pyproject.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c78f84a78c4233b1 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:671
            pyproject.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeac6219aa2779f2 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:689
        if "__version__" in init_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf8bbf70bbe705df Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1016
            openai_client = OpenAI(api_key=os.getenv("OPENAI_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c27105bc28aa049 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1264
_ENTERPRISE_REPO: Final[str | None] = os.getenv("ENTERPRISE_REPO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac1ad8435c9544e Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1266
    d.strip() for d in os.getenv("ENTERPRISE_VERSION_DIRS", "").split(",") if d.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abec53be68866617 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1268
_ENTERPRISE_CREWAI_DEP_PATH: Final[str | None] = os.getenv("ENTERPRISE_CREWAI_DEP_PATH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #760a2cb70253a3f3 Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1271
    for p in os.getenv("ENTERPRISE_EXTRA_PACKAGES", "").split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5b5d378687de70b Environment-variable access.
repo/lib/devtools/src/crewai_devtools/cli.py:1276
    for p in os.getenv("ENTERPRISE_WORKFLOW_PATHS", "").split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64026e08b350cda4 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1300
    content = pyproject_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b907fe4302249390 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1303
        pyproject_path.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f173eb0af1c14d32 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1330
    raw = workflow_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e73593efb221edbe Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1343
    workflow_path.write_text("".join(lines))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #054e4b13489eed10 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1460
        content = pyproject.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fcb7b93c668f950 Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:1464
            pyproject.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #928df2bb30889c0c Filesystem access.
repo/lib/devtools/src/crewai_devtools/cli.py:2063
                    content = vfile.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e0180f6a65829e4 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:421
                        ref_content = siblings[0].read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f431d64576cc4e9c Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:429
                en_path.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0630fede81cb3386 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:437
            existing = en_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #629f5a0a821ae9bd Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:454
                en_path.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db1ed419291e25fb Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_check.py:473
                lang_path.write_text(translated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce04d07dbd6a98b Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:181
        text = mdx.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4c9aab5f2ea104e Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:184
            mdx.write_text(new_text, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37b0bd0643da9f2b Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:383
    data = json.loads(docs_json.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #382960ad23c43448 Filesystem access.
repo/lib/devtools/src/crewai_devtools/docs_versioning.py:427
    docs_json.write_text(
        json.dumps(data, indent=2, ensure_ascii=False) + "\n",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

litellm

python dependency
high pii_flow dependency Excluded from app score #eed406fab785c4cb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:108 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:110 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:108
        parameters["httpx_client"] = httpx.Client(
            verify=get_ssl_configuration(),
            cert=os.getenv("SSL_CERTIFICATE", litellm.ssl_certificate),
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5d1cb17df7cc1a87 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/bedrock/files/handler.py:136 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/bedrock/files/handler.py:122 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/bedrock/files/handler.py:136
        mock_response = httpx.Response(
            status_code=200,
            content=file_content,
            headers={"content-type": "application/octet-stream"},
            request=httpx.Request(method="GET", url=s3_uri),
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #f5911461f1f91148 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:556 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:541 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:556
        return httpx.AsyncClient(
            transport=transport,
            event_hooks=event_hooks,
            timeout=timeout,
            verify=ssl_config,
            cert=cert,
            headers=default_headers,
            follow_redirects=True,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ad0f6f11ee49bfec User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1094 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1085 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1094
            self.client = httpx.Client(
                transport=transport,
                timeout=timeout,
                verify=ssl_config,
                cert=cert,
                headers=default_headers,
                follow_redirects=True,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b0ab451795be2e00 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:83 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:77 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:83
        response = httpx.get(path, headers=headers, params=params)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #2ad07fa6dce4c5be User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/llms/sagemaker/completion/handler.py:625 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/sagemaker/completion/handler.py:560 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/llms/sagemaker/completion/handler.py:625
        mock_response = HttpxResponse(
            status_code=200,
            content=json.dumps(response).encode("utf-8"),
            headers={"content-type": "application/json"},
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c8b697535ceab6a4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:41 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:38 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:41
            params={"timeout": httpx.Timeout(timeout=timeout, connect=5.0)},

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #a35cec4fd7e6d534 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:89 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:79 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:89
        self._tracker_headers = httpx.Headers(
            {
                "Authorization": f"Bearer {self._tracker_api_key}",
                "Content-Type": "application/json",
            },
            encoding="utf-8",
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #a41f637e648bf87a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:205 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:196 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:205
    base_url = httpx.URL(base_target_url)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1497e45fe03fdb74 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:268 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:259 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:268
    base_url = httpx.URL(base_target_url)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #247a44293ec64b88 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:391 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:382 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:391
    base_url = httpx.URL(base_target_url)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5916d245062d5d0e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:582 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:573 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:582
    base_url = httpx.URL(base_target_url)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6cdb83eaf12ad08b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2088 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2061 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2088
    base_url = httpx.URL(base_target_url)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #a646118e05c3f88a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/proxy_auth/credentials.py:160 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy_auth/credentials.py:161 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/proxy_auth/credentials.py:160
        response = httpx.post(
            self.token_url,
            data={
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "scope": scope,
            },
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0ad234601fee235a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:98 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:101 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:98
                    response=httpx.Response(
                        status_code=429,
                        content="{} rpm limit={}. current usage={}. id={}, model_group={}. Get the model info by calling 'router.get_model_info(id)".format(
                            RouterErrors.user_defined_ratelimit_error.value,
                            deployment_rpm,
                            local_result,
                            model_id,
                            deployment.get("model_name", ""),
                        ),
                        request=httpx.Request(
                            method="tpm_rpm_limits",
                            url="https://github.com/BerriAI/litellm",
                        ),  # type: ignore
                    ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #530577a09c4404b0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:122 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:125 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:122
                        response=httpx.Response(
                            status_code=429,
                            content="{} rpm limit={}. current usage={}".format(
                                RouterErrors.user_defined_ratelimit_error.value,
                                deployment_rpm,
                                result,
                            ),
                            request=httpx.Request(
                                method="tpm_rpm_limits",
                                url="https://github.com/BerriAI/litellm",
                            ),  # type: ignore
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5b2b2ef5d53cde73 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:183 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:186 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:183
                    response=httpx.Response(
                        status_code=429,
                        content="{} rpm limit={}. current usage={}".format(
                            RouterErrors.user_defined_ratelimit_error.value,
                            deployment_rpm,
                            local_result,
                        ),
                        headers={"retry-after": str(60)},  # type: ignore
                        request=httpx.Request(
                            method="tpm_rpm_limits",
                            url="https://github.com/BerriAI/litellm",
                        ),  # type: ignore
                    ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7ab436ae9ae384c9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:206 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:209 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:206
                        response=httpx.Response(
                            status_code=429,
                            content="{} rpm limit={}. current usage={}".format(
                                RouterErrors.user_defined_ratelimit_error.value,
                                deployment_rpm,
                                result,
                            ),
                            headers={"retry-after": str(60)},  # type: ignore
                            request=httpx.Request(
                                method="tpm_rpm_limits",
                                url="https://github.com/BerriAI/litellm",
                            ),  # type: ignore
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #eb9ae13ecf57dbb4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:119 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:121 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:119
                        response=httpx.Response(
                            status_code=429,
                            content=f"{RouterErrors.user_defined_ratelimit_error.value} tpm limit={tpm_limit}. current usage={current_tpm}. id={model_id}, model_group={model_group}",
                            headers={"retry-after": str(60)},
                            request=httpx.Request(
                                method="model_rate_limit_check",
                                url="https://github.com/BerriAI/litellm",
                            ),
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #f45ad43b5da3bcbf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:138 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:140 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:138
                        response=httpx.Response(
                            status_code=429,
                            content=f"{RouterErrors.user_defined_ratelimit_error.value} rpm limit={rpm_limit}. current usage={current_rpm}. id={model_id}, model_group={model_group}",
                            headers={"retry-after": str(60)},
                            request=httpx.Request(
                                method="model_rate_limit_check",
                                url="https://github.com/BerriAI/litellm",
                            ),
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e5b0b99f64b321f1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:188 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:190 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:188
                        response=httpx.Response(
                            status_code=429,
                            content=f"{RouterErrors.user_defined_ratelimit_error.value} tpm limit={tpm_limit}. current usage={current_tpm}. id={model_id}, model_group={model_group}",
                            headers={"retry-after": str(60)},
                            request=httpx.Request(
                                method="model_rate_limit_check",
                                url="https://github.com/BerriAI/litellm",
                            ),
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b1bf90c7c4062d76 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:213 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:215 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:213
                        response=httpx.Response(
                            status_code=429,
                            content=f"{RouterErrors.user_defined_ratelimit_error.value} rpm limit={rpm_limit}. current usage={current_rpm}. id={model_id}, model_group={model_group}",
                            headers={"retry-after": str(60)},
                            request=httpx.Request(
                                method="model_rate_limit_check",
                                url="https://github.com/BerriAI/litellm",
                            ),
                        ),

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #4d37f91dab07b227 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/_service_logger.py:15
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #73711ba5b1e99672 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/caching/base_cache.py:15
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bb5c4e2b6f683da8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/caching/disk_cache.py:7
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f9e1eb255d06b0d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/caching/dual_cache.py:30
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ff1cf62c86162f26 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/caching/redis_cache.py:42
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c7134c501faea9a1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/caching/redis_cluster_cache.py:13
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f1ed6b12437bbea3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/_utils.py:18
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4b293d7beaf47316 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:19
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5b79086d67283cc7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:45
        from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #782a439c88b22159 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:46
        from opentelemetry.trace import SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6e6672504a213e0f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:12
    from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea9128a14a3d6cfd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:13
    from opentelemetry.sdk.trace.export import SpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3f475e319cb65acc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:14
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bace8bf2dc506355 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:15
    from opentelemetry.trace import SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #90629e245f609b75 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:16
    from opentelemetry.trace import Tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #45a9c50e88b65061 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:69
        from opentelemetry.trace import SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9c8300333e1dad66 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:131
        from opentelemetry.sdk.resources import OTELResourceDetector, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #34dea120ff0bf612 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:148
        from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #44e2944f01b5de5b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:306
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d6e08414316a99af Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:347
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #497b23d388d5b006 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/custom_logger.py:38
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8a524d054333cfc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:19
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8310970cba536087 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel_attributes.py:28
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #079f042ce4e23fb4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/langtrace.py:7
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4eab63d63d730b30 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/levo/levo.py:7
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #db1efa0ed1dce2c5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:45
    from opentelemetry.sdk.trace.export import SpanExporter as _SpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #105bfe9a704a1142 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:46
    from opentelemetry.trace import Context as _Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #849e2feb98d4f436 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:47
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6d65ead42be15b06 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:48
    from opentelemetry.trace import Tracer as _Tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #13fc1747c0c3fab2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:273
        from opentelemetry.sdk.trace.export.in_memory_span_exporter import (
            InMemorySpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e9c8cebd61ec4953 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:364
        from opentelemetry.sdk.resources import OTELResourceDetector, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c2cf56d8256be8ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:539
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9dc80d8810c79684 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:540
        from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c4497b6d4c72a594 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:541
        from opentelemetry.trace import SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8edc7922038b8a63 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:575
        from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #17115fb6e03d43c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:576
        from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eece0fa332ba6073 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:635
        from opentelemetry._logs import get_logger_provider, set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #017ee5658491c851 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:636
        from opentelemetry.sdk._logs import LoggerProvider as OTLoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f88d1282f096897a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:637
        from opentelemetry.sdk._logs.export import BatchLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #69a4b91707a33b17 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:677
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9b08c23dd56e8193 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:678
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cc4bfa54e532f12d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:737
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8a30e20f23915641 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:738
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8478c5d25f2f25c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:799
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #630ac23cbfc662cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:800
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bdaf4ffe9afec465 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:892
        from opentelemetry import trace as _trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b7652e779d785098 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:994
        from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0beb6e6cd9bdaf62 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1116
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d8fe3a49c5a4cba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1164
            from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #087746f142e142a0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1218
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6598132824b00142 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1237
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #115cb8dce6200ee4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1238
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2f73a297f25217c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1611
        from opentelemetry._logs import SeverityNumber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eb0b7025aba72552 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1614
            from opentelemetry.sdk._logs import LogRecord  # OTEL < 1.39.0

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d8f24e3a6cdc3324 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1616
            from opentelemetry.sdk._logs._internal import (  # OTEL >= 1.39.0
                LogRecord,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #10690cd10e0b89ed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1728
        from opentelemetry import trace as _trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9303d9903bd52dfa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:1850
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c662a8eeae8ec4d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2685
        from opentelemetry.trace.propagation.tracecontext import (
            TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8eb88ca6bc40f709 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2696
        from opentelemetry import context, trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6b645f91838678e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2697
        from opentelemetry.trace.propagation.tracecontext import (
            TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #191b7f6938e27219 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2751
        from opentelemetry.sdk.trace.export import (
            BatchSpanProcessor,
            ConsoleSpanExporter,
            SimpleSpanProcessor,
            SpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a2b214222f2e5486 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2793
                from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
                    OTLPSpanExporter as OTLPSpanExporterHTTP,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #79921516a9c4ce50 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2812
                from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import (
                    OTLPSpanExporter as OTLPSpanExporterGRPC,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f3138839fecf5105 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2868
            from opentelemetry.sdk._logs.export import ConsoleLogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ed3e5be21bf4f29d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2880
            from opentelemetry.exporter.otlp.proto.http._log_exporter import (
                OTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2f94cc916f2d8639 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2892
                from opentelemetry.exporter.otlp.proto.grpc._log_exporter import (
                    OTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #446f932fabfc6e9a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2912
            from opentelemetry.sdk._logs.export import ConsoleLogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e244cb19497198df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2920
        from opentelemetry.sdk.metrics import Histogram

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #25f063f153f384f3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2921
        from opentelemetry.sdk.metrics.export import (
            AggregationTemporality,
            ConsoleMetricExporter,
            PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3148830ab5aebe3e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2946
            from opentelemetry.exporter.otlp.proto.http.metric_exporter import (
                OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0ddb073392519b76 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2959
                from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (
                    OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b1e22b265b410aba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:3078
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0e359d167ee975d4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:3079
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #39777f92764c8bf7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:3136
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #10a4c4d8de4e9de1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:3137
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7b9174b8107ee1b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry_utils/base_otel_llm_obs_attributes.py:5
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8c7c6e671a3bf151 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/opentelemetry_utils/gen_ai_semconv.py:39
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #afaf52294a4f0a60 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/emitter.py:6
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ac575b992c980b90 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/emitter.py:7
from opentelemetry.trace import Span, Tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1786713879479875 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/emitter.py:8
from opentelemetry.trace.status import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d4ce4bb7b079c0ea Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/logger.py:8
from opentelemetry.context import attach, get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #280aa51e413228ea Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/logger.py:9
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c50b8f31dc949f6e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/logger.py:10
from opentelemetry.trace import Span, Tracer, get_current_span, use_span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #31e081380df39e13 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/mount.py:113
        from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #43fd87a2f172ee41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/context.py:6
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b939f2ec26e5f181 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/context.py:7
from opentelemetry.context import Context, get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0715b9a8cdc72060 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/context.py:8
from opentelemetry.trace import Span, get_current_span, set_span_in_context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8cd5d901a88eac1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/context.py:9
from opentelemetry.trace.propagation.tracecontext import (
    TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #67a552d744144bb1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/metrics.py:15
from opentelemetry.metrics import Histogram, Meter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #99f37a80fe9e6291 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:5
from opentelemetry import baggage, metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #64845e97789a1f6e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:6
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d4a19c3e0231c02d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:7
from opentelemetry.metrics import MeterProvider, NoOpMeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f0a3129c08edcad6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:8
from opentelemetry.sdk.metrics import MeterProvider as SDKMeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #267d080a3e387324 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:9
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3a2f95f14fd746fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:10
from opentelemetry.sdk.trace import ReadableSpan, SpanProcessor, TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #68b19a73cbbe0105 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:11
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    ConsoleSpanExporter,
    SimpleSpanProcessor,
    SpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cd0bbc02fa2883c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:17
from opentelemetry.sdk.trace.export.in_memory_span_exporter import (
    InMemorySpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a52008204965bab2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:20
from opentelemetry.trace import Span, SpanKind, Tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #01fc35db4a1c141d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:31
    from opentelemetry.metrics import Meter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3da9b0de0c10111f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:32
    from opentelemetry.sdk.metrics.export import MetricReader

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f4687230dface5ec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:119
        from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
            OTLPSpanExporter as HTTPExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eb3bb1a275394967 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:128
        from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import (
            OTLPSpanExporter as GRPCExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #149d7d0ef8ecf39b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:184
    from opentelemetry.sdk.metrics.export import (
        ConsoleMetricExporter,
        PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9e73fbf53caafd85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:191
        from opentelemetry.exporter.otlp.proto.http.metric_exporter import (
            OTLPMetricExporter as HTTPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #afce248d4c2c6f29 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:194
        from opentelemetry.sdk.metrics import Histogram

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #240058c941abc0a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:195
        from opentelemetry.sdk.metrics.export import AggregationTemporality

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #55ec8cf34fcc26ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:203
        from opentelemetry.sdk.metrics import Histogram

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f761ef7319358d01 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:204
        from opentelemetry.sdk.metrics.export import AggregationTemporality

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1a1efc5673323b8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/providers.py:207
            from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (
                OTLPMetricExporter as GRPCMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a409e1f29f08c654 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/routing.py:14
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6db66539de82ef78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/plumbing/routing.py:15
from opentelemetry.trace import Tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #93d248a8db461e14 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/otel/presets/agentops.py:75
    from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
        OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #00234af5da75d29d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/traceloop.py:39
        from opentelemetry.semconv.ai import SpanAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9a04318ea167b1d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/traceloop.py:40
        from opentelemetry.trace import SpanKind, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b5c93107870d3829 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:8
from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #01d10d978aa52640 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:26
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #386025fde313c2ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/litellm_core_utils/core_helpers.py:12
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a42a1d01c47a0e8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3383
                    import sentry_sdk

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #88fae20b92bad7eb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3387
                    import sentry_sdk

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e4dba7c5f6777ced Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3388
                from sentry_sdk.scrubber import EventScrubber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5c9065facfc2d6cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/litellm_core_utils/logging_utils.py:18
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d636f3e2a16d9d20 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/llms/base_llm/managed_resources/base_managed_resource.py:30
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4706a51fe311e373 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/_types.py:61
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #576ce35c719e579a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/auth/auth_checks.py:101
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f43633c659f44cd5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/auth/auth_exception_handler.py:29
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e19d42bbc6dc8651 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/hooks/batch_rate_limiter.py:61
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e524446f89ac8ec0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/hooks/parallel_request_limiter.py:24
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ec7f4ff4f058019c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/hooks/parallel_request_limiter_v3.py:51
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5dffa3a388328eff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:126
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #775f36514a0041b0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:914
            from opentelemetry import trace as _otel_trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eec5f314f08f4208 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1326
        from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d0ce6529065723ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/proxy/utils.py:170
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #242eb32d5ff62e52 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router.py:200
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #77b01467ca56ce35 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_strategy/lowest_latency.py:16
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4093f95ddabbc729 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_strategy/lowest_tpm_rpm_v2.py:21
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6b6d7dd93fefd91e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/cooldown_cache.py:17
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #157a2a2b6b5f4c88 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/cooldown_handlers.py:29
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #788a456202526c92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/handle_error.py:12
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea8b09850ba22346 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/health_state_cache.py:17
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aaf3fa2847c9b040 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/pre_call_checks/model_rate_limit_check.py:24
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #508dc3fa897a7586 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/litellm/router_utils/prompt_caching_cache.py:16
    from opentelemetry.trace import Span as _Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 1409 low-confidence finding(s)
low env_fs dependency Excluded from app score #8ceb30606c82e3b2 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:23
    return os.getenv("LITELLM_DEV_ENV_HOT_RELOAD") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c892ea97759f828 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:26
if os.getenv("LITELLM_MODE", "DEV") == "DEV":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d5820e75c5506ae Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:97
litellm_mode = os.getenv("LITELLM_MODE", "DEV")  # "PRODUCTION", "DEV"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #339b7cc8c9d3f724 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:227
drop_params = bool(os.getenv("LITELLM_DROP_PARAMS", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e034fd707082c3a Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:228
modify_params = bool(os.getenv("LITELLM_MODIFY_PARAMS", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cec618167a643c86 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:230
    os.getenv("LITELLM_USE_CHAT_COMPLETIONS_URL_FOR_ANTHROPIC_MESSAGES", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ad627981401206e Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:244
    os.getenv("LITELLM_ROUTE_ALL_CHAT_OPENAI_TO_RESPONSES", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bcc8fdbe3e0f7f6 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:248
gemini_live_defer_setup: bool = os.getenv("LITELLM_GEMINI_LIVE_DEFER_SETUP", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d556d115b5d4ee0b Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:250
    os.getenv("LITELLM_USE_LEGACY_INTERACTIONS_SCHEMA", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3782dae14e1b8cc0 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:391
model_cost_map_url: str = os.getenv(
    "LITELLM_MODEL_COST_MAP_URL",
    "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json",
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef90753a4b184f83 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:395
blog_posts_url: str = os.getenv(
    "LITELLM_BLOG_POSTS_URL",
    "https://docs.litellm.ai/blog/rss.xml",
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba29467a0910d3fa Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:399
anthropic_beta_headers_url: str = os.getenv(
    "LITELLM_ANTHROPIC_BETA_HEADERS_URL",
    "https://raw.githubusercontent.com/BerriAI/litellm/main/litellm/anthropic_beta_headers_config.json",
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f1cfe2e79e7eaf3 Environment-variable access.
pkgs/python/[email protected]/litellm/__init__.py:2097
if os.getenv("LITELLM_DISABLE_LAZY_LOADING", "").lower() in ("1", "true", "yes", "on"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1c25bda10eeae69 Environment-variable access.
pkgs/python/[email protected]/litellm/_logging.py:20
_ENABLE_SECRET_REDACTION = os.getenv("LITELLM_DISABLE_REDACT_SECRETS", "").lower() != "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d393bbc57cc6e7d9 Environment-variable access.
pkgs/python/[email protected]/litellm/_logging.py:80
json_logs = bool(os.getenv("JSON_LOGS", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f066b5f8d823d88b Environment-variable access.
pkgs/python/[email protected]/litellm/_logging.py:82
log_level = os.getenv("LITELLM_LOG", "DEBUG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aa1803697976016 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:193
    _client_id = azure_client_id or os.environ.get("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3492b639c1a112c Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:194
    _tenant_id = azure_tenant_id or os.environ.get("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98ad37c4ad918e41 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:195
    _client_secret = azure_client_secret or os.environ.get("AZURE_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #887f19eb043f2d49 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:263
        username = os.environ.get("REDIS_USERNAME", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13db3db40e64e662 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:290
    if "REDIS_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #181bc4215af8f019 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:291
        return os.environ["REDIS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b18828822bf74176 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:293
    if "REDIS_HOST" not in os.environ or "REDIS_PORT" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa9e200feeb8b81a Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:296
    if "REDIS_SSL" in os.environ and os.environ["REDIS_SSL"].lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f72b32b6386ca43 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:303
    if "REDIS_USERNAME" in os.environ and "REDIS_PASSWORD" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b06feaf52ee990c6 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:304
        auth_part = f"{os.environ['REDIS_USERNAME']}:{os.environ['REDIS_PASSWORD']}@"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5db7ffbc718b18be Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:305
    elif "REDIS_PASSWORD" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5abdb0fd59e952ca Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:306
        auth_part = f"{os.environ['REDIS_PASSWORD']}@"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92f80ee45ef3c86b Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:308
    return f"{redis_protocol}://{auth_part}{os.environ['REDIS_HOST']}:{os.environ['REDIS_PORT']}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b07de08f00c449a7 Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:573
                username=os.environ.get("REDIS_USERNAME") or None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dc9d8bcbce47faf Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:616
            username=os.environ.get("REDIS_USERNAME") or None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19df6e5594a650ba Environment-variable access.
pkgs/python/[email protected]/litellm/_redis.py:662
            username=os.environ.get("REDIS_USERNAME") or None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5653fdf62afb4c18 Filesystem access.
pkgs/python/[email protected]/litellm/anthropic_beta_headers_manager.py:51
                files("litellm").joinpath("anthropic_beta_headers_config.json").read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc6450355476f39d Environment-variable access.
pkgs/python/[email protected]/litellm/anthropic_beta_headers_manager.py:137
    if os.getenv("LITELLM_LOCAL_ANTHROPIC_BETA_HEADERS", "").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6768d7500fa53f38 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:109
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #804855a6781b9cdb Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:110
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c687287dd895ec9 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:116
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bba29b88a9e4b9c7 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:124
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #119e304a73fe1c58 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:298
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76702e4ef89fc5ab Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:299
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d7be16e2e00f7c5 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:305
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5440a7e4751a82a2 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:313
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #908cb17022d4822d Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:459
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37c0fbb50b52b290 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:460
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b180ea054fec4538 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:464
            optional_params.organization or litellm.organization or os.getenv("OPENAI_ORGANIZATION", None) or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #485a1fece75a6615 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:467
        api_key = optional_params.api_key or litellm.api_key or litellm.openai_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3263e047b109091d Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:630
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10e1c615c554bfd7 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:631
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3f80f8d67115a3e Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:637
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea586fe29c9169bf Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:645
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46b2495f34b60bcb Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:782
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #653db5c061d93844 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:783
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c54485bc59a9cf2c Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:789
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7697e67f5cf03dc5 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:797
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59f90c35d1d72b41 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:965
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0fc33fc2fa45683 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:966
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9abea89dd4f9e727 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:972
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da876ea9f49d84e8 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:980
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #101f6eef49ea88d3 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1123
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #860ea05b71fac69c Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1124
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d330e08921a376a3 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1130
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55fafebc6eaf3787 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1138
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f3cf1bb364f880a Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1318
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66f16f366007aeb1 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1319
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a7dabdefe6c5f1e Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1325
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7b5db677e0abbc8 Environment-variable access.
pkgs/python/[email protected]/litellm/assistants/main.py:1333
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e6043640a1bb7d2 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:246
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27c43daebd88bde0 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:247
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0344a987b4ef39af Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:253
                or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efba4fbaa29ae034 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:261
                or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #062e2090adeef328 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:395
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ca4779a2ab299d7 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:396
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f602611bdcbdf9f Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:402
            or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d78389d2e0c38f98 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:410
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffae98a5663f3a03 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:711
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce8779b387fda2dc Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:735
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #011e743b5d668b46 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:736
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cda1e43421c5473 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:742
                or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13bed7f7cccfdd7f Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:927
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a020d829798812c4 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:928
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cddff190d2ae612 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:932
                optional_params.organization or litellm.organization or os.getenv("OPENAI_ORGANIZATION", None) or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fc5cfcf613d8ad7 Environment-variable access.
pkgs/python/[email protected]/litellm/batches/main.py:934
            api_key = optional_params.api_key or litellm.api_key or litellm.openai_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b09d8c31436cb97d Filesystem access.
pkgs/python/[email protected]/litellm/budget_manager.py:55
                with open("user_cost.json", "r") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8702aa99bc48fe0c Filesystem access.
pkgs/python/[email protected]/litellm/budget_manager.py:208
            with open("user_cost.json", "w") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #412cfc9063994ddf Environment-variable access.
pkgs/python/[email protected]/litellm/caching/qdrant_semantic_cache.py:71
        qdrant_api_base = qdrant_api_base or os.getenv("QDRANT_URL") or os.getenv("QDRANT_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c271903023b3749 Environment-variable access.
pkgs/python/[email protected]/litellm/caching/qdrant_semantic_cache.py:72
        qdrant_api_key = qdrant_api_key or os.getenv("QDRANT_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53031aa0065553c4 Environment-variable access.
pkgs/python/[email protected]/litellm/caching/redis_semantic_cache.py:93
                host = host or os.environ["REDIS_HOST"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d76f79ed9a8680c Environment-variable access.
pkgs/python/[email protected]/litellm/caching/redis_semantic_cache.py:94
                port = port or os.environ["REDIS_PORT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90d6abe639846f61 Environment-variable access.
pkgs/python/[email protected]/litellm/caching/redis_semantic_cache.py:95
                password = password or os.environ["REDIS_PASSWORD"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcf3227c9e48115f Environment-variable access.
pkgs/python/[email protected]/litellm/caching/valkey_semantic_cache.py:99
        host = host or os.environ.get("VALKEY_HOST") or os.environ.get("REDIS_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cc35bc869337301 Environment-variable access.
pkgs/python/[email protected]/litellm/caching/valkey_semantic_cache.py:100
        port = port or os.environ.get("VALKEY_PORT") or os.environ.get("REDIS_PORT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #601753a49cc40687 Environment-variable access.
pkgs/python/[email protected]/litellm/caching/valkey_semantic_cache.py:101
        password = password or os.environ.get("VALKEY_PASSWORD") or os.environ.get("REDIS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdaeafb998bc9b80 Environment-variable access.
pkgs/python/[email protected]/litellm/completion_extras/litellm_responses_transformation/transformation.py:924
            litellm.reasoning_auto_summary or os.getenv("LITELLM_REASONING_AUTO_SUMMARY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf5ddbdb61d1613f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:7
DEFAULT_HEALTH_CHECK_PROMPT = str(os.getenv("DEFAULT_HEALTH_CHECK_PROMPT", "test from litellm"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1986b97d99b0f7f9 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:8
AZURE_DEFAULT_RESPONSES_API_VERSION = str(os.getenv("AZURE_DEFAULT_RESPONSES_API_VERSION", "preview"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b9293298506c83f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:9
ROUTER_MAX_FALLBACKS = int(os.getenv("ROUTER_MAX_FALLBACKS", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91ad5d91abae2960 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:10
DEFAULT_BATCH_SIZE = int(os.getenv("DEFAULT_BATCH_SIZE", 512))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28c2b07c08ddb5e1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:11
DEFAULT_FLUSH_INTERVAL_SECONDS = int(os.getenv("DEFAULT_FLUSH_INTERVAL_SECONDS", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c71e0a21dfb7970 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:12
DEFAULT_S3_FLUSH_INTERVAL_SECONDS = int(os.getenv("DEFAULT_S3_FLUSH_INTERVAL_SECONDS", 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da3112af0c6f8fb2 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:13
DEFAULT_S3_BATCH_SIZE = int(os.getenv("DEFAULT_S3_BATCH_SIZE", 512))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08b27fb95dbca4f3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:14
DEFAULT_SQS_FLUSH_INTERVAL_SECONDS = int(os.getenv("DEFAULT_SQS_FLUSH_INTERVAL_SECONDS", 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #200ff4fafe31e50b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:15
DEFAULT_NUM_WORKERS_LITELLM_PROXY = int(os.getenv("DEFAULT_NUM_WORKERS_LITELLM_PROXY", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d02cfccf935886a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:16
DYNAMIC_RATE_LIMIT_ERROR_THRESHOLD_PER_MINUTE = int(os.getenv("DYNAMIC_RATE_LIMIT_ERROR_THRESHOLD_PER_MINUTE", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ba65d651c60cb8e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:17
DEFAULT_SQS_BATCH_SIZE = int(os.getenv("DEFAULT_SQS_BATCH_SIZE", 512))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0d4075bb276b126 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:20
DEFAULT_MAX_RETRIES = int(os.getenv("DEFAULT_MAX_RETRIES", 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4622262efe841c78 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:24
DEFAULT_MAX_RECURSE_DEPTH = int(os.getenv("DEFAULT_MAX_RECURSE_DEPTH", 100))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8087289bea53686f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:25
DEFAULT_MAX_RECURSE_DEPTH_SENSITIVE_DATA_MASKER = int(os.getenv("DEFAULT_MAX_RECURSE_DEPTH_SENSITIVE_DATA_MASKER", 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df47c8d5178442f5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:27
    os.getenv("DEFAULT_FAILURE_THRESHOLD_PERCENT", 0.5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f7a98eeb651907c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:29
DEFAULT_MAX_TOKENS = int(os.getenv("DEFAULT_MAX_TOKENS", 4096))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f60d84185f017e0c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:30
DEFAULT_ALLOWED_FAILS = int(os.getenv("DEFAULT_ALLOWED_FAILS", 3))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4921f3ac318c9517 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:31
DEFAULT_REDIS_SYNC_INTERVAL = int(os.getenv("DEFAULT_REDIS_SYNC_INTERVAL", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62b2b93950902103 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:32
DEFAULT_COOLDOWN_TIME_SECONDS = int(os.getenv("DEFAULT_COOLDOWN_TIME_SECONDS", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8939226b06f57b06 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:33
DEFAULT_REPLICATE_POLLING_RETRIES = int(os.getenv("DEFAULT_REPLICATE_POLLING_RETRIES", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9854c7c41ec1c55e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:34
DEFAULT_REPLICATE_POLLING_DELAY_SECONDS = int(os.getenv("DEFAULT_REPLICATE_POLLING_DELAY_SECONDS", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f11d00fc0fd0f262 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:35
DEFAULT_IMAGE_TOKEN_COUNT = int(os.getenv("DEFAULT_IMAGE_TOKEN_COUNT", 250))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4aaae18ab69d0f4 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:40
_max_stream_duration_env = os.getenv("LITELLM_MAX_STREAMING_DURATION_SECONDS", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb9f3901fbbe0e75 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:48
MAX_BASE64_LENGTH_FOR_LOGGING = int(os.getenv("MAX_BASE64_LENGTH_FOR_LOGGING", 64))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dcf075e6a178be0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:52
LITELLM_DETAILED_TIMING = os.getenv("LITELLM_DETAILED_TIMING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8326ccde707b6e7b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:56
    os.getenv("MODEL_COST_MAP_MIN_MODEL_COUNT", 50)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b67811989a0d1ff Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:59
    os.getenv("MODEL_COST_MAP_MAX_SHRINK_RATIO", 0.5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4309038ded034598 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:61
DEFAULT_IMAGE_WIDTH = int(os.getenv("DEFAULT_IMAGE_WIDTH", 300))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3e38c98e0c8a65e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:62
DEFAULT_IMAGE_HEIGHT = int(os.getenv("DEFAULT_IMAGE_HEIGHT", 300))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b6241a591bb7bb8 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:67
MAX_IMAGE_URL_DOWNLOAD_SIZE_MB = float(os.getenv("MAX_IMAGE_URL_DOWNLOAD_SIZE_MB", 50))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b54db976ee9a303 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:69
    os.getenv("MAX_SIZE_PER_ITEM_IN_MEMORY_CACHE_IN_KB", 1024)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b54f0e319097dbab Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:76
    os.getenv("SINGLE_DEPLOYMENT_TRAFFIC_FAILURE_THRESHOLD", 1000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48b9b95254ae751f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:79
    os.getenv("DEFAULT_FAILURE_THRESHOLD_MINIMUM_REQUESTS", 5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11bf4aa2abacabdc Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:82
DEFAULT_REASONING_EFFORT_DISABLE_THINKING_BUDGET = int(os.getenv("DEFAULT_REASONING_EFFORT_DISABLE_THINKING_BUDGET", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a83ce8a65d385347 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:86
    os.getenv("DEFAULT_MCP_SEMANTIC_FILTER_EMBEDDING_MODEL", "text-embedding-3-small")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f43b4ee973dc1be5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:88
DEFAULT_MCP_SEMANTIC_FILTER_TOP_K = int(os.getenv("DEFAULT_MCP_SEMANTIC_FILTER_TOP_K", 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d51e3ce79e926b5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:90
    os.getenv("DEFAULT_MCP_SEMANTIC_FILTER_SIMILARITY_THRESHOLD", 0.3)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93204b9926261308 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:92
MAX_MCP_SEMANTIC_FILTER_TOOLS_HEADER_LENGTH = int(os.getenv("MAX_MCP_SEMANTIC_FILTER_TOOLS_HEADER_LENGTH", 150))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45fc2533de26952c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:96
    os.getenv("DEFAULT_SEMANTIC_GUARD_EMBEDDING_MODEL", "text-embedding-3-small")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b89bfa19e19255b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:98
DEFAULT_SEMANTIC_GUARD_SIMILARITY_THRESHOLD = float(os.getenv("DEFAULT_SEMANTIC_GUARD_SIMILARITY_THRESHOLD", 0.75))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44db888bdb86c363 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:101
MCP_OAUTH2_TOKEN_EXPIRY_BUFFER_SECONDS = int(os.getenv("MCP_OAUTH2_TOKEN_EXPIRY_BUFFER_SECONDS", "60"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21831937f1f71d75 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:102
MCP_OAUTH2_TOKEN_CACHE_MAX_SIZE = int(os.getenv("MCP_OAUTH2_TOKEN_CACHE_MAX_SIZE", "200"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79de9e8e7e486905 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:103
MCP_OAUTH2_TOKEN_CACHE_DEFAULT_TTL = int(os.getenv("MCP_OAUTH2_TOKEN_CACHE_DEFAULT_TTL", "3600"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fa028a07e831d80 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:108
MCP_NPM_CACHE_DIR = os.getenv("MCP_NPM_CACHE_DIR", "/tmp/.npm_mcp_cache")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d75475d5f843eeb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:109
MCP_OAUTH2_TOKEN_CACHE_MIN_TTL = int(os.getenv("MCP_OAUTH2_TOKEN_CACHE_MIN_TTL", "10"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0204720296b9ee30 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:114
    os.getenv("MCP_PER_USER_TOKEN_DEFAULT_TTL", "43200")  # 12 hours

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d2c6c0453190a2a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:116
MCP_PER_USER_TOKEN_EXPIRY_BUFFER_SECONDS = int(os.getenv("MCP_PER_USER_TOKEN_EXPIRY_BUFFER_SECONDS", "60"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42bfb85b9b4406a5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:119
MCP_CLIENT_TIMEOUT = float(os.getenv("LITELLM_MCP_CLIENT_TIMEOUT", "60.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e080317400425e60 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:120
MCP_TOOL_LISTING_TIMEOUT = float(os.getenv("LITELLM_MCP_TOOL_LISTING_TIMEOUT", "30.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e095f71f88d65302 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:121
MCP_METADATA_TIMEOUT = float(os.getenv("LITELLM_MCP_METADATA_TIMEOUT", "10.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71caa2dce64129a7 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:122
MCP_HEALTH_CHECK_TIMEOUT = float(os.getenv("LITELLM_MCP_HEALTH_CHECK_TIMEOUT", "10.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfc7229db50cbb43 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:129
_MCP_STDIO_EXTRA_COMMANDS = os.getenv("LITELLM_MCP_STDIO_EXTRA_COMMANDS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10cba003af1df60f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:135
MCP_TOKEN_EXCHANGE_CACHE_MAX_SIZE = int(os.getenv("MCP_TOKEN_EXCHANGE_CACHE_MAX_SIZE", "500"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7295d443b2a4e358 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:145
    os.getenv("DEFAULT_REASONING_EFFORT_MINIMAL_THINKING_BUDGET_GEMINI_2_5_FLASH", 1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38925396e40fd9c0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:148
    os.getenv("DEFAULT_REASONING_EFFORT_MINIMAL_THINKING_BUDGET_GEMINI_2_5_PRO", 128)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d0fd2d93a6beba0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:151
    os.getenv("DEFAULT_REASONING_EFFORT_MINIMAL_THINKING_BUDGET_GEMINI_2_5_FLASH_LITE", 512)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd2a0588e51b7135 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:165
    os.getenv("DEFAULT_REASONING_EFFORT_MINIMAL_THINKING_BUDGET", 128)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebeac191730178c7 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:183
DEFAULT_REASONING_EFFORT_LOW_THINKING_BUDGET = int(os.getenv("DEFAULT_REASONING_EFFORT_LOW_THINKING_BUDGET", 1024))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #523f0dc8e1f18377 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:185
    os.getenv("DEFAULT_REASONING_EFFORT_MEDIUM_THINKING_BUDGET", 2048)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #383d1c54e5c8dc84 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:187
DEFAULT_REASONING_EFFORT_HIGH_THINKING_BUDGET = int(os.getenv("DEFAULT_REASONING_EFFORT_HIGH_THINKING_BUDGET", 4096))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #434e14e32c5fef0c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:188
DEFAULT_REASONING_EFFORT_XHIGH_THINKING_BUDGET = int(os.getenv("DEFAULT_REASONING_EFFORT_XHIGH_THINKING_BUDGET", 8192))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55ec38c6b844726f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:189
DEFAULT_REASONING_EFFORT_MAX_THINKING_BUDGET = int(os.getenv("DEFAULT_REASONING_EFFORT_MAX_THINKING_BUDGET", 16384))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f5c93200536329f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:191
    os.getenv("MAX_TOKEN_TRIMMING_ATTEMPTS", 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e237a5a0494da68 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:194
RUNWAYML_DEFAULT_API_VERSION = str(os.getenv("RUNWAYML_DEFAULT_API_VERSION", "2024-11-06"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff086ba0196ed5a3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:195
RUNWAYML_POLLING_TIMEOUT = int(os.getenv("RUNWAYML_POLLING_TIMEOUT", 600))  # 10 minutes default for image generation

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #705a64320f679a2b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:202
AIOHTTP_CONNECTOR_LIMIT = int(os.getenv("AIOHTTP_CONNECTOR_LIMIT", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5689b14a49b794c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:203
AIOHTTP_CONNECTOR_LIMIT_PER_HOST = int(os.getenv("AIOHTTP_CONNECTOR_LIMIT_PER_HOST", 500))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46c45e43de906ac2 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:204
AIOHTTP_KEEPALIVE_TIMEOUT = int(os.getenv("AIOHTTP_KEEPALIVE_TIMEOUT", 120))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d669ccda29b2eff7 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:205
AIOHTTP_TTL_DNS_CACHE = int(os.getenv("AIOHTTP_TTL_DNS_CACHE", 300))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07b950f165667d5c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:212
AIOHTTP_SO_KEEPALIVE = os.getenv("AIOHTTP_SO_KEEPALIVE", "False").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50fe2dbfe9269d0c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:213
AIOHTTP_TCP_KEEPIDLE = int(os.getenv("AIOHTTP_TCP_KEEPIDLE", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2328cfb89035f103 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:214
AIOHTTP_TCP_KEEPINTVL = int(os.getenv("AIOHTTP_TCP_KEEPINTVL", 30))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c933706fb639efd2 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:215
AIOHTTP_TCP_KEEPCNT = int(os.getenv("AIOHTTP_TCP_KEEPCNT", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca47a18086e7102 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:228
_max_size_env = os.getenv("REALTIME_WEBSOCKET_MAX_MESSAGE_SIZE_BYTES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5047aa3870a8d80f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:234
DEFAULT_SSL_CIPHERS = os.getenv(
    "LITELLM_SSL_CIPHERS",
    # Priority 1: TLS 1.3 ciphers (fastest, ~50ms handshake)
    "TLS_AES_256_GCM_SHA384:"  # Fastest observed in testing
    "TLS_AES_128_GCM_SHA256:"  # Slightly faster than 256-bit
    "TLS_CHACHA20_POLY1305_SHA256:"  # Fast on ARM/mobile
    # Priority 2: TLS 1.2 ECDHE+GCM (fast, ~100ms handshake, widely supported)
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    # Priority 3: Additional modern ciphers (good balance)
    "ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    # Priority 4: Widely compatible fallbacks (slower but universally supported)
    "ECDHE-RSA-AES256-SHA384:"  # Common fallback
    "ECDHE-RSA-AES128-SHA256:"  # Very widely supported
    "AES256-GCM-SHA384:"  # Non-PFS fallback (compatibility)
    "AES128-GCM-SHA256",  # Last resort (maximum compatibility)
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b62b2f4df4701cce Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:263
MAX_REDIS_BUFFER_DEQUEUE_COUNT = int(os.getenv("MAX_REDIS_BUFFER_DEQUEUE_COUNT", 100))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01ef2371dd0c0675 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:265
LITELLM_ASYNCIO_QUEUE_MAXSIZE = int(os.getenv("LITELLM_ASYNCIO_QUEUE_MAXSIZE", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b5630ea76d30998 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:266
TOOL_POLICY_CACHE_TTL_SECONDS = int(os.getenv("TOOL_POLICY_CACHE_TTL_SECONDS", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #549a8961edbeebef Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:269
MAX_SIZE_IN_MEMORY_QUEUE = int(os.getenv("MAX_SIZE_IN_MEMORY_QUEUE", int(LITELLM_ASYNCIO_QUEUE_MAXSIZE * 0.8)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b316d5453f700df Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:270
MAX_IN_MEMORY_QUEUE_FLUSH_COUNT = int(os.getenv("MAX_IN_MEMORY_QUEUE_FLUSH_COUNT", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ed658323cbf8771 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:273
    os.getenv("MINIMUM_PROMPT_CACHE_TOKEN_COUNT", 1024)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8b3b968e6ad46ad Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:276
    os.getenv("DEFAULT_TRIM_RATIO", 0.75)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fbbe44d55ecd480 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:278
HOURS_IN_A_DAY = int(os.getenv("HOURS_IN_A_DAY", 24))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e1694ea0316b68f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:279
DAYS_IN_A_WEEK = int(os.getenv("DAYS_IN_A_WEEK", 7))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32321712ceb06dfc Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:280
DAYS_IN_A_MONTH = int(os.getenv("DAYS_IN_A_MONTH", 28))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4cadfd64526d88e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:281
DAYS_IN_A_YEAR = int(os.getenv("DAYS_IN_A_YEAR", 365))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d1afed89f138549 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:282
REPLICATE_MODEL_NAME_WITH_ID_LENGTH = int(os.getenv("REPLICATE_MODEL_NAME_WITH_ID_LENGTH", 64))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #078813a8c27792a4 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:284
FUNCTION_DEFINITION_TOKEN_COUNT = int(os.getenv("FUNCTION_DEFINITION_TOKEN_COUNT", 9))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6735c2cdacf1a4b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:285
SYSTEM_MESSAGE_TOKEN_COUNT = int(os.getenv("SYSTEM_MESSAGE_TOKEN_COUNT", 4))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fa8a1c3720c942f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:286
TOOL_CHOICE_OBJECT_TOKEN_COUNT = int(os.getenv("TOOL_CHOICE_OBJECT_TOKEN_COUNT", 4))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #564c7e3c71bd63c8 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:287
DEFAULT_MOCK_RESPONSE_PROMPT_TOKEN_COUNT = int(os.getenv("DEFAULT_MOCK_RESPONSE_PROMPT_TOKEN_COUNT", 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #954c9d20ae7e2b77 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:288
DEFAULT_MOCK_RESPONSE_COMPLETION_TOKEN_COUNT = int(os.getenv("DEFAULT_MOCK_RESPONSE_COMPLETION_TOKEN_COUNT", 20))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6298ea731f330640 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:289
MAX_SHORT_SIDE_FOR_IMAGE_HIGH_RES = int(os.getenv("MAX_SHORT_SIDE_FOR_IMAGE_HIGH_RES", 768))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b0891c41d0c331c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:290
MAX_LONG_SIDE_FOR_IMAGE_HIGH_RES = int(os.getenv("MAX_LONG_SIDE_FOR_IMAGE_HIGH_RES", 2000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8320f894dfe3628a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:291
MAX_TILE_WIDTH = int(os.getenv("MAX_TILE_WIDTH", 512))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a9c9f653e23f212 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:292
MAX_TILE_HEIGHT = int(os.getenv("MAX_TILE_HEIGHT", 512))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3ac1f3935617485 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:293
OPENAI_FILE_SEARCH_COST_PER_1K_CALLS = float(os.getenv("OPENAI_FILE_SEARCH_COST_PER_1K_CALLS", 2.5 / 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66896014cad498d5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:297
    os.getenv("AZURE_FILE_SEARCH_COST_PER_GB_PER_DAY", 0.1)  # $0.1 USD per 1 GB/Day

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c899eb7edc69673 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:300
    os.getenv("AZURE_COMPUTER_USE_INPUT_COST_PER_1K_TOKENS", 3.0)  # $0.003 USD per 1K Tokens

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f64dfed6ce81001c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:303
    os.getenv("AZURE_COMPUTER_USE_OUTPUT_COST_PER_1K_TOKENS", 12.0)  # $0.012 USD per 1K Tokens

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26789890159e4272 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:306
    os.getenv("AZURE_VECTOR_STORE_COST_PER_GB_PER_DAY", 0.1)  # $0.1 USD per 1 GB/Day (same as file search)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b4255e2aab46afd Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:308
MIN_NON_ZERO_TEMPERATURE = float(os.getenv("MIN_NON_ZERO_TEMPERATURE", 0.0001))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18f5a587d4a49431 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:311
    os.getenv("REPEATED_STREAMING_CHUNK_LIMIT", 100)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f07251828345c08 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:315
DEFAULT_MAX_LRU_CACHE_SIZE = int(os.getenv("DEFAULT_MAX_LRU_CACHE_SIZE", 64))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca02bf68ff181c93 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:317
INITIAL_RETRY_DELAY = float(os.getenv("INITIAL_RETRY_DELAY", 0.5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c5c7a004a608617 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:318
MAX_RETRY_DELAY = float(os.getenv("MAX_RETRY_DELAY", 8.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1310a2337510290d Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:319
JITTER = float(os.getenv("JITTER", 0.75))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6a772777d4b732b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:320
DEFAULT_IN_MEMORY_TTL = int(os.getenv("DEFAULT_IN_MEMORY_TTL", 5))  # default time to live for the in-memory cache

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72c2c37f728d51a1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:322
    os.getenv("DEFAULT_MAX_REDIS_BATCH_CACHE_SIZE", 1000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25b2f6fa348bdb4f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:325
    os.getenv("DEFAULT_POLLING_INTERVAL", 0.03)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b75999e12e259d36 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:327
AZURE_OPERATION_POLLING_TIMEOUT = int(os.getenv("AZURE_OPERATION_POLLING_TIMEOUT", 120))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bdf4945d2b965f3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:328
AZURE_DOCUMENT_INTELLIGENCE_API_VERSION = str(os.getenv("AZURE_DOCUMENT_INTELLIGENCE_API_VERSION", "2024-11-30"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3519c120f9da337 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:329
AZURE_DOCUMENT_INTELLIGENCE_DEFAULT_DPI = int(os.getenv("AZURE_DOCUMENT_INTELLIGENCE_DEFAULT_DPI", 96))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bbca8fb57f90930 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:330
REDIS_SOCKET_TIMEOUT = float(os.getenv("REDIS_SOCKET_TIMEOUT", 0.1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c31c84d9de7dafee Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:331
REDIS_CONNECTION_POOL_TIMEOUT = int(os.getenv("REDIS_CONNECTION_POOL_TIMEOUT", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #826f18563173ffe4 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:332
REDIS_CIRCUIT_BREAKER_FAILURE_THRESHOLD = int(os.getenv("REDIS_CIRCUIT_BREAKER_FAILURE_THRESHOLD", 5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d69f011bb7a689 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:333
REDIS_CIRCUIT_BREAKER_RECOVERY_TIMEOUT = int(os.getenv("REDIS_CIRCUIT_BREAKER_RECOVERY_TIMEOUT", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb8ee86974ba3aef Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:334
REDIS_CIRCUIT_BREAKER_ENABLED = os.getenv("REDIS_CIRCUIT_BREAKER_ENABLED", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b820c6fc39c7dd5 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:337
DEFAULT_REDIS_MAJOR_VERSION = int(os.getenv("DEFAULT_REDIS_MAJOR_VERSION", 7))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a8131cc01e001e1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:339
    os.getenv("NON_LLM_CONNECTION_TIMEOUT", 15)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c79942211624e95 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:341
MAX_EXCEPTION_MESSAGE_LENGTH = int(os.getenv("MAX_EXCEPTION_MESSAGE_LENGTH", 2000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c071205fe9696e3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:342
MAX_STRING_LENGTH_PROMPT_IN_DB = int(os.getenv("MAX_STRING_LENGTH_PROMPT_IN_DB", 2048))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e31677faf90d5941 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:343
BEDROCK_MAX_POLICY_SIZE = int(os.getenv("BEDROCK_MAX_POLICY_SIZE", 75))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bb8594b69a1349d Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:344
BEDROCK_MIN_THINKING_BUDGET_TOKENS = int(os.getenv("BEDROCK_MIN_THINKING_BUDGET_TOKENS", 1024))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c2e44b4ce0efa1c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:347
REPLICATE_POLLING_DELAY_SECONDS = float(os.getenv("REPLICATE_POLLING_DELAY_SECONDS", 0.5))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10523c50fb904be1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:348
DEFAULT_ANTHROPIC_CHAT_MAX_TOKENS = int(os.getenv("DEFAULT_ANTHROPIC_CHAT_MAX_TOKENS", 4096))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f914b9ee3472d71e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:350
TOGETHER_AI_4_B = int(os.getenv("TOGETHER_AI_4_B", 4))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98be6d68c65b7518 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:351
TOGETHER_AI_8_B = int(os.getenv("TOGETHER_AI_8_B", 8))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9adaebdda6a4b1bb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:352
TOGETHER_AI_21_B = int(os.getenv("TOGETHER_AI_21_B", 21))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #227ef3b278797208 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:353
TOGETHER_AI_41_B = int(os.getenv("TOGETHER_AI_41_B", 41))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #868e53122c70abc1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:354
TOGETHER_AI_80_B = int(os.getenv("TOGETHER_AI_80_B", 80))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64881ef4db422b3c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:355
TOGETHER_AI_110_B = int(os.getenv("TOGETHER_AI_110_B", 110))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce14df6a40212b3c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:356
TOGETHER_AI_EMBEDDING_150_M = int(os.getenv("TOGETHER_AI_EMBEDDING_150_M", 150))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cf62df2da434e30 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:357
TOGETHER_AI_EMBEDDING_350_M = int(os.getenv("TOGETHER_AI_EMBEDDING_350_M", 350))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #726128fbcfe76792 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:358
QDRANT_SCALAR_QUANTILE = float(os.getenv("QDRANT_SCALAR_QUANTILE", 0.99))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdc00e5ec3612354 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:359
QDRANT_VECTOR_SIZE = int(os.getenv("QDRANT_VECTOR_SIZE", 1536))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6fcfa5330baa75a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:360
CACHED_STREAMING_CHUNK_DELAY = float(os.getenv("CACHED_STREAMING_CHUNK_DELAY", 0.02))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b668bd20d08017b4 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:362
    os.getenv("AUDIO_SPEECH_CHUNK_SIZE", 8192)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31c6c9fa3d561a25 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:364
DEFAULT_MAX_TOKENS_FOR_TRITON = int(os.getenv("DEFAULT_MAX_TOKENS_FOR_TRITON", 2000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f99eee2c064eb8bb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:377
request_timeout: float = float(os.getenv("REQUEST_TIMEOUT", str(int(DEFAULT_REQUEST_TIMEOUT_SECONDS))))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #568342cbb1395f35 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:378
request_timeout_explicitly_set: bool = "REQUEST_TIMEOUT" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #094a17b2a454acbf Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:379
DEFAULT_A2A_AGENT_TIMEOUT: float = float(os.getenv("DEFAULT_A2A_AGENT_TIMEOUT", 6000))  # 10 minutes

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #095a0c77cda1720d Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:400
    os.getenv("DEFAULT_REPLICATE_GPU_PRICE_PER_SECOND", 0.001400)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29fc2f005d95c4aa Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:402
FIREWORKS_AI_56_B_MOE = int(os.getenv("FIREWORKS_AI_56_B_MOE", 56))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0935a24404cd8c03 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:403
FIREWORKS_AI_176_B_MOE = int(os.getenv("FIREWORKS_AI_176_B_MOE", 176))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4450bab3b55484cc Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:404
FIREWORKS_AI_4_B = int(os.getenv("FIREWORKS_AI_4_B", 4))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00f33e38e68db8d4 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:405
FIREWORKS_AI_16_B = int(os.getenv("FIREWORKS_AI_16_B", 16))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d3372b43498e6d0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:406
FIREWORKS_AI_80_B = int(os.getenv("FIREWORKS_AI_80_B", 80))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e62e738ef9d950a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:409
MAX_LANGFUSE_INITIALIZED_CLIENTS = int(os.getenv("MAX_LANGFUSE_INITIALIZED_CLIENTS", 50))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2824db5b7256a29e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:410
LOGGING_WORKER_CONCURRENCY = int(os.getenv("LOGGING_WORKER_CONCURRENCY", 100))  # Must be above 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eeef13695a2a681e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:411
LOGGING_WORKER_MAX_QUEUE_SIZE = int(os.getenv("LOGGING_WORKER_MAX_QUEUE_SIZE", 50_000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0880b991b8afbe5f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:412
LOGGING_WORKER_MAX_TIME_PER_COROUTINE = float(os.getenv("LOGGING_WORKER_MAX_TIME_PER_COROUTINE", 20.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90bd10dd35d2cc45 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:414
    os.getenv("LOGGING_WORKER_CLEAR_PERCENTAGE", 50)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79f8f0d105aa01c0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:416
MAX_ITERATIONS_TO_CLEAR_QUEUE = int(os.getenv("MAX_ITERATIONS_TO_CLEAR_QUEUE", 200))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #190e197eba301ded Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:417
MAX_TIME_TO_CLEAR_QUEUE = float(os.getenv("MAX_TIME_TO_CLEAR_QUEUE", 5.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51db819d45f43594 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:419
    os.getenv("LOGGING_WORKER_AGGRESSIVE_CLEAR_COOLDOWN_SECONDS", 0.5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6dc2ea32f1b14188 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:421
DD_TRACER_STREAMING_CHUNK_YIELD_RESOURCE = os.getenv(
    "DD_TRACER_STREAMING_CHUNK_YIELD_RESOURCE", "streaming.chunk.yield"
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d79aac54f55f59cb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:427
EMAIL_BUDGET_ALERT_TTL = int(os.getenv("EMAIL_BUDGET_ALERT_TTL", 24 * 60 * 60))  # 24 hours in seconds

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f4ba6f827c548f2 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:429
    os.getenv("EMAIL_BUDGET_ALERT_MAX_SPEND_ALERT_PERCENTAGE", 0.8)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5e1e8813b46ae2c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:433
ANTHROPIC_TOKEN_COUNTING_BETA_VERSION = os.getenv("ANTHROPIC_TOKEN_COUNTING_BETA_VERSION", "token-counting-2024-11-01")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b00c73af74bda784 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:448
DEFAULT_GOOGLE_VIDEO_DURATION_SECONDS = int(os.getenv("DEFAULT_GOOGLE_VIDEO_DURATION_SECONDS", 8))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce9c954387e7ead6 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:452
    os.getenv("DEFAULT_DATAFORSEO_LOCATION_CODE", 2250)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #302031b3e2f50361 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1260
HUMANLOOP_PROMPT_CACHE_TTL_SECONDS = int(os.getenv("HUMANLOOP_PROMPT_CACHE_TTL_SECONDS", 60))  # 1 minute

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9ea4d46634f9279 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1266
    os.getenv("PROMETHEUS_BUDGET_METRICS_REFRESH_INTERVAL_MINUTES", 5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb75a2284595cfda Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1268
CLOUDZERO_EXPORT_INTERVAL_MINUTES = int(os.getenv("CLOUDZERO_EXPORT_INTERVAL_MINUTES", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ee6aa447d5ecf33 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1270
MAXIMUM_TRACEBACK_LINES_TO_LOG = int(os.getenv("MAXIMUM_TRACEBACK_LINES_TO_LOG", 100))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efdf3b64ecfb5c77 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1293
    os.getenv("MAX_SPENDLOG_ROWS_TO_QUERY", 1_000_000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4657c38614f36f9f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1296
    os.getenv("DEFAULT_SOFT_BUDGET", 50.0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28c27ab510ba5d73 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1303
PYTHON_GC_THRESHOLD = os.getenv("PYTHON_GC_THRESHOLD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fff67c34f82e8fe Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1331
BATCH_STATUS_POLL_INTERVAL_SECONDS = int(os.getenv("BATCH_STATUS_POLL_INTERVAL_SECONDS", 3600))  # 1 hour

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfa43343efdebbf7 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1332
BATCH_STATUS_POLL_MAX_ATTEMPTS = int(os.getenv("BATCH_STATUS_POLL_MAX_ATTEMPTS", 24))  # for 24 hours

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c748582622671c0c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1334
HEALTH_CHECK_TIMEOUT_SECONDS = int(os.getenv("HEALTH_CHECK_TIMEOUT_SECONDS", 60))  # 60 seconds

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5684049f5c7bc4f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1335
_background_health_check_max_tokens_env = os.getenv("BACKGROUND_HEALTH_CHECK_MAX_TOKENS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3b6ca40e39a1f40 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1347
_background_health_check_max_tokens_reasoning_env = os.getenv("BACKGROUND_HEALTH_CHECK_MAX_TOKENS_REASONING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e12c62ff5f298c9f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1378
LITELLM_KEY_ROTATION_ENABLED = os.getenv("LITELLM_KEY_ROTATION_ENABLED", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8c74dc57a238b83 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1380
    os.getenv("LITELLM_KEY_ROTATION_CHECK_INTERVAL_SECONDS", 86400)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd176b5475e07607 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1382
LITELLM_KEY_ROTATION_GRACE_PERIOD: str = os.getenv(
    "LITELLM_KEY_ROTATION_GRACE_PERIOD", ""
)  # Duration to keep old key valid after rotation (e.g. "24h", "2d"); empty = immediate revoke (default)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a53e6070d56d3f57 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1386
    os.getenv("LITELLM_KEY_ROTATION_LOCK_TTL_SECONDS", 600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e37f81883f0eff70 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1389
LITELLM_EXPIRED_UI_SESSION_KEY_CLEANUP_ENABLED = os.getenv("LITELLM_EXPIRED_UI_SESSION_KEY_CLEANUP_ENABLED", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b537c41709289e30 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1391
    os.getenv("LITELLM_EXPIRED_UI_SESSION_KEY_CLEANUP_INTERVAL_SECONDS", 86400)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #700216ac145e1424 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1394
    os.getenv("LITELLM_EXPIRED_UI_SESSION_KEY_CLEANUP_BATCH_SIZE", 1000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1299f21d52d6fd0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1406
    os.getenv("CLI_JWT_EXPIRATION_HOURS") or os.getenv("LITELLM_CLI_JWT_EXPIRATION_HOURS") or 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #521039d8798078aa Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1410
CLI_SSO_CLAIM_MAP = os.getenv("CLI_SSO_CLAIM_MAP") or os.getenv("LITELLM_CLI_SSO_CLAIM_MAP") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b21220c860126f11 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1416
LITELLM_UI_SESSION_DURATION = os.getenv("LITELLM_UI_SESSION_DURATION", "24h")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff62c5d58419f1b0 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1424
CLOUDZERO_MAX_FETCHED_DATA_RECORDS = int(os.getenv("CLOUDZERO_MAX_FETCHED_DATA_RECORDS", 50000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3862fb3ebd5b612e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1428
SPEND_LOG_RUN_LOOPS = int(os.getenv("SPEND_LOG_RUN_LOOPS", 500))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0722ad9f4555a081 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1429
SPEND_LOG_CLEANUP_BATCH_SIZE = int(os.getenv("SPEND_LOG_CLEANUP_BATCH_SIZE", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab254b8697aab83a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1430
SPEND_LOG_CLEANUP_MAX_CONSECUTIVE_BATCH_FAILURES = int(os.getenv("SPEND_LOG_CLEANUP_MAX_CONSECUTIVE_BATCH_FAILURES", 3))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f70287036c7e85e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1432
    os.getenv("SPEND_LOG_CLEANUP_BATCH_FAILURE_BACKOFF_SECONDS", 0.5)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfe2eb5fa784bf8a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1434
SPEND_LOG_PARTITION_INTERVAL = os.getenv("SPEND_LOG_PARTITION_INTERVAL", "day")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1e6c45e8381580e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1435
SPEND_LOG_PARTITION_PRECREATE_AHEAD = int(os.getenv("SPEND_LOG_PARTITION_PRECREATE_AHEAD", 7))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b8de57f10ab20d8 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1436
SPEND_LOG_QUEUE_SIZE_THRESHOLD = int(os.getenv("SPEND_LOG_QUEUE_SIZE_THRESHOLD", 100))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fe64800e039eaf2 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1437
SPEND_LOG_QUEUE_POLL_INTERVAL = float(os.getenv("SPEND_LOG_QUEUE_POLL_INTERVAL", 2.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9349e0f02a18bbd Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1438
SPEND_COUNTER_RESEED_LOCKS_MAX_SIZE = int(os.getenv("SPEND_COUNTER_RESEED_LOCKS_MAX_SIZE", 10000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33e151d43ccb03a6 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1439
DEFAULT_CRON_JOB_LOCK_TTL_SECONDS = int(os.getenv("DEFAULT_CRON_JOB_LOCK_TTL_SECONDS", 60))  # 1 minute

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21db9aa645aeec27 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1440
PROXY_BUDGET_RESCHEDULER_MIN_TIME = int(os.getenv("PROXY_BUDGET_RESCHEDULER_MIN_TIME", 597))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29ae1e993b44a591 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1441
PROXY_BATCH_POLLING_INTERVAL = int(os.getenv("PROXY_BATCH_POLLING_INTERVAL", 3600))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa5fefcd4fcc5b8b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1442
MAX_OBJECTS_PER_POLL_CYCLE = max(1, int(os.getenv("MAX_OBJECTS_PER_POLL_CYCLE", 50)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd9e7720678a768c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1443
MANAGED_OBJECT_STALENESS_CUTOFF_DAYS = max(1, int(os.getenv("MANAGED_OBJECT_STALENESS_CUTOFF_DAYS", 7)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7653f9f876363372 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1444
STALE_OBJECT_CLEANUP_BATCH_SIZE = max(1, int(os.getenv("STALE_OBJECT_CLEANUP_BATCH_SIZE", 1000)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f400f6a6a860df8d Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1448
_batch_polling_env = os.getenv("PROXY_BATCH_POLLING_ENABLED", "true").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f31e30a0dee0ca3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1450
PROXY_BUDGET_RESCHEDULER_MAX_TIME = int(os.getenv("PROXY_BUDGET_RESCHEDULER_MAX_TIME", 605))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf0c67200ee500ac Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1451
PROXY_BATCH_WRITE_AT = int(os.getenv("PROXY_BATCH_WRITE_AT", 10))  # in seconds, increased from 10

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce0146237c930d5e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1455
APSCHEDULER_COALESCE = os.getenv("APSCHEDULER_COALESCE", "True").lower() in [

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ae80992e637745c Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1460
    os.getenv("APSCHEDULER_MISFIRE_GRACE_TIME", 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f67b76c1dde1006 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1462
APSCHEDULER_MAX_INSTANCES = int(os.getenv("APSCHEDULER_MAX_INSTANCES", 1))  # prevent concurrent job instances

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54832217af449d4e Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1463
APSCHEDULER_REPLACE_EXISTING = os.getenv("APSCHEDULER_REPLACE_EXISTING", "True").lower() in [

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90b37c1496d7a74f Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1472
DEFAULT_HEALTH_CHECK_INTERVAL = int(os.getenv("DEFAULT_HEALTH_CHECK_INTERVAL", 300))  # 5 minutes

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e76f023f457456cd Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1474
    os.getenv("DEFAULT_SHARED_HEALTH_CHECK_TTL", 300)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54fbe638e7d30abe Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1477
    os.getenv("DEFAULT_SHARED_HEALTH_CHECK_LOCK_TTL", 60)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52c4b744c7132745 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1480
PROMETHEUS_FALLBACK_STATS_SEND_TIME_HOURS = int(os.getenv("PROMETHEUS_FALLBACK_STATS_SEND_TIME_HOURS", 9))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71f01dbf5cf7a050 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1482
    os.getenv("DEFAULT_MODEL_CREATED_AT_TIME", 1677610602)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ffc9eefb2030f3a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1484
DEFAULT_SLACK_ALERTING_THRESHOLD = int(os.getenv("DEFAULT_SLACK_ALERTING_THRESHOLD", 300))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #056d24ed1ef646cb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1485
MAX_TEAM_LIST_LIMIT = int(os.getenv("MAX_TEAM_LIST_LIMIT", 20))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30b551f210f1a364 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1486
MAX_POLICY_ESTIMATE_IMPACT_ROWS = int(os.getenv("MAX_POLICY_ESTIMATE_IMPACT_ROWS", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66091da0c53d7beb Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1487
DEFAULT_PROMPT_INJECTION_SIMILARITY_THRESHOLD = float(os.getenv("DEFAULT_PROMPT_INJECTION_SIMILARITY_THRESHOLD", 0.7))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca2ade92e5ba5e8a Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1488
LENGTH_OF_LITELLM_GENERATED_KEY = int(os.getenv("LENGTH_OF_LITELLM_GENERATED_KEY", 16))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bd38527cb2e744d Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1489
SECRET_MANAGER_REFRESH_INTERVAL = int(os.getenv("SECRET_MANAGER_REFRESH_INTERVAL", 86400))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e383c4e3c933866b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1501
DEFAULT_MANAGEMENT_OBJECT_IN_MEMORY_CACHE_TTL = int(os.getenv("DEFAULT_MANAGEMENT_OBJECT_IN_MEMORY_CACHE_TTL", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cddabcd748efc44 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1502
DEFAULT_ACCESS_GROUP_CACHE_TTL = int(os.getenv("DEFAULT_ACCESS_GROUP_CACHE_TTL", 600))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72db6273d0ecf450 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1581
COROUTINE_CHECKER_MAX_SIZE_IN_MEMORY = int(os.getenv("COROUTINE_CHECKER_MAX_SIZE_IN_MEMORY", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf26b27ddf9a8ac1 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1584
DEFAULT_CHUNK_SIZE = int(os.getenv("DEFAULT_CHUNK_SIZE", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0af186bce40e4e3 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1585
DEFAULT_CHUNK_OVERLAP = int(os.getenv("DEFAULT_CHUNK_OVERLAP", 200))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0fbc7fdf3278d7b Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1588
S3_VECTORS_DEFAULT_DIMENSION = int(os.getenv("S3_VECTORS_DEFAULT_DIMENSION", 1024))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07f84a22920ca540 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1589
S3_VECTORS_DEFAULT_DISTANCE_METRIC = str(os.getenv("S3_VECTORS_DEFAULT_DISTANCE_METRIC", "cosine"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a6401ca41a52f49 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1593
MICROSOFT_USER_EMAIL_ATTRIBUTE = str(os.getenv("MICROSOFT_USER_EMAIL_ATTRIBUTE", "userPrincipalName"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #664b82fa2d04a3ac Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1594
MICROSOFT_USER_DISPLAY_NAME_ATTRIBUTE = str(os.getenv("MICROSOFT_USER_DISPLAY_NAME_ATTRIBUTE", "displayName"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b885503586ea3038 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1595
MICROSOFT_USER_ID_ATTRIBUTE = str(os.getenv("MICROSOFT_USER_ID_ATTRIBUTE", "id"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40c251c5f9b29324 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1596
MICROSOFT_USER_FIRST_NAME_ATTRIBUTE = str(os.getenv("MICROSOFT_USER_FIRST_NAME_ATTRIBUTE", "givenName"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92b558ade262d037 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1597
MICROSOFT_USER_LAST_NAME_ATTRIBUTE = str(os.getenv("MICROSOFT_USER_LAST_NAME_ATTRIBUTE", "surname"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac10ad2a5a9fab01 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1601
MAX_PAYLOAD_SIZE_FOR_DEBUG_LOG = int(os.getenv("MAX_PAYLOAD_SIZE_FOR_DEBUG_LOG", 102400))  # 100 KB

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #674f09a966b812e6 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1604
MAX_COMPETITOR_NAMES = int(os.getenv("MAX_COMPETITOR_NAMES", 100))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56eb0c1e69a20195 Environment-variable access.
pkgs/python/[email protected]/litellm/constants.py:1605
COMPETITOR_LLM_TEMPERATURE = float(os.getenv("COMPETITOR_LLM_TEMPERATURE", 0.3))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a367c4808d36032 Filesystem access.
pkgs/python/[email protected]/litellm/containers/endpoint_factory.py:40
    with open(config_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3957c24b465aa2e4 Environment-variable access.
pkgs/python/[email protected]/litellm/experimental_mcp_client/client.py:326
            if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5738005d34ce4df2 Environment-variable access.
pkgs/python/[email protected]/litellm/experimental_mcp_client/client.py:327
                safe_env[key] = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eed86db7519080d3 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:201
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56c0c0de70d2dab1 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:202
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d51bb89b4825f5a Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:208
                or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfabcf0a3fbf7c93 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:216
                or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1541628a7e727ee Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:414
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #959e3077fbf19c06 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:415
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #026b0935e3ae04e6 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:421
                or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b49c2473181fc9b Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:429
                or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca952c6e2e352881 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:572
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49845ef5fa9acca2 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:573
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35a072e9c6e17623 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:579
                or os.getenv("OPENAI_ORGANIZATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02dd2e3dad1458ce Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:587
                or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #297ef5c94d04156d Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:725
                or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f692b68a731f96b Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:726
                or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c28ff577483c0b15 Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:730
                optional_params.organization or litellm.organization or os.getenv("OPENAI_ORGANIZATION", None) or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7eac3a119ee201c Environment-variable access.
pkgs/python/[email protected]/litellm/fine_tuning/main.py:732
            api_key = optional_params.api_key or litellm.api_key or litellm.openai_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1134604c23e63bb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1041
    base_url={os.getenv("PROXY_BASE_URL", "http://0.0.0.0:4000")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d40e71fc66cb8885 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1086
        webhook_url = os.getenv("WEBHOOK_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1838a1f2cd585acb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1131
            email_logo_url = os.getenv("SMTP_SENDER_LOGO", os.getenv("EMAIL_LOGO_URL", None))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61de194b7eef93d7 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1132
            email_support_contact = os.getenv("EMAIL_SUPPORT_CONTACT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81a45332aefc0fcc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1150
            base_url = os.getenv("PROXY_BASE_URL", "http://0.0.0.0:4000")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d84ee49c4bc387 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1219
        email_logo_url = os.getenv("SMTP_SENDER_LOGO", os.getenv("EMAIL_LOGO_URL", None))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #243d54519e224544 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1220
        email_support_contact = os.getenv("EMAIL_SUPPORT_CONTACT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #782d66ee81f01642 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1330
                _digest_webhook = os.getenv("SLACK_WEBHOOK_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f772f37f7b2f6f7b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1357
        _proxy_base_url = os.getenv("PROXY_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1034d0735491ebad Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1383
            slack_webhook_url = os.getenv("SLACK_WEBHOOK_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1aa8757d4a83a5b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/SlackAlerting/slack_alerting.py:1459
                _proxy_base_url = os.getenv("PROXY_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0a583dfecde8c23 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/agentops/agentops.py:24
            api_key=os.getenv("AGENTOPS_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #388af143416fa2c5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/agentops/agentops.py:25
            service_name=os.getenv("AGENTOPS_SERVICE_NAME", "agentops"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14f8d124ac88d395 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/agentops/agentops.py:26
            deployment_environment=os.getenv("AGENTOPS_ENVIRONMENT", "production"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3096d60c2286176d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:59
            float(os.getenv("ARGILLA_SAMPLING_RATE"))  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30f8d9c59f865825 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:60
            if os.getenv("ARGILLA_SAMPLING_RATE") is not None and os.getenv("ARGILLA_SAMPLING_RATE").strip().isdigit()  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96fbb4c09b054da6 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:65
        _batch_size = os.getenv("ARGILLA_BATCH_SIZE", None) or litellm.argilla_batch_size

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d3c9b5041533ce1 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:88
        _credentials_api_key = argilla_api_key or os.getenv("ARGILLA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18775475ea79c211 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:92
        _credentials_base_url = argilla_base_url or os.getenv("ARGILLA_BASE_URL") or "http://localhost:6900/"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7f03f5d2fc577de Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:96
        _credentials_dataset_name = argilla_dataset_name or os.getenv("ARGILLA_DATASET_NAME") or "litellm-completion"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08f46f8556b59dd4 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:199
                float(os.getenv("LANGSMITH_SAMPLING_RATE"))  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bcae688b92b408e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:200
                if os.getenv("LANGSMITH_SAMPLING_RATE") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52adfe5f4e65fc18 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/argilla.py:201
                and os.getenv("LANGSMITH_SAMPLING_RATE").strip().isdigit()  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8441cecceb1e23a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/__init__.py:20
    api_key = getattr(litellm_params, "api_key", None) or os.environ.get("PHOENIX_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cdf7b96bb2f6f3d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:86
        space_id = os.environ.get("ARIZE_SPACE_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b474f28a175dce3 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:87
        space_key = os.environ.get("ARIZE_SPACE_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8321ac995a2b9618 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:88
        api_key = os.environ.get("ARIZE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #264789f8579ed917 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:89
        project_name = os.environ.get("ARIZE_PROJECT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3498af47c4489cf6 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:91
        grpc_endpoint = os.environ.get("ARIZE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa75101be09aaaca Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize.py:92
        http_endpoint = os.environ.get("ARIZE_HTTP_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1a1046285d63cbb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:284
            os.environ.get("PHOENIX_PROJECT_NAME") or os.environ.get("ARIZE_PROJECT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a663e17b78262cdf Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:396
        api_key = os.environ.get("PHOENIX_API_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1be001ead34bdb8 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:398
        collector_endpoint = os.environ.get("PHOENIX_COLLECTOR_HTTP_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cf7cdea8e742086 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:401
            grpc_endpoint = os.environ.get("PHOENIX_COLLECTOR_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ed2e417f496dc0c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:402
            http_endpoint = os.environ.get("PHOENIX_COLLECTOR_HTTP_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf18af594f32401a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/arize/arize_phoenix.py:441
        project_name = os.environ.get("PHOENIX_PROJECT_NAME") or "default"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7f590bbc02825bc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/athina.py:10
        self.athina_api_key = os.getenv("ATHINA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26779097765603fe Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/athina.py:15
        self.athina_logging_url = os.getenv("ATHINA_BASE_URL", "https://log.athina.ai") + "/api/v1/log/inference"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d25014f3db1d68f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:68
        resolved_dcr_immutable_id = dcr_immutable_id or os.getenv("AZURE_SENTINEL_DCR_IMMUTABLE_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27d750d3d6de9232 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:69
        resolved_stream_name = stream_name or os.getenv("AZURE_SENTINEL_STREAM_NAME") or "Custom-LiteLLM"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ab862d8ba7e0723 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:71
        resolved_endpoint = endpoint or os.getenv("AZURE_SENTINEL_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34843a932c60bdf4 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:72
        resolved_tenant_id = tenant_id or os.getenv("AZURE_SENTINEL_TENANT_ID") or os.getenv("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdf8ca928493f8a9 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:73
        resolved_client_id = client_id or os.getenv("AZURE_SENTINEL_CLIENT_ID") or os.getenv("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c78ea0affe47655 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_sentinel/azure_sentinel.py:75
            client_secret or os.getenv("AZURE_SENTINEL_CLIENT_SECRET") or os.getenv("AZURE_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f683134f52417691 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:30
            self.tenant_id = os.getenv("AZURE_STORAGE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d23ee9d52589386 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:31
            self.client_id = os.getenv("AZURE_STORAGE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef8c6f2aa41bb5eb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:32
            self.client_secret = os.getenv("AZURE_STORAGE_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38d84ac5b5404d4b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:33
            self.azure_storage_account_key: Optional[str] = os.getenv("AZURE_STORAGE_ACCOUNT_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eedbd5f832c055ba Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:36
            _azure_storage_account_name = os.getenv("AZURE_STORAGE_ACCOUNT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d4bd75c008e737d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/azure_storage/azure_storage.py:40
            _azure_storage_file_system = os.getenv("AZURE_STORAGE_FILE_SYSTEM")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f45b9a78e552366 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/braintrust_logging.py:44
        self.api_base = api_base or os.getenv("BRAINTRUST_API_BASE") or API_BASE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9bb53b5f2c3ebe6 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/braintrust_logging.py:46
        self.api_key: str = api_key or os.getenv("BRAINTRUST_API_KEY")  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ed911fde36fc2fe Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/braintrust_logging.py:63
        if api_key is None and os.getenv("BRAINTRUST_API_KEY", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb4d4f1abacc39dd Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/braintrust_mock_client.py:54
_MOCK_LATENCY_SECONDS = float(os.getenv("BRAINTRUST_MOCK_LATENCY_MS", "100")) / 1000.0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d7be9993a1b0832 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/cloudzero/cloudzero.py:37
        self.api_key = api_key or os.getenv("CLOUDZERO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce2c9de8ed174348 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/cloudzero/cloudzero.py:38
        self.connection_id = connection_id or os.getenv("CLOUDZERO_CONNECTION_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a778e8d6ebb00dd Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/cloudzero/cloudzero.py:39
        self.timezone = timezone or os.getenv("CLOUDZERO_TIMEZONE", "UTC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bb813401628c9cf Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:73
    raw = os.getenv("DD_BATCH_SIZE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d9049524ae30cee Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:144
            resolved_agent_host = dd_agent_host or os.getenv("LITELLM_DD_AGENT_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48ed6c5eaa6bcf12 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:206
        resolved_port = dd_agent_port or os.getenv("LITELLM_DD_AGENT_PORT", "10518")  # default port for logs

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d4558cbf70f5e6e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:209
            os.getenv("DD_API_KEY") if allow_env_credentials else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1af48fac4d3b4164 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:230
        resolved_api_key = dd_api_key or (os.getenv("DD_API_KEY") if allow_env_credentials else None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6a9c6bfb44689ad Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog.py:231
        resolved_site = dd_site or os.getenv("DD_SITE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd520c1471aed485 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_cost_management.py:49
        self.dd_api_key = os.getenv("DD_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c530736cdd57a1a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_cost_management.py:50
        self.dd_app_key = os.getenv("DD_APP_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #832701da5847e337 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_cost_management.py:51
        self.dd_site = os.getenv("DD_SITE", "datadoghq.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26b114fdbe8e35a2 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:12
    return os.getenv("DD_SOURCE", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25062d532fff7898 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:16
    return os.getenv("DD_SERVICE", "litellm-server")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c064c0a48209effa Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:20
    return os.getenv("HOSTNAME", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4365bc80c9ef94d9 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:28
    return os.getenv("DD_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b10767214342a04 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:32
    return os.getenv("DD_ENV", "unknown")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1580a0ebf3babd7 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:36
    return os.getenv("POD_NAME", "unknown")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c930026e46a3367e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_handler.py:52
        "version": os.getenv("DD_VERSION", "unknown"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6288b46ef7050f49 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:61
            dd_agent_host = os.getenv("LITELLM_DD_AGENT_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8771cd7886b9c3f4 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:64
            self.DD_API_KEY = os.getenv("DD_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6783c63d03bc9274 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:70
                if os.getenv("DD_API_KEY", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dcfd4f52d6a2972 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:72
                if os.getenv("DD_SITE", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8453222c20a7a964 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:103
        agent_port = os.getenv("LITELLM_DD_LLM_OBS_PORT", "8126")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #495ed3a973735e02 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_llm_obs.py:115
        self.DD_SITE = os.getenv("DD_SITE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #937c6755db5b7adc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_metrics.py:32
        self.dd_api_key = os.getenv("DD_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f683023eb78d181 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_metrics.py:33
        self.dd_app_key = os.getenv("DD_APP_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7408c7eae707fc5f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_metrics.py:34
        self.dd_site = os.getenv("DD_SITE", "datadoghq.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e42ca33792c91b59 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/datadog/datadog_metrics.py:72
            f"version:{os.getenv('DD_VERSION', 'unknown')}",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf074d37addace02 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/deepeval/deepeval.py:24
        api_key = os.getenv("CONFIDENT_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec435eda9ac28c25 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/deepeval/deepeval.py:25
        self.litellm_environment = os.getenv("LITELM_ENVIRONMENT", "development")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b4ba669e6807fe1 Filesystem access.
pkgs/python/[email protected]/litellm/integrations/dotprompt/prompt_manager.py:151
        content = file_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d9ddda942d9fb51 Filesystem access.
pkgs/python/[email protected]/litellm/integrations/dotprompt/prompt_manager.py:308
        content = file_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0929e6d88f26131 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/dynamodb.py:19
        self.dynamodb: Any = boto3.resource("dynamodb", region_name=os.environ["AWS_REGION_NAME"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ce869c4fde4f4f7 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/email_alerting.py:79
    email_logo_url = os.getenv("SMTP_SENDER_LOGO", os.getenv("EMAIL_LOGO_URL", None))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a88d7e1f3f27c5f5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/email_alerting.py:80
    email_support_contact = os.getenv("EMAIL_SUPPORT_CONTACT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6eaadae45496648 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:46
                "bucket_name": overrides.get("bucket_name") or os.getenv("FOCUS_S3_BUCKET_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81d0065925a0210d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:47
                "region_name": overrides.get("region_name") or os.getenv("FOCUS_S3_REGION_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #668f513aca5c2783 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:48
                "endpoint_url": overrides.get("endpoint_url") or os.getenv("FOCUS_S3_ENDPOINT_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af3ea8eddabb4402 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:49
                "aws_access_key_id": overrides.get("aws_access_key_id") or os.getenv("FOCUS_S3_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #359b493a89829d0e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:50
                "aws_secret_access_key": overrides.get("aws_secret_access_key") or os.getenv("FOCUS_S3_SECRET_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ef6774ad44ff23f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:51
                "aws_session_token": overrides.get("aws_session_token") or os.getenv("FOCUS_S3_SESSION_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b15416b96ad39c9c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:58
                "api_key": overrides.get("api_key") or os.getenv("VANTAGE_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e11e102edb1e662e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:59
                "integration_token": overrides.get("integration_token") or os.getenv("VANTAGE_INTEGRATION_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc3eb490af4d536d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:60
                "base_url": overrides.get("base_url") or os.getenv("VANTAGE_BASE_URL", "https://api.vantage.sh"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2dce8addbcf1731 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:69
                "bucket_name": overrides.get("bucket_name") or os.getenv("FOCUS_GCS_BUCKET_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #032441a2cfe16121 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:71
                or os.getenv("FOCUS_GCS_PATH_SERVICE_ACCOUNT"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5086db9e399d2fff Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:78
                "api_key": overrides.get("api_key") or os.getenv("MAVVRIK_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df55229653c0b5df Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:79
                "api_endpoint": overrides.get("api_endpoint") or os.getenv("MAVVRIK_API_ENDPOINT"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e583661cc390304 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/destinations/factory.py:80
                "connection_id": overrides.get("connection_id") or os.getenv("MAVVRIK_CONNECTION_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7d087c8ceec0b63 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:41
        self.provider = (provider or os.getenv("FOCUS_PROVIDER") or "s3").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99df268a27712bf8 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:42
        self.export_format = (export_format or os.getenv("FOCUS_FORMAT") or "parquet").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a78283ec09853d9c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:43
        self.frequency = (frequency or os.getenv("FOCUS_FREQUENCY") or "hourly").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b0d82f80d72e934 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:45
            cron_offset_minute if cron_offset_minute is not None else int(os.getenv("FOCUS_CRON_OFFSET", "5"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d66df3294f9a923f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:47
        raw_interval = interval_seconds if interval_seconds is not None else os.getenv("FOCUS_INTERVAL_SECONDS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d1853a9c25a6a49 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/focus/focus_logger.py:57
        env_prefix = os.getenv("FOCUS_PREFIX")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4bbb93fad85b8d1 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:64
        self.api_key = os.getenv("GALILEO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28580c7e58b68949 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:65
        self.project_id = os.getenv("GALILEO_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17ed3959b2d55a37 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:66
        self.log_stream_id = os.getenv("GALILEO_LOG_STREAM_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9968c1ccc2d72371 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:67
        self.username = os.getenv("GALILEO_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1dd457f1984a4dd Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:68
        self.password = os.getenv("GALILEO_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0351a5974ea0e3c3 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/galileo.py:69
        self.base_url = self._normalize_base_url(os.getenv("GALILEO_BASE_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1255ecdb337e1ca0 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket.py:34
        self.batch_size = int(os.getenv("GCS_BATCH_SIZE", GCS_DEFAULT_BATCH_SIZE))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51086b0451e72367 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket.py:35
        self.flush_interval = int(os.getenv("GCS_FLUSH_INTERVAL", GCS_DEFAULT_FLUSH_INTERVAL_SECONDS))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9455180f9b2bbb3 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket.py:37
            os.getenv("GCS_USE_BATCHED_LOGGING", str(GCS_DEFAULT_USE_BATCHED_LOGGING).lower()).lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7cdb29216704f79 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket_base.py:41
        _path_service_account = os.getenv("GCS_PATH_SERVICE_ACCOUNT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8f960b472b2d26a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket_base.py:42
        _bucket_name = bucket_name or os.getenv("GCS_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2051b8ed1004d4ac Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_bucket/gcs_bucket_base.py:92
        project_id = os.getenv("GOOGLE_SECRET_MANAGER_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #497966c73136b838 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_pubsub/pub_sub.py:53
        self.project_id = project_id or os.getenv("GCS_PUBSUB_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c8f8ef96995db60 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_pubsub/pub_sub.py:54
        self.topic_id = topic_id or os.getenv("GCS_PUBSUB_TOPIC_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfe15ac2e6edff13 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/gcs_pubsub/pub_sub.py:55
        self.path_service_account_json = credentials_path or os.getenv("GCS_PATH_SERVICE_ACCOUNT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e935d5afed21dd57 Filesystem access.
pkgs/python/[email protected]/litellm/integrations/generic_api/generic_api_callback.py:41
        with open(json_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2bd541b437b5201 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/generic_api/generic_api_callback.py:90
        return os.getenv(env_var_name, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #699fa25a7c585b74 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/generic_api/generic_api_callback.py:154
        endpoint = endpoint or os.getenv("GENERIC_LOGGER_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e520d182e88417a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/generic_api/generic_api_callback.py:206
        env_headers = os.getenv("GENERIC_LOGGER_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcba49405fa40965 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/greenscale.py:12
        self.greenscale_api_key = os.getenv("GREENSCALE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce5dea6c771dde6e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/greenscale.py:17
        self.greenscale_logging_url = os.getenv("GREENSCALE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37953280f4ff48b4 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/helicone.py:37
        self.key = os.getenv("HELICONE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #307596f467bd5477 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/helicone.py:38
        self.api_base = os.getenv("HELICONE_API_BASE") or "https://api.hconeai.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0835aa20cd46ffb3 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:51
        if os.getenv("LAGO_API_KEY", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d20da42f7beb5d26 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:54
        if os.getenv("LAGO_API_BASE", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cec40825e4d3ee6d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:57
        if os.getenv("LAGO_API_EVENT_CODE", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ad33d1a29e28cc5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:89
        if os.getenv("LAGO_API_CHARGE_BY", None) is not None and isinstance(os.environ["LAGO_API_CHARGE_BY"], str):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a266baeb307b437 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:90
            if os.environ["LAGO_API_CHARGE_BY"] in [

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1134f121eba2c0cb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:95
                charge_by = os.environ["LAGO_API_CHARGE_BY"]  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8125b45d6cef1bbf Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:117
                "code": os.getenv("LAGO_API_EVENT_CODE"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f67471caab5a3c8e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:126
        _url = os.getenv("LAGO_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e736c372dcc33d8a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:135
        api_key = os.getenv("LAGO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #556f987de8477c22 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:160
            _url = os.getenv("LAGO_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5673ca9c3956d75 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/lago.py:169
            api_key = os.getenv("LAGO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a28b2532e01121d8 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:98
        secret_key = langfuse_secret or langfuse_secret_key or os.getenv("LANGFUSE_SECRET_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed26c6db4a66262f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:99
        public_key = langfuse_public_key or os.getenv("LANGFUSE_PUBLIC_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #940960537aaad4cb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:101
    resolved_host = langfuse_host or os.getenv("LANGFUSE_HOST", "https://cloud.langfuse.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #defbc474609d5724 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:132
        self.langfuse_release = os.getenv("LANGFUSE_RELEASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b615dbe9a71cc78b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:133
        self.langfuse_debug = os.getenv("LANGFUSE_DEBUG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a52b4f1f150e0ecc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:162
            os.environ["LANGFUSE_PROJECT_ID"] = "mock-project-id"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d379a3fba0b0542b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:167
                os.environ["LANGFUSE_PROJECT_ID"] = project_id

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ff9876a34c5de30 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:171
        if os.getenv("UPSTREAM_LANGFUSE_SECRET_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b822bbba6ab03e53 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:172
            upstream_langfuse_debug_env = os.getenv("UPSTREAM_LANGFUSE_DEBUG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fb0a0373c30ecbe Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:176
            self.upstream_langfuse_secret_key = os.getenv("UPSTREAM_LANGFUSE_SECRET_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4e30e80ec555fed Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:177
            self.upstream_langfuse_public_key = os.getenv("UPSTREAM_LANGFUSE_PUBLIC_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0706bb904ea12553 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:178
            self.upstream_langfuse_host = os.getenv("UPSTREAM_LANGFUSE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44697f08f59ba07d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:179
            self.upstream_langfuse_release = os.getenv("UPSTREAM_LANGFUSE_RELEASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ee6432cac2ed833 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:649
                proxy_base_url = os.environ.get("PROXY_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8290f77c99de58cb Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse.py:931
        return int(os.getenv("LANGFUSE_FLUSH_INTERVAL") or flush_interval)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fce084750e84f87 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:224
        langfuse_environment = os.environ.get("LANGFUSE_TRACING_ENVIRONMENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d37cb6d60ab3a2d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:254
        return os.environ.get("LANGFUSE_OTEL_HOST") or os.environ.get("LANGFUSE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #971f755e59163699 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:263
        public_key = os.environ.get("LANGFUSE_PUBLIC_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac24b6789786a31c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:264
        secret_key = os.environ.get("LANGFUSE_SECRET_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c84ab1ec7a5b8896 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:311
        public_key = os.environ.get("LANGFUSE_PUBLIC_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2e55dedc8ed5bf2 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_otel.py:312
        secret_key = os.environ.get("LANGFUSE_SECRET_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #247c875e368a0d1d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:86
    langfuse_release = os.getenv("LANGFUSE_RELEASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d4478605243bf7d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:87
    langfuse_debug = os.getenv("LANGFUSE_DEBUG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb958f1c97a14e0d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langfuse/langfuse_prompt_management.py:110
            cert=os.getenv("SSL_CERTIFICATE", litellm.ssl_certificate),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b61468b250ecb2b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:66
            langsmith_sampling_rate or float(os.getenv("LANGSMITH_SAMPLING_RATE"))  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8122ed8f95726468 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:67
            if os.getenv("LANGSMITH_SAMPLING_RATE") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6920b7c3c40de89d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:68
            and os.getenv("LANGSMITH_SAMPLING_RATE").strip().isdigit()  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf757041f85c9204 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:71
        self.langsmith_default_run_name = os.getenv("LANGSMITH_DEFAULT_RUN_NAME", "LLMRun")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79db490eee35d856 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:73
        _batch_size = os.getenv("LANGSMITH_BATCH_SIZE", None) or litellm.langsmith_batch_size

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a27cdde583dfbb96 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:111
            _credentials_api_key = langsmith_api_key or os.getenv("LANGSMITH_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0050615ba69888e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:112
            _credentials_project = langsmith_project or os.getenv("LANGSMITH_PROJECT") or "litellm-completion"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64981875c7b62447 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:114
                langsmith_base_url or os.getenv("LANGSMITH_BASE_URL") or "https://api.smith.langchain.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85dfe0da84675e00 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/langsmith.py:116
            _credentials_tenant_id = langsmith_tenant_id or os.getenv("LANGSMITH_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4dba388c8f35d3e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/levo/levo.py:52
        api_key = os.environ.get("LEVOAI_API_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e06aa923541cf76b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/levo/levo.py:53
        org_id = os.environ.get("LEVOAI_ORG_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1bbaf3c2567f05c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/levo/levo.py:54
        workspace_id = os.environ.get("LEVOAI_WORKSPACE_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9be9d6e98975ec49 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/levo/levo.py:55
        collector_url = os.environ.get("LEVOAI_COLLECTOR_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b099473dadbf8f25 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/literal_ai.py:28
        self.literalai_api_url = os.getenv("LITERAL_API_URL") or literalai_api_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37167c27015a623b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/literal_ai.py:31
            "x-api-key": literalai_api_key or os.getenv("LITERAL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f0c419a893d7b0f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/literal_ai.py:38
        batch_size = os.getenv("LITERAL_BATCH_SIZE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e119e3f2f48af41 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/logfire_logger.py:36
                logfire.configure(token=os.getenv("LOGFIRE_TOKEN"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a029508c6c667d8f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mavvrik_focus/mavvrik_focus_logger.py:87
        frequency = os.getenv("MAVVRIK_FOCUS_FREQUENCY", "daily").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc677ebaab2c577b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mavvrik_focus/mavvrik_focus_logger.py:101
                "api_key": os.getenv("MAVVRIK_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #174e031270ab1a1f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mavvrik_focus/mavvrik_focus_logger.py:102
                "api_endpoint": os.getenv("MAVVRIK_API_ENDPOINT"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83a5a4386c1dc3f9 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mavvrik_focus/mavvrik_focus_logger.py:103
                "connection_id": os.getenv("MAVVRIK_CONNECTION_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa0f90ac49ffa0cd Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mavvrik_focus/mavvrik_focus_logger.py:107
        raw = os.getenv("MAVVRIK_FOCUS_MAX_ROWS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd73ee26a5857041 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mock_client_factory.py:123
    _MOCK_LATENCY_SECONDS = float(os.getenv(latency_env, str(config.default_latency_ms))) / 1000.0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81b1dbc86350a1fc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/mock_client_factory.py:270
        mock_mode = os.getenv(config.env_var, "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb0ec17ba873daca Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/newrelic/newrelic.py:96
        self.license_key = os.getenv("NEW_RELIC_LICENSE_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc0f1720f9efc7f6 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/newrelic/newrelic.py:97
        self.app_name = os.getenv("NEW_RELIC_APP_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2027056898cbbfc0 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/newrelic/newrelic.py:164
        raw = os.getenv(var_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c1a14ce5199ce65 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:44
        if os.getenv("OPENMETER_API_KEY", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75d27267f086abbe Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:70
        trust_request_user = os.getenv("OPENMETER_TRUST_REQUEST_USER", "true").lower() != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #644d4c7bca1d4b9e Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:90
            "type": os.getenv("OPENMETER_EVENT_TYPE", "litellm_tokens"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa6403da58f7570b Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:99
        _url = os.getenv("OPENMETER_API_ENDPOINT", "https://openmeter.cloud")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cecbff5d5d5ad1f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:105
        api_key = os.getenv("OPENMETER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19f6577cbe7dc994 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:125
        _url = os.getenv("OPENMETER_API_ENDPOINT", "https://openmeter.cloud")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fde55c5a36b44589 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/openmeter.py:131
        api_key = os.getenv("OPENMETER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f54f1a1a6b45dd71 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:69
LITELLM_TRACER_NAME = os.getenv("OTEL_TRACER_NAME", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #228bf25cd639b064 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:70
LITELLM_METER_NAME = os.getenv("LITELLM_METER_NAME", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96330e057bbc11b2 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:71
LITELLM_LOGGER_NAME = os.getenv("LITELLM_LOGGER_NAME", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e1767e77431e8ce Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:250
            self.service_name = os.getenv("OTEL_SERVICE_NAME", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d695dab80b505c63 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:252
            self.deployment_environment = os.getenv("OTEL_ENVIRONMENT_NAME", "production")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #913cd231bdf607e2 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:254
            self.model_id = os.getenv("OTEL_MODEL_ID", self.service_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e785025bef3bc7fa Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:256
            self.ignore_context_propagation = str_to_bool(os.getenv("OTEL_IGNORE_CONTEXT_PROPAGATION"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdaf952fb63cd709 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:259
        self.semconv_stability_opt_in |= parse_semconv_opt_in(os.getenv(OTEL_SEMCONV_STABILITY_OPT_IN_ENV))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c25864b93f20498d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:262
        ) or _normalize_team_metadata_keys(os.getenv("LITELLM_OTEL_BAGGAGE_TEAM_METADATA_KEYS"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6df8d4a33e541658 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:277
        exporter = os.getenv("OTEL_EXPORTER_OTLP_PROTOCOL", os.getenv("OTEL_EXPORTER", "console"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dad29c2046491f4c Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:278
        endpoint = os.getenv("OTEL_EXPORTER_OTLP_ENDPOINT", os.getenv("OTEL_ENDPOINT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecaa27b25f4e833d Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:279
        headers = os.getenv(
            "OTEL_EXPORTER_OTLP_HEADERS", os.getenv("OTEL_HEADERS")
        )  # example: OTEL_HEADERS=x-honeycomb-team=B85YgLm96***"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1123d779c5db9328 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:280
            "OTEL_EXPORTER_OTLP_HEADERS", os.getenv("OTEL_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecab41b9aa6a1bcc Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:282
        enable_metrics: bool = os.getenv("LITELLM_OTEL_INTEGRATION_ENABLE_METRICS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8015a63406e16686 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:283
        enable_events: bool = os.getenv("LITELLM_OTEL_INTEGRATION_ENABLE_EVENTS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db3cbdb170bcda1a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:284
        service_name = os.getenv("OTEL_SERVICE_NAME", "litellm")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dbfb248305f7488 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:285
        deployment_environment = os.getenv("OTEL_ENVIRONMENT_NAME", "production")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53d2570ea1e9fc92 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:286
        model_id = os.getenv("OTEL_MODEL_ID", service_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ada84bd3125317c3 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:339
        _debug_otel = str(os.getenv("DEBUG_OTEL", "False")).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e872fe30f71f5972 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:495
        explicit = self.config.capture_message_content or os.getenv(
            "OTEL_INSTRUMENTATION_GENAI_CAPTURE_MESSAGE_CONTENT"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9caf16bae5d908ea Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opentelemetry.py:2866
        otel_logs_exporter = os.getenv("OTEL_LOGS_EXPORTER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4786daa10967b493 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/opik/utils.py:56
    return os.getenv((env_prefix + key).upper(), None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc566ee08eb39125 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/otel/mount.py:116
            os.environ.get("OTEL_PYTHON_FASTAPI_EXCLUDED_URLS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13294174dd577eb0 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/otel/mount.py:117
            if "OTEL_PYTHON_FASTAPI_EXCLUDED_URLS" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60d1174803390161 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/posthog.py:54
            if os.getenv("POSTHOG_API_KEY", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9690ed620e100a5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/posthog.py:60
            self.POSTHOG_API_KEY = os.getenv("POSTHOG_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f325764beb5a792f Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/posthog.py:61
            posthog_api_url = os.getenv("POSTHOG_API_URL", "https://us.i.posthog.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43561981978120cd Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/prometheus.py:3578
        if "PROMETHEUS_MULTIPROC_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f43f5caf15d25b5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/prompt_layer.py:15
        self.key = os.getenv("PROMPTLAYER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d3b6d3067a11160 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/rubrik.py:80
        rbrk_sampling_rate = os.getenv("RUBRIK_SAMPLING_RATE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdb9095887064412 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/rubrik.py:90
        self.key = api_key or os.getenv("RUBRIK_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #016a359375d7a365 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/rubrik.py:93
        _batch_size = os.getenv("RUBRIK_BATCH_SIZE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #105a328361c18b74 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/rubrik.py:109
        _webhook_url = api_base or os.getenv("RUBRIK_WEBHOOK_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6505366156b29f33 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/supabase.py:18
        self.supabase_url = os.getenv("SUPABASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23b3c340cbd88db2 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/supabase.py:19
        self.supabase_key = os.getenv("SUPABASE_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b09cf77e5f03948 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/vantage/vantage_logger.py:46
        resolved_api_key = api_key or os.getenv("VANTAGE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e90abd63e4d086e5 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/vantage/vantage_logger.py:47
        resolved_token = integration_token or os.getenv("VANTAGE_INTEGRATION_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #205b8932e0cb33d1 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/vantage/vantage_logger.py:48
        resolved_base_url = base_url or os.getenv("VANTAGE_BASE_URL", "https://api.vantage.sh")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a753dc1a8389dc4a Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/vantage/vantage_logger.py:49
        resolved_frequency = (frequency or os.getenv("VANTAGE_EXPORT_FREQUENCY") or "hourly").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab69e40b9538c196 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/vantage/vantage_logger.py:51
        raw_interval = interval_seconds or os.getenv("VANTAGE_EXPORT_INTERVAL_SECONDS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee8c2030ed871277 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:134
    api_key = os.getenv("WANDB_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f739e6a881118826 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:135
    project_id = os.getenv("WANDB_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e67f98775718057 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:136
    host = os.getenv("WANDB_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bad6cfc19a479e4 Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:161
    os.environ["OTEL_EXPORTER_OTLP_ENDPOINT"] = endpoint

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #195a96ac7f605cef Environment-variable access.
pkgs/python/[email protected]/litellm/integrations/weave/weave_otel.py:162
    os.environ["OTEL_EXPORTER_OTLP_HEADERS"] = otlp_auth_headers

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #873548b7876cc951 Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/audio_utils/utils.py:70
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4f75dacc02fc632 Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/audio_utils/utils.py:88
                with open(str(content), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb744600f2a8f82b Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/audio_utils/utils.py:174
                with open(str(file_content_obj), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8e4b3ad95534107 Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/audio_utils/utils.py:220
    return open(file_path, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e70f34dd91c3303c Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/audio_utils/utils.py:257
            with open(str(file), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2764edf482379d4 Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/cli_token_utils.py:28
        with open(token_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82c97bf4782f6a88 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/default_encoding.py:19
custom_cache_dir = os.getenv("CUSTOM_TIKTOKEN_CACHE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8deae79baea1d96b Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/default_encoding.py:27
os.environ["TIKTOKEN_CACHE_DIR"] = (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dc9bc215ded1e4a Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/env_utils.py:14
    raw = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f625dc8846e6d96d Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/get_blog_posts.py:54
        content = json.loads(files("litellm").joinpath("blog_posts.json").read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2171e90bfd3e2b2 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/get_blog_posts.py:131
        if os.getenv("LITELLM_LOCAL_BLOG_POSTS", "").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a5c139684ee43ad Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/get_model_cost_map.py:40
            files("litellm").joinpath("model_prices_and_context_window_backup.json").read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ae0399579a8bbf6 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/get_model_cost_map.py:251
    if os.getenv("LITELLM_LOCAL_MODEL_COST_MAP", "").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2711563d071bc264 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3392
                    os.environ.get("SENTRY_API_TRACE_RATE") if "SENTRY_API_TRACE_RATE" in os.environ else "1.0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9c382615f3c00ad Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3395
                    os.environ.get("SENTRY_API_SAMPLE_RATE") if "SENTRY_API_SAMPLE_RATE" in os.environ else "1.0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79d450f2077a5baf Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3398
                    dsn=os.environ.get("SENTRY_DSN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b16beba819a0ee76 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3403
                    environment=os.environ.get("SENTRY_ENVIRONMENT", "production"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a10e30d28cf0356 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3415
                    token=os.environ.get("SLACK_API_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #758cc3872f5c8853 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3416
                    signing_secret=os.environ.get("SLACK_API_SECRET"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #600dbab87378aec7 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3418
                alerts_channel = os.environ["SLACK_API_CHANNEL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da90a7c3dc5b74be Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3664
            os.environ["OTEL_EXPORTER_OTLP_TRACES_HEADERS"] = (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca88d02125cb382f Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3691
                os.environ["OTEL_EXPORTER_OTLP_TRACES_HEADERS"] = arize_phoenix_config.otlp_auth_headers

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49fc61632e9e1766 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3817
            if "LOGFIRE_TOKEN" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #215ed46e03ede45c Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3824
            logfire_base_url = os.getenv("LOGFIRE_BASE_URL", "https://logfire-api.pydantic.dev")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #474a2bfdf59906aa Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3828
                headers=f"Authorization={os.getenv('LOGFIRE_TOKEN')}",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #baeb06b782912cb6 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3878
            if "LANGTRACE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6c5b262d5cdf2f8 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:3893
            os.environ["OTEL_EXPORTER_OTLP_TRACES_HEADERS"] = f"api_key={os.getenv('LANGTRACE_API_KEY')}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d6c80b050da975d Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:4123
    if not any(os.environ.get(v) for v in phoenix_env_vars):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89b1dcc3a56f6846 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:4269
            if "ARIZE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #caced0fe3537e1fa Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:4275
            if "LOGFIRE_TOKEN" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #220bbdbc1f3e3753 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:4304
            if "LANGTRACE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #743fdf20eb8e4ec9 Environment-variable access.
pkgs/python/[email protected]/litellm/litellm_core_utils/litellm_logging.py:5351
    if os.getenv("LITELLM_PRINT_STANDARD_LOGGING_PAYLOAD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cad83f2b257b09f6 Filesystem access.
pkgs/python/[email protected]/litellm/litellm_core_utils/prompt_templates/common_utils.py:800
        with open(file_content, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80dfbd284ff71f80 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/anthropic/count_tokens/token_counter.py:60
            api_key = os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b9ae31f59940e1d Environment-variable access.
pkgs/python/[email protected]/litellm/llms/anthropic/experimental_pass_through/utils.py:10
    return litellm.reasoning_auto_summary or os.getenv("LITELLM_REASONING_AUTO_SUMMARY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8b10566d158c165 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:173
    azure_authority_host = os.getenv("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d3c0acc5b1a3027 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:174
    azure_client_id = azure_client_id or os.getenv("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acdef17e88ce0f8b Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:175
    azure_tenant_id = azure_tenant_id or os.getenv("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce6fc368083bd63f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:284
    tenant_id = litellm_params.get("tenant_id") or os.getenv("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b924eda3e673cd0f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:285
    client_id = litellm_params.get("client_id") or os.getenv("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8a5f4250e65de2d Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:286
    client_secret = litellm_params.get("client_secret") or os.getenv("AZURE_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93c74cdeca9acb05 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:287
    azure_username = litellm_params.get("azure_username") or os.getenv("AZURE_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a10fd4aa94c70589 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:288
    azure_password = litellm_params.get("azure_password") or os.getenv("AZURE_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9834d18ae5abdf49 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:289
    scope = litellm_params.get("azure_scope") or os.getenv(
        "AZURE_SCOPE", "https://cognitiveservices.azure.com/.default"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #455b428646a4dd41 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:575
            api_version = os.getenv("AZURE_API_VERSION", litellm.AZURE_DEFAULT_API_VERSION)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6a6290331550b44 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:626
        tenant_id = litellm_params.get("tenant_id", os.getenv("AZURE_TENANT_ID"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de56fbd5c6fe8303 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:627
        client_id = litellm_params.get("client_id", os.getenv("AZURE_CLIENT_ID"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df09b23e8a7f3ab0 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:630
            os.getenv("AZURE_SCOPE", "https://cognitiveservices.azure.com/.default"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5d234154f0c11fa Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure/common_utils.py:761
        return os.getenv(env_var_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c23352d826daa9b8 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure_ai/anthropic/count_tokens/token_counter.py:62
            api_key = os.getenv("AZURE_AI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50b90cf074f385c5 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/azure_ai/anthropic/count_tokens/token_counter.py:67
            api_base = os.getenv("AZURE_AI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a737b7db973a2ced Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:219
            value if value is not None else os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1de4dba3c199ae85 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:624
            or os.getenv("AWS_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90664bfde5d0f3fd Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:625
            or os.getenv("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f72398fd1b223b8a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:735
        current_role_arn = os.getenv("AWS_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95df0a7b954b09b8 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:736
        web_identity_token_file = os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ef68e14659f94a4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:812
        if aws_web_identity_token.startswith("os.environ/") or aws_web_identity_token in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21e1d512a3aa7a0e Filesystem access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:936
        with open(web_identity_token_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09f957cf8ad931f6 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:1067
        web_identity_token_file = os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a0fe41a93088344 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/base_aws_llm.py:1068
        irsa_role_arn = os.getenv("AWS_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18a04761e4f41b61 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/batches/transformation.py:107
        output_bucket = litellm_params.get("s3_output_bucket_name") or os.getenv("AWS_S3_OUTPUT_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4933e7da0ce105e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/batches/transformation.py:116
            or os.getenv("AWS_BATCH_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42a83bb1a4cb2389 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/common_utils.py:1512
            litellm_params.get("s3_bucket_name") or optional_params.get("s3_bucket_name") or os.getenv(bucket_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #277fd7b1c717f301 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/files/transformation.py:128
    bucket_name = bucket_name or os.getenv("AWS_S3_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ed824b38c027aca Filesystem access.
pkgs/python/[email protected]/litellm/llms/bedrock/files/transformation.py:199
            with open(str(file_content), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95c7e3ddbaad9653 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/bedrock/files/transformation.py:268
        bucket_name = litellm_params.get("s3_bucket_name") or os.getenv("AWS_S3_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #234f3b0ef5c65fe6 Filesystem access.
pkgs/python/[email protected]/litellm/llms/bedrock/files/transformation.py:1141
            with open(str(file_content), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #952718a417b33f9f Filesystem access.
pkgs/python/[email protected]/litellm/llms/bedrock/image_edit/amazon_nova_canvas_image_edit_transformation.py:145
        with open(image, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #749f4cce20ed8b17 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/authenticator.py:33
        self.token_dir = os.getenv(
            "CHATGPT_TOKEN_DIR",
            os.path.expanduser("~/.config/litellm/chatgpt"),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bae3969f675217f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/authenticator.py:37
        self.auth_file = os.path.join(self.token_dir, os.getenv("CHATGPT_AUTH_FILE", "auth.json"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ae8fd9539162ea7 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/authenticator.py:41
        return os.getenv("CHATGPT_API_BASE") or os.getenv("OPENAI_CHATGPT_API_BASE") or CHATGPT_API_BASE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29f3396cc574e719 Filesystem access.
pkgs/python/[email protected]/litellm/llms/chatgpt/authenticator.py:87
            with open(self.auth_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba9b52153c49f05e Filesystem access.
pkgs/python/[email protected]/litellm/llms/chatgpt/authenticator.py:97
            with open(self.auth_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a40f3008b16697e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:153
    term_program = os.getenv("TERM_PROGRAM")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbfa4bb1b99b1d48 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:155
        version = os.getenv("TERM_PROGRAM_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6383299b23e63b12 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:159
    wezterm_version = os.getenv("WEZTERM_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc4c963bd1f3e02e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:164
    if os.getenv("ITERM_SESSION_ID") or os.getenv("ITERM_PROFILE") or os.getenv("ITERM_PROFILE_NAME"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #360edc1f6c440af5 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:167
    if os.getenv("TERM_SESSION_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #387c8c5a9c06dc10 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:170
    if os.getenv("KITTY_WINDOW_ID") or "kitty" in (os.getenv("TERM") or ""):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15bd5409f9c4d942 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:173
    if os.getenv("ALACRITTY_SOCKET") or os.getenv("TERM") == "alacritty":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c724d3c03eab1856 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:176
    konsole_version = os.getenv("KONSOLE_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e4e22a18c76afd Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:181
    if os.getenv("GNOME_TERMINAL_SCREEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83019d05711d180a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:184
    vte_version = os.getenv("VTE_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40a27f87bbf8fe70 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:189
    if os.getenv("WT_SESSION"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc4eb88d630ff3f4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:192
    term = os.getenv("TERM")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa34dbf69f55e60e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:209
    originator = os.getenv("CHATGPT_ORIGINATOR") or DEFAULT_ORIGINATOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb4c8f49161ed864 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:214
    override = os.getenv("CHATGPT_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #909c346c721eb23f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:222
    suffix = os.getenv("CHATGPT_USER_AGENT_SUFFIX", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05d31abee4065d5 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/chatgpt/common_utils.py:250
    return os.getenv("CHATGPT_DEFAULT_INSTRUCTIONS") or CHATGPT_DEFAULT_INSTRUCTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4b59eea4dff11be Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/aiohttp_transport.py:352
        if not (litellm.disable_aiohttp_trust_env or str_to_bool(os.getenv("DISABLE_AIOHTTP_TRUST_ENV", "False"))):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7335840f1fb6491 Filesystem access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/container_handler.py:45
    with open(config_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7fbf3741eafad9f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:115
    user_agent = os.environ.get("LITELLM_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c668e33004900e08 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:258
        ssl_verify = os.getenv("SSL_VERIFY", litellm.ssl_verify)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b93b4e37d9aa020c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:273
        ssl_cert_file = os.getenv("SSL_CERT_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80732f841c9c66ca Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:315
    ssl_security_level = os.getenv("SSL_SECURITY_LEVEL", litellm.ssl_security_level)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d8aaf67da851868 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:316
    ssl_ecdh_curve = os.getenv("SSL_ECDH_CURVE", litellm.ssl_ecdh_curve)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b23a0d6136c1b0e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:322
        ssl_cert_file = os.getenv("SSL_CERT_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a0bc10b1f92dddf Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:541
        cert = os.getenv("SSL_CERTIFICATE", litellm.ssl_certificate)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b643b3b6485a3fa Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:941
            or str_to_bool(os.getenv("DISABLE_AIOHTTP_TRANSPORT", "False")) is True

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57f5194f04a4e3fd Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1001
        if str_to_bool(os.getenv("AIOHTTP_TRUST_ENV", "False")) is True:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea66fd77b18a7cc0 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/http_handler.py:1085
        cert = os.getenv("SSL_CERTIFICATE", litellm.ssl_certificate)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bfb74bafaadbf3c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/custom_httpx/httpx_handler.py:19
    user_agent = os.environ.get("LITELLM_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a23175867afc411 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/chat/transformation.py:167
            or os.getenv("LITELLM_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae60917a799289a4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/chat/transformation.py:168
            or os.getenv("DATABRICKS_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546a5f6322049f0a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/common_utils.py:335
        client_id = os.getenv("DATABRICKS_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f4570e047efe803 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/common_utils.py:336
        client_secret = os.getenv("DATABRICKS_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2dee20937cbbe45 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/common_utils.py:340
            api_base = os.getenv("DATABRICKS_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6732739b84036ac7 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/embed/handler.py:36
            or os.getenv("LITELLM_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8aa11c18f24eecf Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/embed/handler.py:37
            or os.getenv("DATABRICKS_USER_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4229f8482e17a341 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/responses/transformation.py:48
        api_key = litellm_params.api_key or os.getenv("DATABRICKS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #431366513973ca4c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/responses/transformation.py:49
        api_base = litellm_params.api_base or os.getenv("DATABRICKS_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a37b0b8658685749 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/databricks/responses/transformation.py:71
        api_base = api_base or os.getenv("DATABRICKS_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bda0526a5d397d04 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:31
        self.token_dir = os.getenv(
            "GITHUB_COPILOT_TOKEN_DIR",
            os.path.expanduser("~/.config/litellm/github_copilot"),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cd9ebf3ea94ece6 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:37
            os.getenv("GITHUB_COPILOT_ACCESS_TOKEN_FILE", "access-token"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dc897bd8919e1bd Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:39
        self.api_key_file = os.path.join(self.token_dir, os.getenv("GITHUB_COPILOT_API_KEY_FILE", "api-key.json"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4e3b46040520472 Filesystem access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:53
            with open(self.access_token_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #011b9f2ea667a6d4 Filesystem access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:65
                    with open(self.access_token_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e928b7d55c3e27d7 Filesystem access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:90
            with open(self.api_key_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c9918ea07dfdbf8 Filesystem access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:109
            with open(self.api_key_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5ea27c091cde9f9 Filesystem access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:139
            with open(self.api_key_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9082ea4c679c2710 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:160
        api_key_url = os.getenv("GITHUB_COPILOT_API_KEY_URL", DEFAULT_GITHUB_API_KEY_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2b1f02ed3cbeb04 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:228
            device_code_url = os.getenv("GITHUB_COPILOT_DEVICE_CODE_URL", DEFAULT_GITHUB_DEVICE_CODE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79b538d9943f7cff Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:229
            client_id = os.getenv("GITHUB_COPILOT_CLIENT_ID", DEFAULT_GITHUB_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e62384c65cb01bd5 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:282
        access_token_url = os.getenv("GITHUB_COPILOT_ACCESS_TOKEN_URL", DEFAULT_GITHUB_ACCESS_TOKEN_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34d1f222e3b8390c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/authenticator.py:283
        client_id = os.getenv("GITHUB_COPILOT_CLIENT_ID", DEFAULT_GITHUB_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbc83187722322cc Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/chat/transformation.py:42
            or os.getenv("GITHUB_COPILOT_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0aed7f296f274e4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/embedding/transformation.py:106
            or os.getenv("GITHUB_COPILOT_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfbfe31441b3f006 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/github_copilot/responses/transformation.py:256
            or os.getenv("GITHUB_COPILOT_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #214af2a713c824b1 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/heroku/chat/transformation.py:52
        api_base = api_base or os.getenv("HEROKU_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d21f7f7ee932b8e4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/heroku/chat/transformation.py:53
        api_key = api_key or os.getenv("HEROKU_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #465d9ce7622ed522 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/chat/transformation.py:80
            base_url = os.getenv("HF_API_BASE") or os.getenv("HUGGINGFACE_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d55d368ad1b70ff Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/chat/transformation.py:100
        elif os.getenv("HF_API_BASE") or os.getenv("HUGGINGFACE_API_BASE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e136b2708eb1b86a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/chat/transformation.py:101
            complete_url = str(os.getenv("HF_API_BASE")) or str(os.getenv("HUGGINGFACE_API_BASE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd8af6597af94c23 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:76
    if os.getenv("HUGGINGFACE_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91477c4a769baddd Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/common_utils.py:77
        headers["Authorization"] = f"Bearer {os.getenv('HUGGINGFACE_API_KEY')}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3ad9a87850b8f08 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/handler.py:329
        elif "HF_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3712c8e5ab13df8d Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/handler.py:330
            embed_url = os.getenv("HF_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1e4ab95e215d9ae Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/handler.py:331
        elif "HUGGINGFACE_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f12ae1c9c43dcea Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/handler.py:332
            embed_url = os.getenv("HUGGINGFACE_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6328df3e0a20134 Filesystem access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:160
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0111c5647cd159e2 Filesystem access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:174
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9ba9ce646d8c78c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:329
        elif "HF_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02f95a462ebc2234 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:330
            completion_url = os.getenv("HF_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae5d97f25f695472 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:331
        elif "HUGGINGFACE_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18678058e12a620e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/embedding/transformation.py:332
            completion_url = os.getenv("HUGGINGFACE_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29921e97d4041d44 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/rerank/transformation.py:56
        elif os.getenv("HF_API_BASE") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f753ca8b95377748 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/rerank/transformation.py:57
            return os.getenv("HF_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bf34fa747d17113 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/rerank/transformation.py:58
        elif os.getenv("HUGGINGFACE_API_BASE") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9bce173d421ff95 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/huggingface/rerank/transformation.py:59
            return os.getenv("HUGGINGFACE_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #911438a80ff9958d Filesystem access.
pkgs/python/[email protected]/litellm/llms/litellm_proxy/skills/sandbox_executor.py:102
                        with open(local_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29623828cb92db45 Filesystem access.
pkgs/python/[email protected]/litellm/llms/litellm_proxy/skills/sandbox_executor.py:260
                        with open(tmp_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77506bf035bd0f69 Filesystem access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:130
        with open(file_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #579052ce38aa81b6 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:166
        "oci_region": optional_params.get("oci_region") or os.environ.get(_OCI_REGION_ENV) or "us-ashburn-1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a1014d2e55bfee2 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:167
        "oci_user": optional_params.get("oci_user") or os.environ.get(_OCI_USER_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2927012206abbe47 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:168
        "oci_fingerprint": optional_params.get("oci_fingerprint") or os.environ.get(_OCI_FINGERPRINT_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc9e7d549ce0467a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:169
        "oci_tenancy": optional_params.get("oci_tenancy") or os.environ.get(_OCI_TENANCY_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55845bc1b43f9f64 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:170
        "oci_key": optional_params.get("oci_key") or os.environ.get(_OCI_KEY_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af04fb16972ed4ce Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:171
        "oci_key_file": optional_params.get("oci_key_file") or os.environ.get(_OCI_KEY_FILE_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #105776115e2d43d9 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/oci/common_utils.py:172
        "oci_compartment_id": optional_params.get("oci_compartment_id") or os.environ.get(_OCI_COMPARTMENT_ID_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01c34ccdfe6a1f04 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/ollama/common_utils.py:65
            or os.environ.get("OLLAMA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #219704a9da48aaa2 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/ollama/completion/transformation.py:216
            os.environ.get("OLLAMA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bae28b021789e544 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/chat/gpt_transformation.py:416
        resolved_api_base = api_base or litellm.api_base or os.getenv("OPENAI_BASE_URL") or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc80fcc07fd66b57 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/common_utils.py:259
        or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f313f96a546c9e5a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/common_utils.py:260
        or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a78debaa574a537d Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/common_utils.py:263
    resolved_organization = organization or litellm.organization or os.getenv("OPENAI_ORGANIZATION", None) or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a27ddffa4091ce3 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/common_utils.py:264
    resolved_api_key = api_key or litellm.api_key or litellm.openai_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c9a471381ec9953 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/openai/responses/count_tokens/token_counter.py:54
            api_key = os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d82d1abac672f9f5 Filesystem access.
pkgs/python/[email protected]/litellm/llms/openai_like/json_loader.py:47
            with open(json_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be025eba3dc69777 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/predibase/chat/transformation.py:324
        elif "PREDIBASE_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0b57cecd94eba1c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/predibase/chat/transformation.py:325
            base_url = os.getenv("PREDIBASE_API_BASE", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a489c4623e2eb541 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:30
    return os.getenv(HOME_PATH_ENV_VAR, DEFAULT_HOME_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ebf8cf3060d39fe Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:55
    raw = os.environ.get(var_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #298ba3bf82a1eec9 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:132
    profile = profile or os.environ.get(PROFILE_ENV_VAR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2b53b910dfd4e98 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:133
    cfg_env = os.getenv(CONFIG_FILE_ENV_VAR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33cc5cafda7a1513 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:250
    service_key = _parse_service_key_once(service_key or litellm.sap_service_key or os.environ.get(SERVICE_KEY_ENV_VAR))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #942a5d9dbe548242 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:261
            lambda cv: _str_or_none(os.environ.get(f"AICORE_{cv.name.upper()}")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89565e4dfc267b05 Filesystem access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:448
                with open(cert_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a99b3be255f0e049 Filesystem access.
pkgs/python/[email protected]/litellm/llms/sap/credentials.py:450
                with open(key_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40ef84bce7730f83 Filesystem access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/files/transformation.py:223
        with open(str(content), "rb") as handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9b9720a2ebdba42 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/files/transformation.py:357
            litellm_params.get("gcs_bucket_name") or litellm_params.get("bucket_name") or os.getenv("GCS_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d038c04daf99ef50 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_gemini_transformation.py:65
            or os.environ.get("VERTEXAI_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88808f9e62a2764f Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_gemini_transformation.py:73
            or os.environ.get("VERTEXAI_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66ab5b331ca53905 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_gemini_transformation.py:74
            or os.environ.get("VERTEX_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #257f3d2f858bb595 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_gemini_transformation.py:83
            or os.environ.get("VERTEXAI_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1db2c9f1230ca77 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_gemini_transformation.py:85
            or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b39f042119b484c7 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_imagen_transformation.py:73
            or os.environ.get("VERTEXAI_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a45610c5e0cf979 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_imagen_transformation.py:81
            or os.environ.get("VERTEXAI_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9d529557a9cbcb5 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_imagen_transformation.py:82
            or os.environ.get("VERTEX_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f108b88bc106457e Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_imagen_transformation.py:91
            or os.environ.get("VERTEXAI_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1a5a6a6bbbd87d8 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_edit/vertex_imagen_transformation.py:93
            or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cccaf4f872d99d59 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_gemini_transformation.py:108
            or os.environ.get("VERTEXAI_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b45b230a8d230d6b Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_gemini_transformation.py:116
            or os.environ.get("VERTEXAI_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b74aaa19881c1f9 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_gemini_transformation.py:117
            or os.environ.get("VERTEX_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20d2ae3db1bb0ef2 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_gemini_transformation.py:126
            or os.environ.get("VERTEXAI_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cdda965f41f5122 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_gemini_transformation.py:128
            or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67ce3cd34f08da8c Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_imagen_transformation.py:88
            or os.environ.get("VERTEXAI_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48c6f0adc89cfbbf Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_imagen_transformation.py:96
            or os.environ.get("VERTEXAI_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ad2271463c85574 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_imagen_transformation.py:97
            or os.environ.get("VERTEX_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca04ebb2d75bb1a6 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_imagen_transformation.py:106
            or os.environ.get("VERTEXAI_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #916531352ef4dd31 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/image_generation/vertex_imagen_transformation.py:108
            or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80158d1d0bd0c6e4 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:89
        self.gcs_bucket = self.vector_store_config.get("gcs_bucket") or os.environ.get("GCS_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64b1b89e763a90ff Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:127
        original_bucket = os.environ.get("GCS_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e19f45a5f36ec333 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:129
            os.environ["GCS_BUCKET_NAME"] = self.gcs_bucket

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35c946c918381043 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:157
                os.environ["GCS_BUCKET_NAME"] = original_bucket

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f1291cc7ab9d0a8 Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:158
            elif "GCS_BUCKET_NAME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3688e076e106b5a Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/rag_engine/ingestion.py:159
                del os.environ["GCS_BUCKET_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3ee09472ba13bbf Environment-variable access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/vertex_ai_non_gemini.py:145
                f"VERTEX AI: creds={creds}; google application credentials: {os.getenv('GOOGLE_APPLICATION_CREDENTIALS')}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86db736efc112805 Filesystem access.
pkgs/python/[email protected]/litellm/llms/vertex_ai/vertex_llm_base.py:114
                        with open(credentials) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85e9060a86f66313 Filesystem access.
pkgs/python/[email protected]/litellm/llms/xai/oauth.py:182
            with open(self.auth_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6598855c8fe9bc18 Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:2534
    api_key = api_key or litellm.anthropic_key or litellm.api_key or os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3f2877a7c8919c1 Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:2588
    api_key = api_key or litellm.anthropic_key or litellm.api_key or os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #771eda3c125ef606 Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:2889
        or os.environ.get("HF_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #981ca9773a2e4d5c Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:2890
        or os.environ.get("HUGGINGFACE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8bb80671c4bac32 Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:3042
        or os.getenv("DATABRICKS_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #380950c6856b973f Environment-variable access.
pkgs/python/[email protected]/litellm/main.py:4112
    api_key = api_key or litellm.ollama_key or os.environ.get("OLLAMA_API_KEY") or litellm.api_key

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19c076a7eabe68da Filesystem access.
pkgs/python/[email protected]/litellm/ocr/main.py:515
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8abb3da1d46a7e2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:75
    configured = os.environ.get("PROXY_BASE_URL", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbdd7cb48735e76c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:214
    raw = os.environ.get(_TRUSTED_REDIRECT_ORIGINS_ENV, "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89dab7129f6572dc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:272
    raw = os.environ.get(_TRUSTED_NATIVE_REDIRECT_URIS_ENV, "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ad087a8697176ba Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:470
        os.environ.get("PROXY_BASE_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80495a1505272e13 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:475
        os.environ.get(_TRUSTED_REDIRECT_ORIGINS_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #210eea3b68724dc9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/oauth_utils.py:476
        os.environ.get(_TRUSTED_NATIVE_REDIRECT_URIS_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f8b52aa3eef28ee Filesystem access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py:114
    with open(filepath, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #082c592dc8bbb7b9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/utils.py:33
LITELLM_MCP_SERVER_NAME = os.environ.get("LITELLM_MCP_SERVER_NAME", "litellm-mcp-server")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1c33b219306258f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/utils.py:35
LITELLM_MCP_SERVER_DESCRIPTION = os.environ.get("LITELLM_MCP_SERVER_DESCRIPTION", "MCP Server for LiteLLM")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20914f940c823f90 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/utils.py:36
MCP_TOOL_PREFIX_SEPARATOR = os.environ.get("MCP_TOOL_PREFIX_SEPARATOR", "-")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bd9c60a82758574 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/utils.py:86
    raw = os.environ.get("LITELLM_USE_SHORT_MCP_TOOL_PREFIX", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffdc44d065dc4914 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_experimental/mcp_server/utils.py:529
    base = os.environ.get("PROXY_BASE_URL", "").rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #092a50970b6e87ab Filesystem access.
pkgs/python/[email protected]/litellm/proxy/_lazy_openapi_snapshot.py:131
    SNAPSHOT_FILE.write_text(json.dumps(fragments, indent=2, sort_keys=True) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97b7ae46834a37bb Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/_logging.py:11
log_level = os.getenv("LITELLM_LOG", "INFO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cab722d190b0795a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/agent_endpoints/endpoints.py:136
AGENT_HEALTH_CHECK_TIMEOUT_SECONDS = float(os.environ.get("LITELLM_AGENT_HEALTH_CHECK_TIMEOUT", "5.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d7e8bf416252333 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/agent_endpoints/endpoints.py:137
AGENT_HEALTH_CHECK_GATHER_TIMEOUT_SECONDS = float(os.environ.get("LITELLM_AGENT_HEALTH_CHECK_GATHER_TIMEOUT", "30.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a2fe4010973705b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/auth_utils.py:1035
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46738506337117cd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/auth_utils.py:1036
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8ca77d59602a7e3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/auth_utils.py:1037
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fdd9afdb916d49b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/handle_jwt.py:679
        keys_url = os.getenv("JWT_PUBLIC_KEY_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feb70c4ba1bbc5f9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/handle_jwt.py:798
        audience = os.getenv("JWT_AUDIENCE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ea6796f36fd3a25 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/handle_jwt.py:799
        issuer = os.getenv("JWT_ISSUER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88bece25eeba29aa Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/litellm_license.py:28
        self.license_str = os.getenv("LITELLM_LICENSE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d795f81b16146322 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/auth/litellm_license.py:46
                with open(_path_to_public_key, "rb") as key_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbd00f9b62f2457d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/litellm_license.py:109
                self.license_str = os.getenv("LITELLM_LICENSE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7058c48c76405877 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:68
    ui_username = os.getenv("UI_USERNAME", "admin")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a83a9db0cec425b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:69
    ui_password = os.getenv("UI_PASSWORD", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6932bcefd891399 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:175
            os.getenv("PROXY_ADMIN_ID", None) is not None and os.environ["PROXY_ADMIN_ID"] == user_id

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a274add324748ae Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:178
            key_user_id = os.getenv("PROXY_ADMIN_ID", LITELLM_PROXY_ADMIN_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46b26088d8a78b51 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:193
        if os.getenv("DATABASE_URL") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e1a27bb1e6ab949 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/login_utils.py:268
            if os.getenv("DATABASE_URL") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c353606c194f310 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:139
        token_info_endpoint = os.getenv("OAUTH_TOKEN_INFO_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a613b9b8ad923b26 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:140
        user_id_field_name = os.environ.get("OAUTH_USER_ID_FIELD_NAME", "sub")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6308cd94de12654 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:141
        user_role_field_name = os.environ.get("OAUTH_USER_ROLE_FIELD_NAME", "role")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3150ccb9cbede824 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:142
        user_team_id_field_name = os.environ.get("OAUTH_USER_TEAM_ID_FIELD_NAME", "team_id")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27b2dfbfa615ec6a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:145
        oauth_client_id = os.environ.get("OAUTH_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3c6e7c501669ca4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/oauth2_check.py:146
        oauth_client_secret = os.environ.get("OAUTH_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccacb68eb765faf1 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:76
            oidc_token = open(aws_web_identity_token).read()  # check if filepath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #844d3047c8d1ff93 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:161
            aws_region_name=os.getenv("AWS_REGION_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da8a930692ee0388 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:162
            aws_access_key_id=os.getenv("AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69e74e132fe8e9de Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:163
            aws_secret_access_key=os.getenv("AWS_SECRET_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7888cb4489645480 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:164
            aws_session_name=os.getenv("AWS_SESSION_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a99e8d09a5827a3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:165
            aws_profile_name=os.getenv("AWS_PROFILE_NAME"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22d1f34e41d69527 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:166
            aws_role_name=os.getenv("AWS_ROLE_NAME", os.getenv("AWS_ROLE_ARN")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3eb895498dfb6de Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/auth/rds_iam_token.py:167
            aws_web_identity_token=os.getenv("AWS_WEB_IDENTITY_TOKEN", os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bf2f88d26ba7ecd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/agents.py:200
        base_env if base_env is not None else os.environ,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd0232e5209c6523 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/auth.py:30
    with open(token_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b757d2cdb6ae58fd Filesystem access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/auth.py:43
        with open(token_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f84196c08dcfd15a Filesystem access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/chat.py:275
        with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f8cc06832f91e76 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/chat.py:294
        with open(filename, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e18bdece7a69d508 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/client/cli/commands/models.py:368
    with open(yaml_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12d9c387f1b14009 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/common_utils/debug_utils.py:85
if os.environ.get("LITELLM_PROFILE", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69d5f0901920a2be Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/common_utils/debug_utils.py:759
            litellm_log_setting = os.environ.get("LITELLM_LOG", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb187aae7482978d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/common_utils/encrypt_decrypt_utils.py:11
    salt_key = os.getenv("LITELLM_SALT_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d87954adea850d6c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/common_utils/html_forms/ui_login.py:5
url_to_redirect_to = os.getenv("PROXY_BASE_URL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2991fa11440b16b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/common_utils/html_forms/ui_login.py:6
server_root_path = os.getenv("SERVER_ROOT_PATH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7a481b38cb6b4cf Filesystem access.
pkgs/python/[email protected]/litellm/proxy/common_utils/load_config_utils.py:108
        with open(local_file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78ba2701705c7c31 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/common_utils/load_config_utils.py:155
        with open(local_file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9501920911f41f98 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/common_utils/static_asset_utils.py:38
        with open(resolved, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec7f4c9f0c9b3b3a Filesystem access.
pkgs/python/[email protected]/litellm/proxy/container_endpoints/handler_factory.py:31
    with open(config_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fd0a044b8cd0b55 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/check_migration.py:95
        db_url = os.getenv("DATABASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb6f6664f65b3e69 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/db_spend_update_writer.py:729
        spend_logs_url: Optional[str] = os.getenv("SPEND_LOGS_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7faec72e584d38d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/db_url_settings.py:285
            os.environ["DATABASE_URL"] = writer_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd3fc439ef86727c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/db_url_settings.py:289
                os.environ[_IAM_ENV_KEY] = "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5dfd49798ca47b5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/db_url_settings.py:294
            os.environ["DATABASE_URL_READ_REPLICA"] = reader_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a71de19847dcffd1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/dynamo_db.py:68
        os.environ["AWS_ACCESS_KEY_ID"] = aws_access_key_id

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06c1d42c10a599ed Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/dynamo_db.py:69
        os.environ["AWS_SECRET_ACCESS_KEY"] = aws_secret_access_key

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #695cde2d43781e3e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/dynamo_db.py:70
        os.environ["AWS_SESSION_TOKEN"] = aws_session_token

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4108049187f252c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:250
        db_url = os.getenv(self._db_url_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e8a7ce4c42694fc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:305
            db_host = os.getenv("DATABASE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a619a4f2a9a3b1b9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:309
            db_port = os.getenv("DATABASE_PORT", "5432")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f98febdd6a806f4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:310
            db_user = os.getenv("DATABASE_USER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c66c05d9c258029 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:311
            db_name = os.getenv("DATABASE_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f09b2e07fbfe40f1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:312
            db_schema = os.getenv("DATABASE_SCHEMA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf7d2e69bf923979 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:320
        os.environ[self._db_url_env_var] = _db_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b6f56e7445e6ad8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:514
            if self._token_refresh_not_needed(os.getenv(self._db_url_env_var)):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7abedecd0ee7190 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:577
            db_url = os.getenv(self._db_url_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8393664cc6605373 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/prisma_client.py:705
        disable_updates = os.getenv("DISABLE_SCHEMA_UPDATE", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c156faedf723394f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/db/routing_prisma_wrapper.py:200
        reader_url = os.getenv("DATABASE_URL_READ_REPLICA", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c033c3d33b9e3e1d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/discovery_endpoints/ui_discovery_endpoints.py:22
        os.getenv("AUTO_REDIRECT_UI_LOGIN_TO_SSO", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f34cee6c2df38373 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/discovery_endpoints/ui_discovery_endpoints.py:25
    admin_ui_disabled = os.getenv("DISABLE_ADMIN_UI", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cf3b1998a6350f6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/discovery_endpoints/ui_discovery_endpoints.py:27
        os.getenv("LITELLM_HIDE_DEFAULT_CREDENTIALS_HINT", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5f6c76897b6f8d7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/example_config_yaml/custom_auth.py:10
        modified_master_key = f"{os.getenv('LITELLM_MASTER_KEY')}-1234"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea1ccd926c27a23d Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_endpoints.py:1371
        with open(category_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2af8389d79fefbe5 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_endpoints.py:1406
        with open(airlines_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd92808ec8e9b73c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/aim/aim.py:53
        self.api_key = api_key or os.environ.get("AIM_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8116fde760e0fe1c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/aim/aim.py:60
        self.api_base = api_base or os.environ.get("AIM_API_BASE") or "https://api.aim.security"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9318b43dd68697c2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/akto/akto.py:80
        self.akto_base_url = (akto_base_url or os.environ.get("AKTO_GUARDRAIL_API_BASE", "")).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9027ac1712e725b4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/akto/akto.py:84
        self.akto_api_key = akto_api_key or os.environ.get("AKTO_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7139409f2aba7584 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/akto/akto.py:90
        self.akto_account_id = akto_account_id or os.environ.get("AKTO_ACCOUNT_ID", "1000000")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3230313ae1d36ebd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/akto/akto.py:91
        self.akto_vxlan_id = akto_vxlan_id or os.environ.get("AKTO_VXLAN_ID", "0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1e6ce91f57c2160 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/aporia_ai/aporia_ai.py:42
        self.aporia_api_key = api_key or os.environ["APORIO_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9c5d94a1ac3dd6c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/aporia_ai/aporia_ai.py:43
        self.aporia_api_base = api_base or os.environ["APORIO_API_BASE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ef23283942c6e90 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cato_networks/cato_networks.py:58
        self.api_key = api_key or os.environ.get("CATO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f457e2ad8ca6e6b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cato_networks/cato_networks.py:65
        self.api_base = api_base or os.environ.get("CATO_API_BASE") or "https://api.aisec.catonetworks.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13d0f614e6a8b982 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cisco_ai_defense/cisco_ai_defense.py:159
        resolved_api_key = api_key or os.environ.get("CISCO_AI_DEFENSE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dc83ec895b928cd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cisco_ai_defense/cisco_ai_defense.py:168
        self.api_base: str = (api_base or os.environ.get("CISCO_AI_DEFENSE_API_BASE") or CISCO_DEFAULT_API_BASE).rstrip(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3a68ae6e94839b4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cisco_ai_defense/cisco_ai_defense.py:220
            env_timeout = os.environ.get("CISCO_AI_DEFENSE_TIMEOUT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e13aadab7da28aa Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/cisco_ai_defense/cisco_ai_defense.py:269
        candidate = value if value is not None else os.environ.get(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c18204d1821b53b5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py:136
        self.api_key = api_key or os.environ.get("CS_AIDR_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #526565fc02c21558 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/crowdstrike_aidr/crowdstrike_aidr.py:142
        self.api_base = api_base or os.environ.get("CS_AIDR_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89727c18628d6cb1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/dynamoai/dynamoai.py:54
        self.api_key = api_key or os.getenv("DYNAMOAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b3d7de86391e9ff Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/dynamoai/dynamoai.py:60
        self.api_base = api_base or os.getenv("DYNAMOAI_API_BASE", "https://api.dynamo.ai")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04d093fea329697e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/dynamoai/dynamoai.py:64
        self.model_id = model_id or os.getenv("DYNAMOAI_MODEL_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b17fc96d14746f24 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/dynamoai/dynamoai.py:67
        env_policy_ids = os.getenv("DYNAMOAI_POLICY_IDS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #243fb7fbbaf77cfb Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/enkryptai/enkryptai.py:65
        self.api_key = api_key or os.getenv("ENKRYPTAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94d396b45bbf095c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/enkryptai/enkryptai.py:71
        self.api_base = api_base or os.getenv("ENKRYPTAI_API_BASE", "https://api.enkryptai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #431ae6a1bbda5f27 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/generic_guardrail_api/generic_guardrail_api.py:191
        base_url = api_base or os.environ.get("GENERIC_GUARDRAIL_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c54073f59b0f9f9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/grayswan/grayswan.py:82
        api_key_value = api_key or os.getenv("GRAYSWAN_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f76c61b63df8dd8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/grayswan/grayswan.py:89
        base = api_base or os.getenv("GRAYSWAN_API_BASE") or self.BASE_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72cc2034fc9d4fa2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/grayswan/grayswan.py:607
        env_val = os.getenv("GRAYSWAN_VIOLATION_THRESHOLD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a64bc87d04f0740 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/grayswan/grayswan.py:618
        env_val = os.getenv("GRAYSWAN_REASONING_MODE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #878eabd31a268ba1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/guardrails_ai/guardrails_ai.py:73
        self.guardrails_ai_api_base = api_base or os.getenv("GUARDRAILS_AI_API_BASE") or "http://0.0.0.0:8000"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51eb8615012e455f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:74
        self.hiddenlayer_client_id = api_id or os.getenv("HIDDENLAYER_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7462704e63192938 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:75
        self.hiddenlayer_client_secret = api_key or os.getenv("HIDDENLAYER_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02274c0405ec70f0 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:76
        self.api_base = api_base or os.getenv("HIDDENLAYER_API_BASE") or "https://api.hiddenlayer.ai"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbedb8eb137677be Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:79
        auth_url = auth_url or os.getenv("HIDDENLAYER_AUTH_URL") or "https://auth.hiddenlayer.ai"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df2a74863873c9dd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:278
        self.hiddenlayer_client_id = api_id or os.getenv("HIDDENLAYER_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d76416eab65c8105 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:279
        self.hiddenlayer_client_secret = api_key or os.getenv("HIDDENLAYER_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fe3d3da293ce2cf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:280
        self.api_base = api_base or os.getenv("HIDDENLAYER_API_BASE") or "https://api.hiddenlayer.ai"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56426e875ac83fa5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/hiddenlayer/hiddenlayer.py:283
        auth_url = auth_url or os.getenv("HIDDENLAYER_AUTH_URL") or "https://auth.hiddenlayer.ai"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #379044215c5b65cc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ibm_guardrails/ibm_detector.py:55
        self.auth_token = auth_token or os.getenv("IBM_GUARDRAILS_AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd2b13b2d323f0ae Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lakera_ai.py:58
        self.lakera_api_key = api_key or os.environ.get("LAKERA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3abe363dcb27f0d3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lakera_ai_v2.py:63
        self.lakera_api_key = api_key or os.environ.get("LAKERA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c431883f975d9e79 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lasso/lasso.py:107
        self.lasso_api_key = lasso_api_key or api_key or os.environ.get("LASSO_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2da72e36b0420203 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lasso/lasso.py:108
        self.user_id = user_id or os.environ.get("LASSO_USER_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88b07ccc74f5c966 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lasso/lasso.py:109
        self.conversation_id = conversation_id or os.environ.get("LASSO_CONVERSATION_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef287886cd02f2e6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/lasso/lasso.py:118
        self.api_base = api_base or os.getenv("LASSO_API_BASE") or "https://server.lasso.security/gateway/v3"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a95a3e1329a4b87 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/competitor_intent/airline.py:126
        with open(_MAJOR_AIRLINES_PATH, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb9cb2da06a566c8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py:357
        allow_external = os.environ.get("LITELLM_CONTENT_FILTER_ALLOW_EXTERNAL_PATHS", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89fc7e4a7a07d94f Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py:613
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e1bdaf96f7f4cf1 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py:639
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce85720a22867340 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/content_filter.py:739
            with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f01576048884124e Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/guardrail_benchmarks/test_eval.py:40
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #961bfe714ca3159b Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/guardrail_benchmarks/test_eval.py:147
    with open(result_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32d8df5f08e32012 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/guardrail_benchmarks/test_eval.py:556
    not os.environ.get("OPENAI_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f5ac9a258459f40 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/guardrail_benchmarks/test_eval.py:575
    not os.environ.get("ANTHROPIC_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df41a68f9711dc86 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/patterns.py:18
    with open(json_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbccc91aa223926f Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/litellm_content_filter/patterns.py:151
                with open(category_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1adb24931b86735 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:109
    key_material = os.environ.get(env_var, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a024e3c7d6199af1 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:114
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a313da7ca1a343c7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:246
        key_material = os.environ.get(self.SIGNING_KEY_ENV)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7944eff8e619470 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:264
            issuer or os.environ.get("MCP_JWT_ISSUER") or os.environ.get("LITELLM_EXTERNAL_URL") or "litellm"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ac71c67560ee5e4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:266
        self.audience: str = audience or os.environ.get("MCP_JWT_AUDIENCE") or self.DEFAULT_AUDIENCE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce44af20c366da9d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/mcp_jwt_signer/mcp_jwt_signer.py:268
            ttl_seconds if ttl_seconds is not None else os.environ.get("MCP_JWT_TTL_SECONDS", str(self.DEFAULT_TTL))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90ace861f3d7e50c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:130
        self.api_key = api_key or os.environ.get("NOMA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5621c5eb861df0a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:131
        self.api_base = api_base or os.environ.get("NOMA_API_BASE", NomaGuardrail._DEFAULT_API_BASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3ca4c8633a79b1a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:132
        self.application_id = application_id or os.environ.get("NOMA_APPLICATION_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #debce7c832ebab3e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:136
            self.monitor_mode = os.environ.get("NOMA_MONITOR_MODE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aab302bf9bf86624 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:141
            self.block_failures = os.environ.get("NOMA_BLOCK_FAILURES", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43900f65b2ed0b51 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma.py:146
            self.anonymize_input = os.environ.get("NOMA_ANONYMIZE_INPUT", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7e0099bd2e5da6b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma_v2.py:58
        self.api_key = api_key or os.environ.get("NOMA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d6763c40e0b7054 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma_v2.py:59
        self.api_base = (api_base or os.environ.get("NOMA_API_BASE") or _DEFAULT_API_BASE).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a47e1af9f53326b6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma_v2.py:60
        self.application_id = application_id or os.environ.get("NOMA_APPLICATION_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfbe55c9cb32b680 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma_v2.py:62
            self.monitor_mode = os.environ.get("NOMA_MONITOR_MODE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #434dc93a17bbcbb5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/noma/noma_v2.py:67
            self.block_failures = os.environ.get("NOMA_BLOCK_FAILURES", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1eb7dc254a23f359 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:38
        timeout = timeout or int(os.getenv("ONYX_TIMEOUT", 10.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fac588875c0e3f40 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:43
        self.api_base = api_base or os.getenv(
            "ONYX_API_BASE",
            "https://ai-guard.onyx.security",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efa1f47ef7e339ad Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/onyx/onyx.py:47
        self.api_key = api_key or os.getenv("ONYX_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ec414a0d56c27ce Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/openai/moderations.py:112
            os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68f199b833840554 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:78
        self._tracker_api_base = tracker_api_base or os.environ.get("OVALIX_TRACKER_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f84578415852bc4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:79
        self._tracker_api_key = tracker_api_key or os.environ.get("OVALIX_TRACKER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60c5e6c522496de2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:80
        self._application_id = application_id or os.environ.get("OVALIX_APPLICATION_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c98b8fdb2df0f4b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:81
        self._pre_checkpoint_id = pre_checkpoint_id or os.environ.get("OVALIX_PRE_CHECKPOINT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57b0e841c8d379b4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/ovalix/ovalix.py:82
        self._post_checkpoint_id = post_checkpoint_id or os.environ.get("OVALIX_POST_CHECKPOINT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #296576069b525be3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pangea/pangea.py:81
        self.api_key = api_key or os.environ.get("PANGEA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d8804a459418b48 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pangea/pangea.py:88
        self.api_base = api_base or os.environ.get("PANGEA_API_BASE") or "https://ai-guard.aws.us.pangea.cloud"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2435104034c24d9e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/panw_prisma_airs/panw_prisma_airs.py:112
        self.api_key = api_key or os.getenv("PANW_PRISMA_AIRS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aba529266e44e4d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/panw_prisma_airs/panw_prisma_airs.py:114
            api_base or os.getenv("PANW_PRISMA_AIRS_API_BASE") or "https://service.api.aisecurity.paloaltonetworks.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56d5b662cc6a77e2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:199
        self.api_key = api_key or os.environ.get("PILLAR_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86c894160e14b79c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:208
        self.api_base = api_base or os.getenv("PILLAR_API_BASE") or self.BASE_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3119da70c706d82a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:211
        action = on_flagged_action or os.environ.get("PILLAR_ON_FLAGGED_ACTION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3c5809b285222e5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:247
        action = fallback_on_error or os.environ.get("PILLAR_FALLBACK_ON_ERROR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1f7793199f798d4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:264
                self.timeout = float(os.environ.get("PILLAR_TIMEOUT", str(self.DEFAULT_TIMEOUT)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fb1c44e7f4405dc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:267
                    f"Pillar Guardrail: Invalid PILLAR_TIMEOUT value '{os.environ.get('PILLAR_TIMEOUT')}', "

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72c90a6c9954e4c7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/pillar/pillar.py:585
            env_value = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27db293df6a9c9aa Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/presidio.py:129
                with open(ad_hoc_recognizers, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87b21ed0afe45c63 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/prompt_security/prompt_security.py:39
        self.api_key = api_key or os.environ.get("PROMPT_SECURITY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58599d0985db1351 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/prompt_security/prompt_security.py:40
        self.api_base = api_base or os.environ.get("PROMPT_SECURITY_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b55cfcb154042f06 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/prompt_security/prompt_security.py:41
        self.user = user or os.environ.get("PROMPT_SECURITY_USER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #975ce5bc620422f6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/prompt_security/prompt_security.py:42
        self.system_prompt = system_prompt or os.environ.get("PROMPT_SECURITY_SYSTEM_PROMPT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9ff7f791ad0f580 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/prompt_security/prompt_security.py:48
            check_tool_results_env = os.environ.get("PROMPT_SECURITY_CHECK_TOOL_RESULTS", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3c2b91dde27d4c5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/promptguard/promptguard.py:57
        self.api_key = api_key or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a28f833aea3cf984 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/promptguard/promptguard.py:57
        self.api_key = api_key or os.environ.get(
            "PROMPTGUARD_API_KEY",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4446bf0fc78bb0a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/promptguard/promptguard.py:68
        self.api_base = (api_base or os.environ.get("PROMPTGUARD_API_BASE") or _DEFAULT_API_BASE).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0236a214d3659866 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/promptguard/promptguard.py:71
            env = os.environ.get("PROMPTGUARD_BLOCK_ON_ERROR", "true")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2309911fbd93cca2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/qohash/qohash.py:29
        api_base = api_base or os.environ.get("QOSTODIAN_NEXUS_API_BASE", "http://nexus:8800")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e6b5b2c9d16c350 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/qualifire/qualifire.py:65
        self.qualifire_api_key = api_key or get_secret_str("QUALIFIRE_API_KEY") or os.environ.get("QUALIFIRE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ac734bf3cdc925c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/qualifire/qualifire.py:69
            or os.environ.get("QUALIFIRE_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57442abd5ef53eed Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/semantic_guard/route_loader.py:38
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c0f71fe1356cb31 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/semantic_guard/route_loader.py:56
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65a12d1d578cada3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/xecguard/xecguard.py:92
        self.api_key = api_key or os.environ.get("XECGUARD_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #407fbab612973ba8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/xecguard/xecguard.py:101
        self.api_base = (api_base or os.environ.get("XECGUARD_API_BASE") or _DEFAULT_API_BASE).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc07599eca71d807 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/xecguard/xecguard.py:107
            env = os.environ.get("XECGUARD_BLOCK_ON_ERROR", "true")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9956868892e367e2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:41
        self.zscaler_ai_guard_url = api_base or os.getenv(
            "ZSCALER_AI_GUARD_URL",
            "https://api.us1.zseclipse.net/v1/detection/execute-policy",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0ac8f09d9c7c927 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:45
        self.policy_id = policy_id if policy_id is not None else int(os.getenv("ZSCALER_AI_GUARD_POLICY_ID", -1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a81c85cf615431b7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:46
        self.api_key = api_key or os.getenv("ZSCALER_AI_GUARD_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e626929d25bf926 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:50
            else os.getenv("SEND_USER_API_KEY_ALIAS", "False").lower() in ("true", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee6f77427bdae10e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:55
            else os.getenv("SEND_USER_API_KEY_USER_ID", "False").lower() in ("true", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebfa04a8ba80ebe5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/guardrails/guardrail_hooks/zscaler_ai_guard/zscaler_ai_guard.py:60
            else os.getenv("SEND_USER_API_KEY_TEAM_ID", "False").lower() in ("true", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #587550dc60b0d416 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/health_endpoints/_health_endpoints.py:414
                user_email=os.getenv("TEST_EMAIL_ADDRESS"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1be620f0935baba Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/health_endpoints/_health_endpoints.py:1504
    env_token = os.getenv("DRAIN_ENDPOINT_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daacd3cb8debf158 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/__init__.py:31
if os.getenv("LEGACY_MULTI_INSTANCE_RATE_LIMITING", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8a36cecff0694b1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/dynamic_rate_limiter.py:114
                if os.getenv("LITELLM_LICENSE", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b2bef13b994df6b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/dynamic_rate_limiter_v3.py:120
            if os.getenv("LITELLM_LICENSE", None) is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #446b6e79fd426c0c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/max_budget_per_session_limiter.py:71
            os.getenv(
                "LITELLM_MAX_BUDGET_PER_SESSION_TTL",
                DEFAULT_MAX_BUDGET_PER_SESSION_TTL,
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc1da434b8b6fc69 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/max_iterations_limiter.py:73
        self.ttl = int(os.getenv("LITELLM_MAX_ITERATIONS_TTL", DEFAULT_MAX_ITERATIONS_TTL))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a1196662a69fbd3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/parallel_request_limiter_v3.py:308
        self.window_size = int(os.getenv("LITELLM_RATE_LIMIT_WINDOW_SIZE", 60))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17ec726d0f7dd5bf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/parallel_request_limiter_v3.py:314
        self.tpm_reservation_enabled = os.getenv("LITELLM_TPM_TOKEN_RESERVATION_ENABLED", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #442a190320440e2c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/responses_id_security.py:166
        salt_key = os.getenv("LITELLM_SALT_KEY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3f636d92759e42f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/hooks/sensitive_data_routing.py:46
            os.getenv(
                "LITELLM_SENSITIVE_ROUTING_TTL",
                str(DEFAULT_SENSITIVE_ROUTING_TTL),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5732a1d1c7318dc1 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/callback_management_endpoints.py:52
    with open(config_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e7ac09673e25946 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/config_override_endpoints.py:153
        env_value = os.environ.get(env_var_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3991a6aff409944c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/config_override_endpoints.py:195
            os.environ[env_var_name] = str(value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90e58e7f4e67ddbc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/config_override_endpoints.py:197
            os.environ.pop(env_var_name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af4f00bd51165582 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/key_management_endpoints.py:4128
    grace_period_value = grace_period or os.getenv("LITELLM_KEY_ROTATION_GRACE_PERIOD", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be37fcf085c1e29c Filesystem access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/mcp_management_endpoints.py:2390
            with open(_MCP_REGISTRY_PATH, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0da8993faada876b Filesystem access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/mcp_management_endpoints.py:2460
        with open(_OPENAPI_REGISTRY_PATH, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b13d50247de0bd50 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/policy_endpoints/endpoints.py:616
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbc9ed222caa6de5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/policy_endpoints/endpoints.py:636
    use_local = os.getenv("LITELLM_LOCAL_POLICY_TEMPLATES", "").strip().lower() in (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8921afe12d7f02c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/sso/custom_microsoft_sso.py:59
        custom_authorization_endpoint = os.getenv("MICROSOFT_AUTHORIZATION_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e547e02b69af25a6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/sso/custom_microsoft_sso.py:60
        custom_token_endpoint = os.getenv("MICROSOFT_TOKEN_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a87116739204f02 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/sso/custom_microsoft_sso.py:61
        custom_userinfo_endpoint = os.getenv("MICROSOFT_USERINFO_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06702d05152857af Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:803
                generic_user_role_attribute_name = os.getenv("GENERIC_USER_ROLE_ATTRIBUTE", "role")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b5763b61d573f91 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:845
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3bb214addc1fa4e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:846
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d42da3a803a14a04 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:847
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1619365a03b3350 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:850
    _disable_ui_flag = os.getenv("DISABLE_ADMIN_UI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #242ec9bd5909ce53 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:945
        os.getenv("LITELLM_HIDE_DEFAULT_CREDENTIALS_HINT", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a6706bacae0c640 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:964
    generic_user_id_attribute_name = os.getenv("GENERIC_USER_ID_ATTRIBUTE", "preferred_username")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6de5783cbdcb035 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:965
    generic_user_display_name_attribute_name = os.getenv("GENERIC_USER_DISPLAY_NAME_ATTRIBUTE", "sub")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e84d5a7f839a9a9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:966
    generic_user_email_attribute_name = os.getenv("GENERIC_USER_EMAIL_ATTRIBUTE", "email")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3dcdf8aa0cd72b9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:968
    generic_user_first_name_attribute_name = os.getenv("GENERIC_USER_FIRST_NAME_ATTRIBUTE", "first_name")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81ca87a1a7916182 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:969
    generic_user_last_name_attribute_name = os.getenv("GENERIC_USER_LAST_NAME_ATTRIBUTE", "last_name")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d1512f10a576ed7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:971
    generic_provider_attribute_name = os.getenv("GENERIC_USER_PROVIDER_ATTRIBUTE", "provider")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2024fa5d32493295 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:973
    generic_user_role_attribute_name = os.getenv("GENERIC_USER_ROLE_ATTRIBUTE", "role")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfeaf35512991767 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:975
    generic_user_extra_attributes = os.getenv("GENERIC_USER_EXTRA_ATTRIBUTES", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4ca5927aecd238a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1072
    generic_client_secret = os.getenv("GENERIC_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1755ad9db21acbe Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1073
    generic_scope = os.getenv("GENERIC_SCOPE", "openid email profile").split(" ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a91fd92c823c0036 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1074
    generic_authorization_endpoint = os.getenv("GENERIC_AUTHORIZATION_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eec05a48c6879dd2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1075
    generic_token_endpoint = os.getenv("GENERIC_TOKEN_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa20072cac00e8e4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1076
    generic_userinfo_endpoint = os.getenv("GENERIC_USERINFO_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #049f4e66e1ad0ff6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1077
    generic_include_client_id = os.getenv("GENERIC_INCLUDE_CLIENT_ID", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8234c95949a95718 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1187
    generic_role_mappings = os.getenv("GENERIC_ROLE_MAPPINGS_ROLES", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2324163a9d5b2887 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1188
    generic_role_mappings_group_claim = os.getenv("GENERIC_ROLE_MAPPINGS_GROUP_CLAIM", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca4fdc54fb62b8e7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1189
    generic_role_mappings_default_role = os.getenv("GENERIC_ROLE_MAPPINGS_DEFAULT_ROLE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b01344a1de39a197 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1220
    raw = os.getenv("GENERIC_SSO_HEADERS", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8817bf55f05bc32c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1244
    pkce_configured = os.getenv("GENERIC_CLIENT_USE_PKCE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bed3b68eaebd09b3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1728
    proxy_admin_id = os.getenv("PROXY_ADMIN_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff4c91cf64597bdc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1777
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6717336bd0490cd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1778
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3d3dc12ca607387 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:1779
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59fa086096c03391 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2010
            generic_client_id=os.getenv("GENERIC_CLIENT_ID", None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #760f115db99ffeb3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2279
    _proxy_base_url = os.getenv("PROXY_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b941bb9ea29aa374 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2280
    _logout_url = os.getenv("PROXY_LOGOUT_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76cbcc5991864b48 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2281
    _api_doc_base_url = os.getenv("LITELLM_UI_API_DOC_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #762b1888dd70ed92 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2287
    if "PROXY_DEFAULT_TEAM_DISABLED" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf6b19fc12eaf692 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2288
        if os.environ["PROXY_DEFAULT_TEAM_DISABLED"].lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee7f99ebc27a0d37 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2312
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a00aa9a4f60352e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2313
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc6a995d505c1f20 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2314
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ced61cbbaacd9109 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2337
        google_client_secret = os.getenv("GOOGLE_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #709830fb860e769d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2342
        microsoft_client_secret = os.getenv("MICROSOFT_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f07d01656f35a078 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2343
        microsoft_tenant = os.getenv("MICROSOFT_TENANT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a2f5926f3529901 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2350
        generic_client_secret = os.getenv("GENERIC_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70f779318d4d0183 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2351
        generic_authorization_endpoint = os.getenv("GENERIC_AUTHORIZATION_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1371b2ea81d68f2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2352
        generic_token_endpoint = os.getenv("GENERIC_TOKEN_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e0f6cb98ffed366 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2353
        generic_userinfo_endpoint = os.getenv("GENERIC_USERINFO_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8d6c205c9af125b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2448
            google_client_secret = os.getenv("GOOGLE_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cfc3717ddf50cbc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2468
            microsoft_client_secret = os.getenv("MICROSOFT_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad819389755de3e9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2469
            microsoft_tenant = os.getenv("MICROSOFT_TENANT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b3c3d4513ee11b8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2490
            generic_client_secret = os.getenv("GENERIC_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0682523b928a5b3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2491
            generic_scope = os.getenv("GENERIC_SCOPE", "openid email profile").split(" ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #917ea4243065a725 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2492
            generic_authorization_endpoint = os.getenv("GENERIC_AUTHORIZATION_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0fadd28194bc155 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2493
            generic_token_endpoint = os.getenv("GENERIC_TOKEN_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31c60ff17d463771 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2494
            generic_userinfo_endpoint = os.getenv("GENERIC_USERINFO_ENDPOINT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #640ba808baec2efd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2697
            generic_client_state = os.getenv("GENERIC_CLIENT_STATE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c11067b5f40b3df Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2705
        use_pkce = os.getenv("GENERIC_CLIENT_USE_PKCE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #901bbdbbfd00b7b5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2962
        if user_email is not None and os.getenv("ALLOWED_EMAIL_DOMAINS") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9443fac6326bca75 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2964
            allowed_domains = os.getenv("ALLOWED_EMAIL_DOMAINS").split(",")  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #272e937034f488af Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:2985
            generic_user_role_attribute_name = os.getenv("GENERIC_USER_ROLE_ATTRIBUTE", "role")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e729a9b60b19279 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:3238
        use_pkce = os.getenv("GENERIC_CLIENT_USE_PKCE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2c34c7c7f38bb02 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:3326
        strict_cache_miss = os.getenv("PKCE_STRICT_CACHE_MISS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #089acf06e9a3d78e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:3760
        microsoft_client_secret = os.getenv("MICROSOFT_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfb5ac48462ccbe9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:3761
        microsoft_tenant = os.getenv("MICROSOFT_TENANT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c6daea4be13fa8f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:3903
            service_principal_id = os.getenv("MICROSOFT_SERVICE_PRINCIPAL_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bee8b867087a403 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4081
        google_client_secret = os.getenv("GOOGLE_CLIENT_SECRET", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #997066b2073628a9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4118
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6196cae556a6c23 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4119
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a742394b335b3e5d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4120
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b247278b38867b20 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4187
    microsoft_client_id = os.getenv("MICROSOFT_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae4222c69b572d34 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4188
    google_client_id = os.getenv("GOOGLE_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bedacca78477de7c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4189
    generic_client_id = os.getenv("GENERIC_CLIENT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16ad7492baf7a377 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/management_endpoints/ui_sso.py:4191
    redirect_url = os.getenv("PROXY_BASE_URL", str(request.base_url))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc000a09c83d458d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/middleware/in_flight_requests_middleware.py:65
            if "PROMETHEUS_MULTIPROC_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8115e056b47ff6f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/middleware/security_headers_middleware.py:29
    return os.getenv("LITELLM_ENABLE_HSTS", "false").strip().lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dec1f24058bddbfd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:196
    base_target_url = os.getenv("GEMINI_API_BASE") or "https://generativelanguage.googleapis.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e0603b611d1f467 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:259
    base_target_url = os.getenv("COHERE_API_BASE") or "https://api.cohere.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c45c1521033212c8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:382
    base_target_url = os.getenv("MISTRAL_API_BASE") or "https://api.mistral.ai"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #654052540c0cfd3f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:573
    base_target_url = os.getenv("ANTHROPIC_API_BASE") or os.getenv("ANTHROPIC_BASE_URL") or "https://api.anthropic.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1eff33479346995 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:1909
    base_target_url = os.getenv("OPENAI_API_BASE") or "https://api.openai.com/"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a170eac0eaf4b83 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/pass_through_endpoints/llm_passthrough_endpoints.py:2061
    base_target_url = os.getenv("CURSOR_API_BASE") or "https://api.cursor.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8ffba8a070f2c84 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/plugin_routes.py:133
    salt = os.getenv("LITELLM_SALT_KEY", "").encode()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #371ac054ef8ae43c Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/plugin_routes.py:232
    if not os.getenv("LITELLM_SALT_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d579504fb8c7fa20 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/prometheus_cleanup.py:31
    if not os.environ.get("PROMETHEUS_MULTIPROC_DIR"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b164ef723f622955 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:29
litellm_mode = os.getenv("LITELLM_MODE", "DEV")  # "PRODUCTION", "DEV"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #046a27f2b083b182 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:298
        os.environ["LITELLM_DEV_ENV_HOT_RELOAD"] = "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03c9d4a0793a8d09 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:483
        if os.environ.get("PROMETHEUS_MULTIPROC_DIR"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e71a8270a75f9ed7 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:505
            with open(os.devnull, "w") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcf1878d590268a2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:557
        multiproc_dir = os.environ.get("PROMETHEUS_MULTIPROC_DIR") or os.environ.get("prometheus_multiproc_dir")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74b636833876b149 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:562
            os.environ["PROMETHEUS_MULTIPROC_DIR"] = multiproc_dir

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d484d693acb01ad Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:984
            db_host = os.getenv("DATABASE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #190d71a93368a42a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:990
            db_port = os.getenv("DATABASE_PORT", "5432")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e528118df6f66a3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:991
            db_user = os.getenv("DATABASE_USER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cbe9a4f75ae18ba Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:992
            db_name = os.getenv("DATABASE_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b26ca52ee26e306e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:993
            db_schema = os.getenv("DATABASE_SCHEMA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ecedf1a965ca7ec Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1002
            os.environ["DATABASE_URL"] = _db_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53618cbf3b5f3948 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1003
            os.environ["IAM_TOKEN_DB_AUTH"] = "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8898434435c5b101 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1009
        if os.getenv("USE_AWS_KMS", None) is not None and os.getenv("USE_AWS_KMS") == "True":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #147dddea8048518d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1014
                os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7a0947a421444c8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1062
            if database_url is None and os.getenv("DATABASE_URL") is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76fde8caeddb52bc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1068
                    os.environ["DATABASE_URL"] = database_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #214021f0a869043d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1100
                os.environ["DATABASE_URL"] = database_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d0408c21a8066db Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1103
        if config is None and os.getenv("DATABASE_URL") is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd5510127aeff700 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1109
                os.environ["DATABASE_URL"] = database_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46fcbc057cb0df8a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1116
        if os.getenv("DATABASE_URL", None) is not None or os.getenv("DIRECT_URL", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1810883191f7fb3b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1123
                _candidate_url = os.getenv(_db_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c09fac9a4e571ef9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1145
                if os.getenv("DATABASE_URL", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81331dbd6e4f49d2 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1151
                    os.environ["DATABASE_URL"] = modified_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fc38f3feaa9cccf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1152
                if os.getenv("DIRECT_URL", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f866eeb146eb8f00 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1153
                    database_url = os.getenv("DIRECT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9ed5f51ba25f821 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_cli.py:1155
                    os.environ["DIRECT_URL"] = modified_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43c16c9c79f54823 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:632
global_max_parallel_request_retries_env: Optional[str] = os.getenv("LITELLM_GLOBAL_MAX_PARALLEL_REQUEST_RETRIES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9fe242141a7c5dd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:640
global_max_parallel_request_retry_timeout_env: Optional[str] = os.getenv(
    "LITELLM_GLOBAL_MAX_PARALLEL_REQUEST_RETRY_TIMEOUT"
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #905fd586b7351b15 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:661
_title = os.getenv("DOCS_TITLE", "LiteLLM API") if premium_user else "LiteLLM API"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6dfd7618cddaa8e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:663
    os.getenv(
        "DOCS_DESCRIPTION",
        f"Enterprise Edition \n\nProxy Server to call 100+ LLMs in the OpenAI format. {custom_swagger_message}\n\n{ui_message}",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c146a3cde38d3b3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:796
    _startup_hooks_env = os.environ.get("LITELLM_WORKER_STARTUP_HOOKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15601c10a8f4b46b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:851
        elif os.environ.get("LITELLM_CONFIG_BUCKET_NAME") is not None and isinstance(worker_config, str):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #580b7b30cf64aa7a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1283
if os.getenv("DOCS_FILTERED", "False") == "True" and premium_user:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03fa7537ff70adeb Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1384
    _origins_raw = cors_origins_env if cors_origins_env is not None else os.getenv("LITELLM_CORS_ORIGINS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d230a68854dfcd6b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1397
        cors_credentials_env if cors_credentials_env is not None else os.getenv("LITELLM_CORS_ALLOW_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78ae91c348830617 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1517
    is_non_root = os.getenv("LITELLM_NON_ROOT", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edd64a7bc4a3d697 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1526
    runtime_ui_path = os.getenv("LITELLM_UI_PATH", default_runtime_ui_path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04b0d18c373af54a Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1620
                        with open(file_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1fc75d4ca4c6d85 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1635
                        with open(file_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #272c1a87dc798abc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1815
root_redirect_url: Optional[str] = os.getenv("ROOT_REDIRECT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #945fedd486b7371a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:1947
        KVUri = os.getenv("AZURE_KEY_VAULT_URI", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b66f4af8b2813bd9 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:2921
        with open(os.devnull, "w") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4948fbeab37d8934 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3488
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18dd2e084217aa05 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3509
            with open(f"{file_path}", "r") as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3cb2eacb2d95274 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3599
            with open(f"{user_config_file_path}", "w") as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78796313f61df387 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3742
        if os.environ.get("LITELLM_CONFIG_BUCKET_NAME") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a1035b93252b6d1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3743
            bucket_name = os.environ.get("LITELLM_CONFIG_BUCKET_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cc8aa54fdd38cff Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3744
            object_key = os.environ.get("LITELLM_CONFIG_BUCKET_OBJECT_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f77c91b378ba6fb Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3745
            bucket_type = os.environ.get("LITELLM_CONFIG_BUCKET_TYPE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b67b78f393fd396 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3899
                        os.environ[key] = resolved_secret_string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75648e4cc9aecdf6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3908
                    os.environ[key] = str(value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1648170bb66e1904 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:3912
                _license_check.license_str = os.getenv("LITELLM_LICENSE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a596f637db8ff5e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:4315
            use_pkce = os.getenv("GENERIC_CLIENT_USE_PKCE", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe65211d57ab9bd4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:4492
                    v = os.getenv(_v)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d8b7432dff74496 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:5120
                    os.environ[k] = decrypted_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d5cdb43f7b57099 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:5533
                os.environ[upper_key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16973a6536373090 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:6367
    os.environ["WORKER_CONFIG"] = json.dumps(data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22a187cbbc73cbd4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:6409
    if os.getenv("LITELLM_DONT_SHOW_FEEDBACK_BOX", "").lower() != "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45bc9dd9b44d10d9 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:6440
        litellm_log_setting = os.environ.get("LITELLM_LOG", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a5c25aa741b7bbe Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:6482
        os.environ["AZURE_API_VERSION"] = api_version  # set this for azure - litellm can read this from the env

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a9d8d377e4780fd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7838
            if os.getenv("PROMETHEUS_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc43c69204592198 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7950
            app_name = os.getenv("PYROSCOPE_APP_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab8cbc2305b50d91 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7956
            server_address = os.getenv("PYROSCOPE_SERVER_ADDRESS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afc5df253d58dd77 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7963
            env_name = os.getenv("OTEL_ENVIRONMENT_NAME") or os.getenv(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f61381052d420b99 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7963
            env_name = os.getenv("OTEL_ENVIRONMENT_NAME") or os.getenv(
                "LITELLM_DEPLOYMENT_ENVIRONMENT",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1efedbe0c19e845b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:7968
            sample_rate_env = os.getenv("PYROSCOPE_SAMPLE_RATE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b381b70362848b8 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:12880
        os.getenv("LITELLM_HIDE_DEFAULT_CREDENTIALS_HINT", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c2af0b7a91daaa6 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:13492
    logo_path = os.getenv("UI_LOGO_PATH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76ae4cd6698f82f5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:13506
    is_non_root = os.getenv("LITELLM_NON_ROOT", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcadd2868b574d64 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:13511
    assets_dir = os.getenv("LITELLM_ASSETS_PATH", default_assets_dir)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d150527ab5e0974 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:13530
    logo_path = os.getenv("UI_LOGO_PATH", default_logo)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86ad18804ab1d52b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:13571
    favicon_url = os.getenv("LITELLM_FAVICON_URL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb0d2ab549d460d3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/proxy_server.py:14624
                _var: (value if (value := environment_variables.get(_var)) is not None else os.getenv(_var))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66dd9a8e4099fe92 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/public_endpoints/public_endpoints.py:143
    raw = json.loads(files("litellm").joinpath("provider_endpoints_support_backup.json").read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d53c6a222b38abb0 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/public_endpoints/public_endpoints.py:344
    with open(provider_create_fields_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47c4cb0a2ec3541b Filesystem access.
pkgs/python/[email protected]/litellm/proxy/public_endpoints/public_endpoints.py:432
    with open(agent_create_fields_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc845328903d6756 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/public_endpoints/public_endpoints.py:435
    with open(provider_create_fields_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afe87b7d219d1f20 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/shutdown/graceful_shutdown_manager.py:58
        raw = os.getenv("GRACEFUL_SHUTDOWN_TIMEOUT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5dc27e377025686 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/spend_tracking/spend_log_error_logger.py:43
    return str_to_bool(os.getenv(SUPPRESS_SPEND_LOG_TRACEBACKS_ENV)) is True

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd4f5e26a8058485 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/spend_tracking/spend_management_endpoints.py:2577
            db_url = os.getenv("DATABASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59cb97be2e8bd5bc Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/spend_tracking/spend_tracking_utils.py:49
    max_length_str = os.getenv("MAX_STRING_LENGTH_PROMPT_IN_DB")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fda1d054753902ee Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:806
                os.environ[env_var_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7fa7e6f61bfd30e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:809
                os.environ.pop(env_var_name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a7d3aafb449650a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:965
        os.environ["UI_LOGO_PATH"] = logo_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #655c0bd0972a0fd3 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:972
        if "UI_LOGO_PATH" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e26db302b06e8fd1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:973
            del os.environ["UI_LOGO_PATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e930541e597ec91e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:984
        os.environ["LITELLM_FAVICON_URL"] = favicon_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c7621d78a9f3c40 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:991
        if "LITELLM_FAVICON_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #755965ac6740cb08 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:992
            del os.environ["LITELLM_FAVICON_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ae64723a89f2c74 Filesystem access.
pkgs/python/[email protected]/litellm/proxy/ui_crud_endpoints/proxy_setting_endpoints.py:1306
    with open(file_path, "wb") as buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #139220c2a80f4327 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:209
    if SendGridEmailLogger is not None and os.getenv("SENDGRID_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6504e055a21566e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:213
    if ResendEmailLogger is not None and os.getenv("RESEND_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe867958f27ce71b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:217
    if SMTPEmailLogger is not None and os.getenv("SMTP_HOST"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c86759e636e7c24 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:1895
        _proxy_base_url = os.getenv("PROXY_BASE_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdb3e215f1e8e10d Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2702
LITELLM_CONFIG_CACHE_TTL_SECONDS: int = int(os.environ.get("LITELLM_CONFIG_PARAM_CACHE_TTL_SECONDS", "60"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de36f96eef3d0f5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2790
        self.iam_token_db_auth: Optional[bool] = str_to_bool(os.getenv("IAM_TOKEN_DB_AUTH"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e35c7e9e52a80451 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2803
        read_replica_url = os.getenv("DATABASE_URL_READ_REPLICA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a0112bbebdea2bf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2850
                    os.environ["DATABASE_URL_READ_REPLICA"] = read_replica_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c8fd65c14bf9993 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2889
        self._db_reconnect_cooldown_seconds: int = max(1, int(os.getenv("PRISMA_RECONNECT_COOLDOWN_SECONDS", "15")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #161753c1bdf6d149 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2891
            5, int(os.getenv("PRISMA_HEALTH_WATCHDOG_INTERVAL_SECONDS", "30"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a16f48f36f9dcd3b Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2894
            str_to_bool(os.getenv("PRISMA_HEALTH_WATCHDOG_ENABLED", "true")) is True

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e0980513ea918ad Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2898
            float(os.getenv("PRISMA_HEALTH_WATCHDOG_PROBE_TIMEOUT_SECONDS", "5.0")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9015210a8a89c106 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2901
            1.0, float(os.getenv("PRISMA_WATCHDOG_RECONNECT_TIMEOUT_SECONDS", "30.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1efc04894f0fff17 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2904
            0.5, float(os.getenv("PRISMA_AUTH_RECONNECT_TIMEOUT_SECONDS", "2.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a5b42dacd918341 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2908
            float(os.getenv("PRISMA_AUTH_RECONNECT_LOCK_TIMEOUT_SECONDS", "0.1")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #981f6340b61e6eaf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:2911
        self._reconnect_escalation_threshold: int = max(1, int(os.getenv("PRISMA_RECONNECT_ESCALATION_THRESHOLD", "3")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b9c612ae6a486cf Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:3003
            pg_schema = os.getenv("DATABASE_SCHEMA", "public")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a92577caff0393f1 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4485
                db_url = os.getenv("DATABASE_URL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e08e00487985cc8e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4510
                db_url = os.getenv("DATABASE_URL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcf062fcb54f1ac4 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4954
    return os.getenv("SMTP_USE_SSL", "False") == "True" or smtp_port == 465

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #627c8e2b4efba190 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4978
    smtp_host = os.getenv("SMTP_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c7a19c98e624d06 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4979
    smtp_port = int(os.getenv("SMTP_PORT", "587"))  # default to port 587

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ac585a079a4a828 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4980
    smtp_username = os.getenv("SMTP_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85e61293c24add37 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4981
    smtp_password = os.getenv("SMTP_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a079053a68ce0a3f Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:4982
    sender_email = os.getenv("SMTP_SENDER_EMAIL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72299f67f23cf4f5 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5011
            if not using_ssl and os.getenv("SMTP_TLS", "True") != "False":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8816db4d2a6f2a8a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5178
                    base_url = os.getenv("SPEND_LOGS_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f8ed22c8ec20770 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5664
    if redoc_url := os.getenv("REDOC_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #627519b4ffeaa828 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5667
    if str_to_bool(os.getenv("NO_REDOC")) is True:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28e981357756dc09 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5681
    if docs_url := os.getenv("DOCS_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3fd4f01b6d0bbce Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5684
    if str_to_bool(os.getenv("NO_DOCS")) is True:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ec12fa0cb6cb5c0 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5698
    if openapi_url := os.getenv("OPENAPI_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05a47c7638593bdb Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5701
    if str_to_bool(os.getenv("NO_OPENAPI")) is True:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #202a4417fec3a2df Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5827
    return os.getenv("PROXY_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb864dbbf7da980a Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5837
    return os.getenv("SERVER_ROOT_PATH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b3b11f779460a64 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5889
    database_host = os.getenv("DATABASE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02483a53721993bd Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5890
    database_username = os.getenv("DATABASE_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a515367214ec63a7 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5891
    database_password = os.getenv("DATABASE_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #691aa3c9aad9e9f0 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5892
    database_name = os.getenv("DATABASE_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22925c68f566c981 Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/utils.py:5893
    database_schema = os.getenv("DATABASE_SCHEMA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a22c6702324a75e Environment-variable access.
pkgs/python/[email protected]/litellm/proxy/vertex_ai_endpoints/langfuse_endpoints.py:196
        dynamic_langfuse_host or os.getenv("LANGFUSE_HOST", _DEFAULT_LANGFUSE_HOST) or _DEFAULT_LANGFUSE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96c31fee5b8bb60f Environment-variable access.
pkgs/python/[email protected]/litellm/realtime_api/main.py:358
            or os.environ.get("LITELLM_AZURE_REALTIME_PROTOCOL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bd93b6cd75cb5f4 Environment-variable access.
pkgs/python/[email protected]/litellm/repositories/config_repository.py:152
                os.environ[env_key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a537998e31212e99 Environment-variable access.
pkgs/python/[email protected]/litellm/router.py:7848
                    params[param_key] = os.environ.get(env_name, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b65416340a74943 Environment-variable access.
pkgs/python/[email protected]/litellm/rust_bridge/ocr.py:49
    return os.getenv("LITELLM_USE_RUST_OCR", "").strip().lower() in {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1801a4580657eab4 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:22
    if "AWS_REGION_NAME" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4ac53349732e572 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:35
        kms_client = boto3.client("kms", region_name=os.getenv("AWS_REGION_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bc263948ffcfde6 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:56
        if "AWS_REGION_NAME" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #808332050a171313 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:62
        if os.getenv("LITELLM_LICENSE", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae01ba6e84cb9614 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:64
        elif os.getenv("LITELLM_SECRET_AWS_KMS_LITELLM_LICENSE", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0be816a87e14e091 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:80
            kms_client = boto3.client("kms", region_name=os.getenv("AWS_REGION_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8118790f8de80ec7 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:89
        encrypted_value = os.getenv(secret_name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4faf8fc3beac9750 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager.py:130
    for k, v in os.environ.items():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e925a4eda2208b63 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager_v2.py:68
            "AWS_REGION_NAME" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bfd2ab2cc1a7ff6 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager_v2.py:69
            and "AWS_REGION" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b03a59f27ef6c29 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager_v2.py:70
            and "AWS_DEFAULT_REGION" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91c1112ba9b5322a Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/aws_secret_manager_v2.py:178
            return os.getenv(secret_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6c85e26401e7fd1 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:27
        self.conjur_addr = os.getenv("CYBERARK_API_BASE", "http://127.0.0.1:8080")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dfdc06e75a3aef4 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:28
        self.conjur_account = os.getenv("CYBERARK_ACCOUNT", "default")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fda6c4fc2ed6c901 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:29
        self.conjur_username = os.getenv("CYBERARK_USERNAME", "admin")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da619c5f380588db Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:30
        self.conjur_api_key = os.getenv("CYBERARK_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e62b186f7f9cf68 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:33
        self.tls_cert_path = os.getenv("CYBERARK_CLIENT_CERT", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04cd79ff69119af4 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:34
        self.tls_key_path = os.getenv("CYBERARK_CLIENT_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c901b668c8bb829b Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:38
        ssl_verify_env = str_to_bool(os.getenv("CYBERARK_SSL_VERIFY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6fcbad3066e9206 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/cyberark_secret_manager.py:51
        _refresh_interval = int(os.environ.get("CYBERARK_REFRESH_INTERVAL", "300"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3957285cd736e2cc Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:12
        os.environ.get("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c02798d021c2a159 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:13
        and os.environ.get("AZURE_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e42008a3ab166554 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:14
        and os.environ.get("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0ae23e5dca166e3 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:17
    elif os.environ.get("AZURE_CLIENT_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d687c7b7a9077695 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:20
        os.environ.get("AZURE_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f1795f487d7c2a4 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:21
        and os.environ.get("AZURE_TENANT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70ef5159fc6c72e7 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:22
        and os.environ.get("AZURE_CERTIFICATE_PATH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a320959feed098e6 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:23
        and os.environ.get("AZURE_CERTIFICATE_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce6f8fe063d43ed6 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:26
    elif os.environ.get("AZURE_CERTIFICATE_PASSWORD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d5a7949151a036e Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:28
    elif os.environ.get("AZURE_CERTIFICATE_PATH"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93cdafee5725e404 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:64
        azure_scope = os.environ.get("AZURE_SCOPE") or "https://cognitiveservices.azure.com/.default"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8431e7d82d7e418c Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:69
        else None or os.environ.get("AZURE_CREDENTIAL") or infer_credential_type_from_environment()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc097d9e132179ce Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:83
            client_id=os.environ["AZURE_CLIENT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff5435bf83c592f7 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:84
            client_secret=os.environ["AZURE_CLIENT_SECRET"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #377f21022589fabb Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:85
            tenant_id=os.environ["AZURE_TENANT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49556d2661b66741 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:88
        credential = ManagedIdentityCredential(client_id=os.environ["AZURE_CLIENT_ID"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb404bd8040f4176 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:90
        if os.getenv("AZURE_CERTIFICATE_PASSWORD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6467df5ee253ea8b Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:92
                client_id=os.environ["AZURE_CLIENT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #659eed22f6e34a86 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:93
                tenant_id=os.environ["AZURE_TENANT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a73f6facbee61337 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:94
                certificate_path=os.environ["AZURE_CERTIFICATE_PATH"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3722bae1e1cfe9da Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:95
                password=os.environ["AZURE_CERTIFICATE_PASSWORD"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b0b30d37f00b6b1 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:99
                client_id=os.environ["AZURE_CLIENT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfaaa32af12dcc04 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:100
                tenant_id=os.environ["AZURE_TENANT_ID"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0558bb50de04005 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/get_azure_ad_token_provider.py:101
                certificate_path=os.environ["AZURE_CERTIFICATE_PATH"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a452f22ef5cbc89b Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_kms.py:19
    if "GOOGLE_APPLICATION_CREDENTIALS" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e98d8735705f59c Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_kms.py:21
    if "GOOGLE_KMS_RESOURCE_NAME" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf75dff5f03b265c Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_kms.py:37
        litellm._google_kms_resource_name = os.getenv("GOOGLE_KMS_RESOURCE_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #093a1eac95ed6e51 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_secret_manager.py:32
        self.PROJECT_ID = os.environ.get("GOOGLE_SECRET_MANAGER_PROJECT_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62defddf6f8e36f5 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_secret_manager.py:40
        _refresh_interval = os.environ.get("GOOGLE_SECRET_MANAGER_REFRESH_INTERVAL", refresh_interval)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4cf24a5d8464213 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_secret_manager.py:44
        _always_read_secret_manager = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #722dd42fc87fbabb Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/google_secret_manager.py:44
        _always_read_secret_manager = os.environ.get(
            "GOOGLE_SECRET_MANAGER_ALWAYS_READ_SECRET_MANAGER",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13d050c8710db91b Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:25
        self.vault_addr = os.getenv("HCP_VAULT_ADDR", "http://127.0.0.1:8200")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d021e7dc2309a924 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:26
        self.vault_token = os.getenv("HCP_VAULT_TOKEN", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41b9bd339dc1fcc9 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:28
        self.vault_namespace = os.getenv("HCP_VAULT_NAMESPACE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd76fdd52e2bac14 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:31
        self.vault_mount_name = os.getenv("HCP_VAULT_MOUNT_NAME", "secret")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da75b8659801ac8e Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:33
        self.vault_path_prefix = os.getenv("HCP_VAULT_PATH_PREFIX", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f31fc86636f6a3aa Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:36
        self.tls_cert_path = os.getenv("HCP_VAULT_CLIENT_CERT", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #449353040b5df9fb Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:37
        self.tls_key_path = os.getenv("HCP_VAULT_CLIENT_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #377d39bcbcf57d42 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:38
        self.vault_cert_role = os.getenv("HCP_VAULT_CERT_ROLE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dbc918b90095e7f Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:41
        self.approle_role_id = os.getenv("HCP_VAULT_APPROLE_ROLE_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48734900172f4dc6 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:42
        self.approle_secret_id = os.getenv("HCP_VAULT_APPROLE_SECRET_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea74bf11ccbb2411 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:43
        self.approle_mount_path = os.getenv("HCP_VAULT_APPROLE_MOUNT_PATH", "approle")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf3cf926df16f683 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/hashicorp_secret_manager.py:54
        _refresh_interval = os.environ.get("HCP_VAULT_REFRESH_INTERVAL", SECRET_MANAGER_REFRESH_INTERVAL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #463f60b4b05af86f Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:31
    override = os.getenv("LITELLM_OIDC_ALLOWED_CREDENTIAL_DIRS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6624a9bc4ced8ad3 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:196
            env_secret = os.getenv("CIRCLE_OIDC_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58eb76156675bd40 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:202
            env_secret = os.getenv("CIRCLE_OIDC_TOKEN_V2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #973986a94fdc0fe1 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:208
            actions_id_token_request_url = os.getenv("ACTIONS_ID_TOKEN_REQUEST_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d4b7416f2758d7a Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:209
            actions_id_token_request_token = os.getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #009cf36dbeb5829e Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:236
            azure_federated_token_file = os.getenv("AZURE_FEDERATED_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #531a635e616cb31b Filesystem access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:251
            with open(azure_federated_token_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce89e22b893ebe20 Filesystem access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:257
            with open(safe_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b3c456bbaf3fc6a Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:262
            oidc_token = os.getenv(oidc_aud)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bffd33c84195f92 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:268
            token_file_path = os.getenv(oidc_aud)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48b79a3ef47697b5 Filesystem access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:271
            with open(token_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee8b21f613f88626 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:303
                secret = os.getenv(secret_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f17047a4ea7f10dd Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/main.py:314
            secret = os.environ.get(secret_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fde4120ae2d32fab Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/secret_manager_handler.py:59
        encrypted_secret: Any = os.getenv(secret_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c486af5d33f7eb7 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/secret_manager_handler.py:82
        encrypted_value = os.getenv(secret_name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e206e7a0bf37c904 Environment-variable access.
pkgs/python/[email protected]/litellm/secret_managers/secret_manager_handler.py:160
        secret = os.getenv(secret_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c98b6aded0c581b0 Environment-variable access.
pkgs/python/[email protected]/litellm/setup_wizard.py:135
    return sys.stdout.isatty() and os.environ.get("NO_COLOR") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d9c77fead18df7f Filesystem access.
pkgs/python/[email protected]/litellm/setup_wizard.py:241
            config_path.write_text(SetupWizard._build_config(providers, env_vars, master_key))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd4159ba571ff5e3 Filesystem access.
pkgs/python/[email protected]/litellm/setup_wizard.py:281
        with open("/dev/tty", "rb") as tty_fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4ced94e3d78dc83 Environment-variable access.
pkgs/python/[email protected]/litellm/types/integrations/slack_alerting.py:55
            os.getenv(
                "SLACK_DAILY_REPORT_FREQUENCY",
                int(SlackAlertingArgsEnum.daily_report_frequency.value),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #129155a03d0ae32b Environment-variable access.
pkgs/python/[email protected]/litellm/types/proxy/guardrails/guardrail_hooks/zscaler_ai_guard.py:91
        api_base = self.api_base or os.getenv(
            "ZSCALER_AI_GUARD_URL",
            "https://api.us1.zseclipse.net/v1/detection/execute-policy",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd8f44afdc218320 Environment-variable access.
pkgs/python/[email protected]/litellm/types/proxy/guardrails/guardrail_hooks/zscaler_ai_guard.py:99
            env_policy = os.getenv("ZSCALER_AI_GUARD_POLICY_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8c5e148fbf43a9e Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5757
    no_proxy = os.getenv("NO_PROXY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #675981b2fc8db87b Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5810
            if "OPENAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0646f7677245811 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5815
            if "AZURE_API_BASE" in os.environ and "AZURE_API_VERSION" in os.environ and "AZURE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3ff0448ab53bda9 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5820
            if "ANTHROPIC_API_KEY" in os.environ or "ANTHROPIC_AUTH_TOKEN" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6903a6e20767a0d0 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5825
            if "COHERE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf0e920aff8aba25 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5830
            if "REPLICATE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0757fb6185d1f793 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5835
            if "OPENROUTER_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c03f00dd9317277a Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5840
            if "VERCEL_AI_GATEWAY_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fce7176510371f0 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5845
            if "DATAROBOT_API_TOKEN" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1011e740a9f9d79e Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5850
            if "VERTEXAI_PROJECT" in os.environ and "VERTEXAI_LOCATION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73ece66a70b1d14d Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5855
            if "HUGGINGFACE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78312fe7db3e364c Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5860
            if "AI21_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3468eb43a1f56a42 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5865
            if "TOGETHERAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81e342c94fa77400 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5870
            if "ALEPH_ALPHA_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c01c8b159e4fdc4 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5875
            if "BASETEN_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c43b7b935f68604 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5880
            if "NLP_CLOUD_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13bb55e18de792fc Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5885
            if ("AWS_ACCESS_KEY_ID" in os.environ and "AWS_SECRET_ACCESS_KEY" in os.environ) or (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb2579b486aac2ae Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5887
                "AWS_ROLE_ARN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15daeba126e41c7c Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5888
                or "AWS_PROFILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db1c6b04eae70a86 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5889
                or "AWS_WEB_IDENTITY_TOKEN_FILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2947fa9b001a7cd2 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5890
                or "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in os.environ  # ECS task role

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0479927a5973c39 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5891
                or "AWS_CONTAINER_CREDENTIALS_FULL_URI" in os.environ  # ECS/Fargate full URI credential delivery

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a2d98c2080e93eb Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5898
            if "OLLAMA_API_BASE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ffbc4d7d824f974 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5903
            if "ANYSCALE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef5301792969bc8b Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5908
            if "DEEPINFRA_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cffc4b0e964fd9b2 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5913
            if "FEATHERLESS_AI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8a8b9e43e32bd63 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5918
            if ("GOOGLE_API_KEY" in os.environ) or ("GEMINI_API_KEY" in os.environ):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f8d3845275345f2 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5924
            if "GROQ_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0286412bb1ee79d Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5929
            if "NVIDIA_NIM_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65f439c71f084e23 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5934
            if "CEREBRAS_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f00ed83468dcf1b Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5939
            if "BASETEN_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7186852c8b2aa9dd Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5944
            if "XAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2906b8f5d735f5f2 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5949
            if "AI21_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddbaf696afe7e892 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5954
            if "VOLCENGINE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d89d226f61099c0 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5959
            if "CODESTRAL_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8d5ca1ee2c9fed6 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5964
            if "INCEPTION_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #559957305b87ced1 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5969
            if "DEEPSEEK_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11028df87a324672 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5974
            if "MISTRAL_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a4836d2c4c2ddeb Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5979
            if "PALM_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d6727fd8515ffe4 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5984
            if "PERPLEXITYAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adf6c99751f10ad4 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5989
            if "VOYAGE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c18a2498589cef11 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:5994
            if "INFINITY_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45eaeb181cbf842d Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6000
                "FIREWORKS_AI_API_KEY" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45de8d0e653875de Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6001
                or "FIREWORKS_API_KEY" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c85bd1774e40a75 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6002
                or "FIREWORKSAI_API_KEY" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05ad8b7380ea987c Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6003
                or "FIREWORKS_AI_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afbbfda930113503 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6009
            if "CLOUDFLARE_API_KEY" in os.environ and (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92f7cf9742923dd6 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6010
                "CLOUDFLARE_ACCOUNT_ID" in os.environ or "CLOUDFLARE_API_BASE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23a016e97c1e24e5 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6017
            if "NOVITA_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8b2afda68d1fef3 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6022
            if "NEBIUS_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1b9cb62aad917dd Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6027
            if "WANDB_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d2be530e9a7c3b2 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6032
            if "DASHSCOPE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a30996568f344d6 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6037
            if "MODELSCOPE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #134edbcb1b84aa2f Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6042
            if "MOONSHOT_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a61084547b26b37 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6055
            if "OPENAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dd5a73c7a2d4a61 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6061
            if "ANTHROPIC_API_KEY" in os.environ or "ANTHROPIC_AUTH_TOKEN" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adc04bf7e91af176 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6067
            if "COHERE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb14b84f214a84f3 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6073
            if "REPLICATE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e8d662325a39bb5 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6079
            if "OPENROUTER_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a12e0d77e446917 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6085
            if "VERCEL_AI_GATEWAY_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3daf62b3a22a204b Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6091
            if "DATAROBOT_API_TOKEN" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82dd3f0abb54c434 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6101
            if "VERTEXAI_PROJECT" in os.environ and "VERTEXAI_LOCATION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d10c8f53f664c53d Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6107
            if "HUGGINGFACE_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1d4ba914fd25028 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6113
            if "AI21_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e492fe977dc7dd70 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6119
            if "TOGETHERAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #066494aa4196c7bc Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6125
            if "ALEPH_ALPHA_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd7ee7cc4093ca0e Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6131
            if "BASETEN_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffe1f9a9b2b6159b Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6137
            if "NLP_CLOUD_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a23e21fcd974c9cd Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6142
            if "NOVITA_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78250fca61d03aef Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6147
            if "NEBIUS_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92b43a598600edfd Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6152
            if "WANDB_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61e3afa68ce12f45 Filesystem access.
pkgs/python/[email protected]/litellm/utils.py:6521
        with open(config_path, "r") as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ff9870f5bbde634 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6770
        env_vars = {k: v for k, v in os.environ.items() if k.startswith(("OPENAI", "ANTHROPIC", "AZURE", "AWS"))}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eda47f35644bfd13 Environment-variable access.
pkgs/python/[email protected]/litellm/utils.py:6832
    environ_keys = os.environ.keys()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b3260ea90d59711 Filesystem access.
pkgs/python/[email protected]/litellm/utils.py:7449
        return json.loads(model_cost_path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

crewai-tools

python dependency
high pii_flow dependency Excluded from app score #d0d56e90506504d1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:45 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:27 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:45
        response = requests.request(
            "POST",
            execute_url,
            headers=headers,
            json=action_params,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6ca8984e930b4c73 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:71 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:69 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:71
        response = requests.request(
            "GET",
            ACTIONS_URL,
            headers=headers,
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #6ab6f2fbea273216 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:133
            response = requests.get(
                self.search_url, headers=headers, params=payload, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #fd972bc424806db1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:219 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:224
            response = requests.post(
                self.base_url, json=request_params, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #16e5bbce0b5d1cd7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:135 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:141
            response = requests.post(
                self.base_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #13a596144485d7f8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #0d2792097eb6e500 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:89
                result = requests.get(status_url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #397562df4d9b4771 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:64 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:100
            result = requests.get(
                results_url,
                headers=headers,
                params={"output_types": ",".join(output_types)},
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #173d484299014d8e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:48 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_query_tool/contextual_query_tool.py:49
        response = requests.get(url, headers=headers, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #4f663ce0eeded6ff User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:53 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #8175d8644b93fecd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:70
            response = requests.post(
                url=api_url,
                headers=headers,
                json=payload,
                timeout=60,
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #e7edc622198e074c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:47
            response = requests.get(
                actions_url,
                headers=headers,
                timeout=30,
                params={"apps": ",".join(self._apps)},
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #8a580975f39b7eea User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:104
            resp = requests.post(
                self.search_url, json=payload, headers=headers, timeout=request_timeout
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #cdbe3f515762fa04 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #535a64539feb167d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #4ecdd7e3f723c650 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:145
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #249a6ce1e27c775c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:95
        response = requests.post(
            self.evaluate_url,
            headers=headers,
            data=json.dumps(data),
            timeout=30,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #d145dedbbf6bc409 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:257
            response = requests.post(
                search_url, headers=headers, json=payload, timeout=10
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling reachable #fc91d6ceb10e7a3a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 124 low-confidence finding(s)
low env_fs dependency Excluded from app score #9603443809f895c0 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/adapters/enterprise_adapter.py:14
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8aa15b59e4b95e8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c612dd0752664afb Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/adapters/enterprise_adapter.py:419
        token = enterprise_action_token or os.environ.get(
            "CREWAI_ENTERPRISE_TOOLS_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8113a8051f4aff84 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/adapters/zapier_adapter.py:62
        self.api_key = api_key or os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62779ffc35877e5e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:60
        self.agent_id = agent_id or os.getenv("BEDROCK_AGENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a4538175bd38fb8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:61
        self.agent_alias_id = agent_alias_id or os.getenv("BEDROCK_AGENT_ALIAS_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8883cc217d2572ca Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:105
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33d1b995a8a6270c Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/agents/invoke_agent_tool.py:106
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c26f5c4a8bc8974e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:60
        self.knowledge_base_id = knowledge_base_id or os.getenv("BEDROCK_KB_ID")  # type: ignore[assignment]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a0e75f242890226 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:196
                region_name=os.getenv(
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")
                ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e08d291084b7ef87 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/bedrock/knowledge_base/retriever_tool.py:197
                    "AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e22e1d03bd500900 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/reader_tool.py:35
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa8bbd8e86618fde Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/reader_tool.py:36
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b69ad4cbcc96468f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/reader_tool.py:37
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d59fccfea4e1b419 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/writer_tool.py:36
                region_name=os.getenv("CREW_AWS_REGION", "us-east-1"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a6b4ab90e1099fa Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/writer_tool.py:37
                aws_access_key_id=os.getenv("CREW_AWS_ACCESS_KEY_ID"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f817e7419f51398 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/aws/s3/writer_tool.py:38
                aws_secret_access_key=os.getenv("CREW_AWS_SEC_ACCESS_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af3c0c557105f3e4 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/generate_tool_specs.py:190
        with open(output_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0236d401ec3d259e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/rag/embedding_service.py:108
            return os.getenv(env_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b96c68074492e572 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/rag/loaders/csv_loader.py:29
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44b18cbbcf8e9404 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/rag/loaders/json_loader.py:28
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14731385bd8d793a Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/rag/loaders/mdx_loader.py:36
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #651fca759b163dc6 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/rag/loaders/text_loader.py:15
        with open(source_content.source, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a8917241eca7d7d Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/rag/loaders/xml_loader.py:37
        with open(path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0490004915cd69c6 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/security/safe_path.py:52
    return os.environ.get(_UNSAFE_PATHS_ENV, "").lower() in ("true", "1", "yes")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f2182a0c35463d72 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/ai_mind_tool/ai_mind_tool.py:47
        self.api_key = api_key or os.getenv("MINDS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #faca3a60264857c1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/apify_actors_tool/apify_actors_tool.py:58
        if not os.environ.get("APIFY_API_TOKEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #80ab0a84607b5cdf Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/base.py:26
    with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f0950dadc88e5b10 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/base.py:126
        self._api_key = api_key or os.environ.get("BRAVE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #83399916d7fcde7f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:55
        if "BRAVE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #09cfa62825d5ac15 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brave_search_tool/brave_search_tool.py:129
                "X-Subscription-Token": os.environ["BRAVE_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #32b2d2bd3baccc27 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:20
            API_URL=os.environ.get("BRIGHTDATA_API_URL", "https://api.brightdata.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f7c4c6b76bdcb48e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:21
            DEFAULT_TIMEOUT=int(os.environ.get("BRIGHTDATA_DEFAULT_TIMEOUT", "600")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #74a8cb8b4c5369db Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:23
                os.environ.get("BRIGHTDATA_DEFAULT_POLLING_INTERVAL", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7a71228728fe280c Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:481
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #04a29ab64eba4437 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_dataset.py:578
        api_key = os.getenv("BRIGHT_DATA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #57e571a06926db3e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #33be5b94a021d8fb Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:18
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e51b7501679fa537 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:125
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cf8f920f4e118632 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_serp.py:126
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a6d34181a85523ae Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4c5b4de641bc1f01 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:19
            API_URL=os.environ.get(
                "BRIGHTDATA_API_URL", "https://api.brightdata.com/request"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #58494aa2b9566cce Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:99
        self.api_key = os.getenv("BRIGHT_DATA_API_KEY") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a85f8f54096ccfd0 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/brightdata_tool/brightdata_unlocker.py:100
        self.zone = os.getenv("BRIGHT_DATA_ZONE") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #03938abc82057e98 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:16
    api_key: str | None = os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ef0843bf58381064 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/browserbase_load_tool/browserbase_load_tool.py:17
    project_id: str | None = os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7f52b85883966edb Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_create_agent_tool/contextual_create_agent_tool.py:65
                with open(doc_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #245c086ce57d007b Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:78
            with open(file_path, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling reachable #cfc6fd876f6848f1 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_parse_tool/contextual_parse_tool.py:80
                result = requests.post(
                    url, headers=headers, data=config, files=file, timeout=30
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress tooling reachable #bad558e134c6fdf1 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_tools/tools/contextualai_rerank_tool/contextual_rerank_tool.py:69
            result = requests.post(
                rerank_url, json=payload, headers=headers, timeout=30
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling reachable #51a0fab9922e27ae Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_action_tool.py:75
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9b24c575eb973645 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/crewai_platform_tool_builder.py:52
                verify=os.environ.get("CREWAI_FACTORY", "false").lower() != "true",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c49496fc033adfb7 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/misc.py:6
    base_url = os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #76191f388a9ef4e2 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/crewai_platform_tools/misc.py:12
    token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN") or ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1d4dd9da3f2b4703 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:145
        has_profile = "DATABRICKS_CONFIG_PROFILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4aa38524dcb6af48 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/databricks_query_tool/databricks_query_tool.py:147
            "DATABRICKS_HOST" in os.environ and "DATABRICKS_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #40d0dfc55c6edaa1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:35
        default_factory=lambda: os.getenv("DAYTONA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bc5a616e9844d86a Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:40
        default_factory=lambda: os.getenv("DAYTONA_API_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6a110c385ceca831 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/daytona_sandbox_tool/daytona_base_tool.py:45
        default_factory=lambda: os.getenv("DAYTONA_TARGET"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b39e5e9bf9e6d552 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:36
            SecretStr(val) if (val := os.getenv("E2B_API_KEY")) else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #52865de418c4210e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/e2b_sandbox_tool/e2b_base_tool.py:43
        default_factory=lambda: os.getenv("E2B_DOMAIN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2076488365e46edc Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/exa_tools/exa_search_tool.py:58
        default_factory=lambda: os.getenv("EXA_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b11661899bf2080f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/exa_tools/exa_search_tool.py:63
        default_factory=lambda: os.getenv("EXA_BASE_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a58bab36018836ba Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/file_read_tool/file_read_tool.py:93
            with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #34e1d0392a28fd38 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/file_writer_tool/file_writer_tool.py:70
            with open(real_filepath, mode) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #272a3ff15bb9bee3 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:28
        default_factory=lambda: os.getenv("CREWAI_PLUS_URL", "https://app.crewai.com"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c9bf795f07afd2da Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/generate_crewai_automation_tool/generate_crewai_automation_tool.py:32
        default_factory=lambda: os.getenv("CREWAI_PERSONAL_ACCESS_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #21812377df5eb679 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/hyperbrowser_load_tool/hyperbrowser_load_tool.py:49
        self.api_key = api_key or os.getenv("HYPERBROWSER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0372317d49fa0338 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/linkup/linkup_search_tool.py:54
        self._client = LinkupClient(api_key=api_key or os.getenv("LINKUP_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c609fca3c1e9906e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/merge_agent_handler_tool/merge_agent_handler_tool.py:65
        api_key = os.environ.get("AGENT_HANDLER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #494eb6bca3f47c47 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:124
        if "AZURE_OPENAI_ENDPOINT" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f5f13788950fc38b Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/mongodb_vector_search_tool/vector_search.py:126
        elif "OPENAI_API_KEY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #28dc1901a585e17f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/multion_tool/example.py:7
os.environ["OPENAI_API_KEY"] = "Your Key"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #62b414d68577e0cf Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/multion_tool/multion_tool.py:52
        self.multion = MultiOn(api_key=api_key or os.getenv("MULTION_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #17887e277e0011b1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/nl2sql/nl2sql_tool.py:256
        if os.environ.get("CREWAI_NL2SQL_ALLOW_DML", "").strip().lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3550b82970e47cb9 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/ocr_tool/ocr_tool.py:104
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4932695e6562052b Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:146
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e9536784847cf5e6 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_amazon_product_scraper_tool/oxylabs_amazon_product_scraper_tool.py:147
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e075f727a76214e3 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:148
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #944f727aeaba849c Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_amazon_search_scraper_tool/oxylabs_amazon_search_scraper_tool.py:149
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1c5febc23a9432a7 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:151
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6ed95285d89e2d6a Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_google_search_scraper_tool/oxylabs_google_search_scraper_tool.py:152
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ecca0e99c6e8efc5 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:142
        username = os.environ.get("OXYLABS_USERNAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c49e10c1640765aa Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/oxylabs_universal_scraper_tool/oxylabs_universal_scraper_tool.py:143
        password = os.environ.get("OXYLABS_PASSWORD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a42954af2e5da1b9 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/parallel_tools/parallel_search_tool.py:78
        api_key = os.environ.get("PARALLEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling reachable #409a8ea5319cf965 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:39
            requests.get(
                "https://api.patronus.ai/v1/evaluators",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling reachable #fe56524cb884ffb1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:43
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling reachable #a36910b7f9a35d8b Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:62
            requests.get(
                "https://api.patronus.ai/v1/evaluator-criteria",
                headers={
                    "accept": "application/json",
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],
                },
                timeout=30,
            ).text

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling reachable #64c71b0b8f5a436c Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:66
                    "X-API-KEY": os.environ["PATRONUS_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d1de742dd60f2e3a Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_eval_tool.py:138
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f822739707bb694d Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/patronus_eval_tool/patronus_predefined_criteria_eval_tool.py:60
        api_key = os.getenv("PATRONUS_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #901f13a87618d5e8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/qdrant_vector_search_tool/qdrant_search_tool.py:113
                    .Client(api_key=os.getenv("OPENAI_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #30b1771b57ebb984 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/scrape_element_from_website/scrape_element_from_website.py:68
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #20e8c2e413894c7e Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/scrape_website_tool/scrape_website_tool.py:67
                self.cookies = {cookies["name"]: os.getenv(cookies["value"]) or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #03fab28b542e8e33 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/scrapegraph_scrape_tool/scrapegraph_scrape_tool.py:113
        self.api_key = api_key or os.getenv("SCRAPEGRAPH_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #98bb570e07ed26f7 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/scrapfly_scrape_website_tool/scrapfly_scrape_website_tool.py:66
        self.scrapfly = ScrapflyClient(key=api_key or os.getenv("SCRAPFLY_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c163abdadc7f0615 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serpapi_tool/serpapi_base_tool.py:44
        api_key = os.getenv("SERPAPI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f140ca56ee162cd5 Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:94
        with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2fd596bc80dababb Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_dev_tool/serper_dev_tool.py:251
            "X-API-KEY": os.environ["SERPER_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8f21ce3fe5ea771f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:52
            api_key = os.getenv("SERPER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling reachable #8800e4c062991393 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_tools/tools/serper_scrape_website_tool/serper_scrape_website_tool.py:59
            response = requests.post(
                api_url,
                headers=headers,
                data=payload,
                timeout=30,
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling reachable #5ae085e5d249d38c Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serply_api_tool/serply_job_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c184bcee27951e62 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serply_api_tool/serply_news_search_tool.py:47
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #81f3f932b9b2f2d7 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serply_api_tool/serply_scholar_search_tool.py:51
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eefafef8c92d66ec Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serply_api_tool/serply_web_search_tool.py:67
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #087308451f8c7176 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/serply_api_tool/serply_webpage_to_markdown_tool.py:31
            "X-API-KEY": os.environ["SERPLY_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9db6bfd4fa0409ba Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/snowflake_search_tool/snowflake_search_tool.py:188
            with open(self.config.private_key_path, "rb") as key_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0e3a50fdbfa523f7 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/example.py:34
browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fbec0ff96049cf19 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/example.py:35
browserbase_project_id = os.environ.get("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b34afefd43694aaa Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/example.py:36
model_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d88f4669aac5bf0f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:208
        self.api_key = api_key or os.getenv("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f527881fd269a10b Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:209
        self.project_id = project_id or os.getenv("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #63a2dad6215c4338 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:263
            return self.model_api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eef818a83e2c2505 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:265
            return self.model_api_key or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2aff433b6613b89f Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:267
            return self.model_api_key or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5c06c512bea73113 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:271
            or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #13b8ecb39b4d9d06 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:272
            or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #48bc99c90670ffb1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/tavily_extractor_tool/tavily_extractor_tool.py:62
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4d8ef9727c528d76 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/tavily_get_research_tool/tavily_get_research_tool.py:56
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7fe45cc2b58805a8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/tavily_research_tool/tavily_research_tool.py:92
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d6ccbacf02cdee7d Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/tavily_search_tool/tavily_search_tool.py:61
        default_factory=lambda: os.getenv("TAVILY_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b1c4eb5c26780a3d Filesystem access.
pkgs/python/[email protected]/src/crewai_tools/tools/vision_tool/vision_tool.py:140
        with open(image_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #65cd2ffea7f31fee Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/weaviate_tool/vector_search.py:89
            openai_api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #473dbf8df31ee219 Environment-variable access.
pkgs/python/[email protected]/src/crewai_tools/tools/zapier_action_tool/zapier_action_tool.py:23
        zapier_api_key = os.getenv("ZAPIER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

composio-core

python dependency
high pii_flow tooling reachable #4bb254efd0965919 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:107 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:71 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:107
        response = requests.post(
            "https://api.greptile.com/v2/query",
            headers=headers,
            data=json.dumps(data),
            timeout=request.timeout,
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #95d84d2086fed7b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/core/cls/catch_all_exceptions.py:3
import sentry_sdk

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6b38c92d4a8a5f2d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/core/cls/catch_all_exceptions.py:53
    if (isinstance(exc, (SystemExit, ValueError))) and sentry_sdk.is_initialized():

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #65dc35e9bf2e49a1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/core/cls/catch_all_exceptions.py:54
        sentry_sdk.capture_exception(exc)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e11b310d2b40a316 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/core/cls/catch_all_exceptions.py:55
        sentry_sdk.flush()

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c3e47192afcbc5a7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:12
import sentry_sdk

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f57ec9110cfbfaee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:13
import sentry_sdk.integrations.argv

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3ae8130ba2dfdbcf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:14
import sentry_sdk.integrations.atexit

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a1cdd00c81a764c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:15
import sentry_sdk.integrations.dedupe

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a4ae36fcec2b2ccd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:16
import sentry_sdk.integrations.excepthook

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b11b9c79ed3ce294 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:17
import sentry_sdk.integrations.fastapi

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #efd9b537c76f4ba1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:18
import sentry_sdk.integrations.logging

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5b9e4aab7962a136 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:19
import sentry_sdk.integrations.modules

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9fb5a47f8508a0c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:20
import sentry_sdk.integrations.stdlib

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c32b63b2f1b80810 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:21
import sentry_sdk.integrations.threading

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #94ce732c0bfa9204 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:22
import sentry_sdk.types

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f139e17a2739835e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/composio/utils/sentry.py:89
    sentry_sdk.init(
        dsn=sentry_config["dsn"],
        traces_sample_rate=sentry_config.get("traces_sample_rate", 1.0),
        profiles_sample_rate=sentry_config.get("profiles_sample_rate", 1.0),
        debug=False,
        before_send=filter_sentry_errors,
        default_integrations=False,
        integrations=[
            sentry_sdk.integrations.argv.ArgvIntegration(),
            sentry_sdk.integrations.atexit.AtexitIntegration(
                callback=lambda x, y: None,
            ),  # suppress atexit message
            sentry_sdk.integrations.dedupe.DedupeIntegration(),
            sentry_sdk.integrations.excepthook.ExcepthookIntegration(),
            sentry_sdk.integrations.fastapi.FastApiIntegration(),
            sentry_sdk.integrations.logging.LoggingIntegration(),
            sentry_sdk.integrations.modules.ModulesIntegration(),
            sentry_sdk.integrations.stdlib.StdlibIntegration(),
            sentry_sdk.integrations.threading.ThreadingIntegration(),
        ],
    )

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 80 low-confidence finding(s)
low env_fs dependency Excluded from app score #12da3bbc141789db Filesystem access.
pkgs/python/[email protected]/composio/cli/apps.py:99
    with open(enum_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1a1d29037726c47 Filesystem access.
pkgs/python/[email protected]/composio/cli/apps.py:133
    with open(enum_file + "i", "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54429a51a582449b Environment-variable access.
pkgs/python/[email protected]/composio/cli/context.py:82
        api_key_from_env = os.environ.get(ENV_COMPOSIO_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70ba6b58c63a8ce0 Filesystem access.
pkgs/python/[email protected]/composio/cli/utils/helpfulcmd.py:31
            formatter.write_text(click.style(text, fg="white"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dda70ea65afb35f3 Environment-variable access.
pkgs/python/[email protected]/composio/client/__init__.py:108
                else os.environ.get(ENV_COMPOSIO_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d661021e88573ebf Environment-variable access.
pkgs/python/[email protected]/composio/client/enums/enum.py:18
    os.environ.get("COMPOSIO_NO_REMOTE_ENUM_FETCHING", "false") != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae8542a9d659e54c Environment-variable access.
pkgs/python/[email protected]/composio/client/utils.py:18
NO_CACHE_REFRESH = os.getenv("COMPOSIO_NO_CACHE_REFRESH", "false") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #926741844ce3b00a Filesystem access.
pkgs/python/[email protected]/composio/client/utils.py:227
            first_action = json.loads(first_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #909ff02fc79f0647 Environment-variable access.
pkgs/python/[email protected]/composio/constants.py:39
_cache_dir = os.environ.get(ENV_LOCAL_CACHE_DIRECTORY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba6a04d887a6bc5a Environment-variable access.
pkgs/python/[email protected]/composio/constants.py:147
COMPOSIO_VERSIONING_POLICY = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b2828f4600fc808 Environment-variable access.
pkgs/python/[email protected]/composio/constants.py:147
COMPOSIO_VERSIONING_POLICY = os.environ.get(
    ENV_COMPOSIO_VERSIONING_POLICY,
    VERSION_LATEST_BASE,
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45a5fd8513935738 Environment-variable access.
pkgs/python/[email protected]/composio/server/api.py:116
    access_token = os.environ.get(ENV_ACCESS_TOKEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fff3526de52a64c7 Filesystem access.
pkgs/python/[email protected]/composio/server/api.py:273
        tempfile.write_text(request.content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8eeee78e6ea53572 Filesystem access.
pkgs/python/[email protected]/composio/storage/base.py:67
        self.path.write_text(
            json.dumps(
                data,
                indent=2,
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db3acb13810b4d43 Filesystem access.
pkgs/python/[email protected]/composio/storage/base.py:80
                path.read_text(
                    encoding="utf-8",
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #31e4047c7739d971 Filesystem access.
pkgs/python/[email protected]/composio/tools/base/local.py:124
                _content = Path(value).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #98d91d5efe4e9947 Filesystem access.
pkgs/python/[email protected]/composio/tools/base/local.py:137
                _content = Path(value).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8840886beb19f9fd Filesystem access.
pkgs/python/[email protected]/composio/tools/local/anthropic_computer_use/actions/computer.py:327
            base64_image = base64.b64encode(path.read_bytes()).decode()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3cecb6019d2a9927 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/base/action.py:183
                    with open(value, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1351dd9e896403e3 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/base/action.py:202
                    with open(value, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3dffa618cbdeab2b Filesystem access.
pkgs/python/[email protected]/composio/tools/local/base/utils/queries/__init__.py:11
with open(c_tags_query_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #09b017e815b37368 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/clipboardtool/actions/image.py:81
            with open(temp_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d988411b2f7967af Filesystem access.
pkgs/python/[email protected]/composio/tools/local/clipboardtool/actions/image.py:119
            with open(request.save_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #215e74fe75641623 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/actions/base_action.py:26
        with open(self.fqdn_cache_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #affb21400cd80530 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/actions/create_codemap.py:154
            with open(file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c78f65a4d52a4c14 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/actions/create_codemap.py:204
        with open(self.fqdn_cache_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2bffd67a252a80c0 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/actions/create_codemap.py:299
        with open(status_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8a1139510dc9a7e0 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/actions/create_codemap.py:307
        with open(status_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b58339a415405221 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:478
        with open(file_path, "r", encoding="utf-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #637c71c666e5b0ae Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:486
        with open(file_path, "w", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c7ee61c856549d52 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:637
        with open(global_path, "r") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6affc317a8bd2c53 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:680
        with open(_class_obj.global_path, "r", encoding="utf-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #56d0e91bebec686e Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:691
            with open(file_path, "w") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0c26ddf935d905ad Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:981
        with open(self.global_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2480d516784e3b35 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/lsp_helper.py:1146
        with open(file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8a0d8003f8ebc4be Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/tool_utils.py:74
                with open(file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6880b479d5fea60c Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/tree_sitter_related.py:132
    with open(file_path, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ccc22ff666ce4b43 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/tree_sitter_related.py:198
    with open(file_path, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2133a431d5ba3d87 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/codeanalysis/tree_sitter_related.py:233
    with open(file_path, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #897476d2428594a8 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/apply_patch.py:62
        with open(git_root / "patch.patch", "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1cec2e7ad2001ba0 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/apply_patch.py:96
                file.path.write_text(before_file_contents[key], encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5e3a011629e34eef Filesystem access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/apply_patch.py:153
                file_contents[file_path] = file.path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5a33e7e612afac77 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/git_clone.py:35
        github_access_token or os.environ.get("GITHUB_ACCESS_TOKEN", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #111e8fb9cb8d0814 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/git_clone.py:38
    if not github_access_token and os.environ.get("ALLOW_CLONE_WITHOUT_REPO") != "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3ce7b1f0bda832e1 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/filetool/actions/git_repo_tree.py:77
            with open(tree_file_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a69cc4ee7ff2f4b1 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:71
        token = metadata.get("greptile_token", os.getenv("GREPTILE_TOKEN"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1439a523757034c6 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:76
        github_token = metadata.get("github_token", os.getenv("GITHUB_TOKEN"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling reachable #10d083a353738c40 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/composio/tools/local/greptile/actions/codequery.py:107
        response = requests.post(
            "https://api.greptile.com/v2/query",
            headers=headers,
            data=json.dumps(data),
            timeout=request.timeout,
        )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling reachable #86831ddf46ed22c2 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/imageanalyser/actions/image_analyser.py:89
        with open(file_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e87e641bbaa0a078 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/imageanalyser/actions/image_analyser.py:132
            with open(media_path, "rb") as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #295428dc4edd8fdf Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/imageanalyser/actions/image_analyser.py:179
        media_model_choice = os.environ.get("MEDIA_MODEL_CHOICE", "gpt-4o")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #da80d3fa84eb46b8 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/imageanalyser/actions/image_analyser.py:216
            key = os.environ.get("OPENAI_API_KEY") or metadata.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b93394addd8d8627 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/imageanalyser/actions/image_analyser.py:220
            key = os.environ.get("ANTHROPIC_API_KEY") or metadata.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #22feff05a5c04517 Filesystem access.
pkgs/python/[email protected]/composio/tools/local/shelltool/shell_exec/actions/spawn.py:89
        pid.write_text(str(process.pid))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #aea59bd98a7fa935 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/shelltool/utils.py:23
    github_access_token = os.environ.get("GITHUB_ACCESS_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7440e40000056c05 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/shelltool/utils.py:25
        if os.environ.get("ALLOW_CLONE_WITHOUT_REPO") != "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c8bf1d1a986b76bb Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/zep/actions/add_memory.py:39
        client = Zep(api_key=os.environ.get("ZEP_API_KEY", metadata.get("api_key")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #934cdb1aa12652a6 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/zep/actions/create_session.py:39
        client = Zep(api_key=os.environ.get("ZEP_API_KEY", metadata.get("api_key")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #425fd1a05cb56623 Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/zep/actions/get_memory.py:44
        client = Zep(api_key=os.environ.get("ZEP_API_KEY", metadata.get("api_key")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ad728ee0ad9dae8d Environment-variable access.
pkgs/python/[email protected]/composio/tools/local/zep/actions/search_memory.py:51
        client = Zep(api_key=os.environ.get("ZEP_API_KEY", metadata.get("api_key")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4af0bc55faed1465 Environment-variable access.
pkgs/python/[email protected]/composio/tools/toolset.py:125
        _IS_CI = os.environ.get("CI") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2f91d64144e27225 Filesystem access.
pkgs/python/[email protected]/composio/tools/toolset.py:161
        with open(self._path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e800de38354a2729 Filesystem access.
pkgs/python/[email protected]/composio/tools/toolset.py:179
        with open(self._path, "w", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #75c1c6c780743ef4 Filesystem access.
pkgs/python/[email protected]/composio/tools/toolset.py:377
            with open(path, "w", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e721a49deb30b4a9 Filesystem access.
pkgs/python/[email protected]/composio/tools/toolset.py:381
        with open(path, "wb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #03afbaeb1c259fa2 Environment-variable access.
pkgs/python/[email protected]/composio/tools/toolset.py:1549
                or os.environ.get(ENV_COMPOSIO_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c0b9137a461155aa Environment-variable access.
pkgs/python/[email protected]/composio/tools/toolset.py:1699
        from_env = os.environ.get(f"_COMPOSIO_{ENV_GITHUB_ACCESS_TOKEN}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a139ca8d83ed3ad Environment-variable access.
pkgs/python/[email protected]/composio/utils/descope.py:55
        self.project_id = project_id or os.environ.get("DESCOPE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f0a99ba266c3ce0 Environment-variable access.
pkgs/python/[email protected]/composio/utils/descope.py:56
        self.management_key = management_key or os.environ.get("DESCOPE_MANAGEMENT_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d88dfff917d2a49 Environment-variable access.
pkgs/python/[email protected]/composio/utils/descope.py:58
            base_url or os.environ.get("DESCOPE_BASE_URL") or "https://api.descope.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53e0617ef1964d85 Environment-variable access.
pkgs/python/[email protected]/composio/utils/logging.py:20
_LOG_VERBOSITY = int(os.environ.get("COMPOSIO_LOG_VERBOSITY", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97ff4192c989307f Environment-variable access.
pkgs/python/[email protected]/composio/utils/logging.py:103
    level = os.environ.get(ENV_COMPOSIO_LOGGING_LEVEL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a899996749180357 Filesystem access.
pkgs/python/[email protected]/composio/utils/sentry.py:47
        data = json.loads(user_file.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af434494010d9ea2 Environment-variable access.
pkgs/python/[email protected]/composio/utils/sentry.py:79
    if os.environ.get("COMPOSIO_DISABLE_SENTRY", "false").lower() in ("true", "t"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a8b0e5cd0ecdfb7 Filesystem access.
pkgs/python/[email protected]/composio/utils/sentry.py:117
            data = json.loads(user_file.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faf18c67edd7ff0b Filesystem access.
pkgs/python/[email protected]/composio/utils/sentry.py:136
    user_file.write_text(json.dumps(data), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d79bb04c525e573 Environment-variable access.
pkgs/python/[email protected]/composio/utils/url.py:19
    return os.environ.get(ENV_COMPOSIO_BASE_URL) or DEFAULT_BASE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #97ee6ce769f2735d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/composio/utils/warnings.py:19
        request = requests.get(COMPOSIO_PYPI_METADATA, timeout=10.0)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #81307f28ad842143 Environment-variable access.
pkgs/python/[email protected]/composio/utils/warnings.py:30
    if os.environ.get("COMPOSIO_DISABLE_VERSION_CHECK", "false").lower() != "false":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1110e1b2630687ff Filesystem access.
pkgs/python/[email protected]/setup.py:97
    long_description=(Path(__file__).parent / "README.md").read_text(encoding="utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

crewai

python dependency
high pii_flow dependency Excluded from app score #ab8a45f73b358149 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:256 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:256 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:256
        client.auth = DigestAuth(self.username, self.password)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #99543388a9f4cc74 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/crew.py:21
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ed40022d5dd62dcd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/crew.py:22
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1f5c35cb93d138cd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/crew.py:42
    from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #127ff68f8bf258b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/crews/utils.py:9
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91921c6ca8f332d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/flow/runtime/__init__.py:35
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #277b3dbac5e67245 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/flow/runtime/__init__.py:36
from opentelemetry.context import attach, detach

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5df4651b2073f5ea Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:23
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a1714500f5cb60be Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:24
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1a0bb1e00779a453 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:27
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #55b84cdd116e7fa0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:28
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #983bc098814060f7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:29
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9c07d70d309ca9c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:33
from opentelemetry.trace import ProxyTracerProvider, Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3d741f558c748cc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/telemetry/utils.py:11
from opentelemetry.trace import Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cd81be101c54d7c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai/utilities/crew/crew_context.py:5
from opentelemetry import baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 108 low-confidence finding(s)
low env_fs dependency Excluded from app score #18302710ed9b707e Filesystem access.
pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:112
            root_certs = Path(self.ca_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fab974881fa153d Filesystem access.
pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:115
            private_key = Path(self.client_key_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45109703e95ed194 Filesystem access.
pkgs/python/[email protected]/src/crewai/a2a/auth/client_schemes.py:116
            certificate_chain = Path(self.client_cert_path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7ef7ea55366dd44 Environment-variable access.
pkgs/python/[email protected]/src/crewai/a2a/auth/server_schemes.py:151
        return os.environ.get("AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e58ba7a8895b0b3f Filesystem access.
pkgs/python/[email protected]/src/crewai/a2a/config.py:130
            return Path(self.private_key_path).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f64612af6afbe3d Environment-variable access.
pkgs/python/[email protected]/src/crewai/a2a/utils/task.py:102
_redis_url = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74d1bc543aa0546f Environment-variable access.
pkgs/python/[email protected]/src/crewai/agent/core.py:1209
            else os.getenv(CREWAI_TRAINED_AGENTS_FILE_ENV, TRAINED_AGENTS_DATA_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ba084a4b4540908 Environment-variable access.
pkgs/python/[email protected]/src/crewai/context.py:47
        token = os.getenv("CREWAI_PLATFORM_INTEGRATION_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #520454da39b22896 Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/trace_listener.py:194
            "user_id": os.getenv("CREWAI_USER_ID", "anonymous"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83e28f03154ce2bb Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/trace_listener.py:195
            "organization_id": os.getenv("CREWAI_ORG_ID", ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c563d9b2728577af Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:128
    env_value = os.getenv("CREWAI_TRACING_ENABLED", "").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d47e0e65fc26eb2 Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:188
    return os.environ.get("CREWAI_TESTING", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8e8e6a760bc770c Filesystem access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:297
                content = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96fef504b3891762 Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3160c34b7ab6b0ab Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:341
            container_id = os.environ.get(
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fc33e52efb63900 Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:342
                "HOSTNAME", os.environ.get("CONTAINER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80c0915af921fc25 Filesystem access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:380
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdd4e2e14ff5e870 Filesystem access.
pkgs/python/[email protected]/src/crewai/events/listeners/tracing/utils.py:412
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c1502df0417124 Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/utils/console_formatter.py:70
        if os.getenv("CI", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5297f81b3790e2eb Environment-variable access.
pkgs/python/[email protected]/src/crewai/events/utils/console_formatter.py:73
        if os.getenv("CREWAI_DISABLE_VERSION_CHECK", "").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65d0766ffde9ef61 Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/evaluation/experiment/result.py:42
            with open(filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #462ca55426d3d75b Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/evaluation/experiment/result.py:58
                with open(baseline_filepath, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546b8283e9acab99 Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/evaluation/experiment/result.py:73
                with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6dbe012be517daf Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/evaluation/experiment/result.py:91
            with open(baseline_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e0c121b636b8b01 Environment-variable access.
pkgs/python/[email protected]/src/crewai/experimental/skills/_flag.py:16
    return os.environ.get(ENV_VAR) == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99267e78c29656f7 Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/skills/cache.py:91
        (skill_dir / _META_FILENAME).write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1573f3e0c8c2536 Filesystem access.
pkgs/python/[email protected]/src/crewai/experimental/skills/cache.py:106
                        results.append(json.loads(meta_file.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7edad1f4cd1cfb2 Environment-variable access.
pkgs/python/[email protected]/src/crewai/experimental/skills/registry.py:76
        os.environ.get("CI") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b0269a161dc28e7 Environment-variable access.
pkgs/python/[email protected]/src/crewai/experimental/skills/registry.py:77
        or os.environ.get("CREWAI_NONINTERACTIVE") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7172aa3152ce67d0 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/flow_definition.py:824
            contents = source_path.expanduser().read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1adfb6361fc31bdc Environment-variable access.
pkgs/python/[email protected]/src/crewai/flow/runtime/_actions.py:238
        raw = os.environ.get(_ALLOW_SCRIPT_EXECUTION_ENV_VAR, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b4503adb5174df0 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/skill.py:90
    example_yaml = (_TEMPLATES_DIR / "flow_definition_example.yaml").read_text(
        encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f80d1145f175528 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/visualization/renderers/interactive.py:414
    css_content = css_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2becfa4f6b6be1d3 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/visualization/renderers/interactive.py:421
    css_output_path.write_text(css_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc851909b8900133 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/visualization/renderers/interactive.py:424
    js_content = js_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ff269c86d8aade9 Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/visualization/renderers/interactive.py:438
    js_output_path.write_text(js_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb5ffff10a83641d Filesystem access.
pkgs/python/[email protected]/src/crewai/flow/visualization/renderers/interactive.py:461
    output_path.write_text(html_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80f8413d0a492a92 Environment-variable access.
pkgs/python/[email protected]/src/crewai/knowledge/knowledge.py:66
os.environ["TOKENIZERS_PARALLELISM"] = "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ecef139330896b8 Filesystem access.
pkgs/python/[email protected]/src/crewai/knowledge/source/csv_knowledge_source.py:17
            with open(file_path, "r", encoding="utf-8") as csvfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #935d7a06118e7893 Filesystem access.
pkgs/python/[email protected]/src/crewai/knowledge/source/json_knowledge_source.py:18
            with open(path, "r", encoding="utf-8") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cca1d4a7866ad099 Filesystem access.
pkgs/python/[email protected]/src/crewai/knowledge/source/text_file_knowledge_source.py:17
            with open(path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0726ff1b23deb06 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llm.py:2484
            success_callbacks_str = os.environ.get("LITELLM_SUCCESS_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22dfa3d85581e37e Environment-variable access.
pkgs/python/[email protected]/src/crewai/llm.py:2491
            failure_callbacks_str = os.environ.get("LITELLM_FAILURE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e7cd4d6a6201d53 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/anthropic/completion.py:256
            self.api_key = os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df6645a1c7fbd11e Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:122
        data["api_key"] = data.get("api_key") or os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de880d1b460d5aee Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:125
            or os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d588f47f8f2d319c Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:126
            or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee0d7de11e526fcf Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:127
            or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81a57917bb72438f Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:130
            data.get("api_version") or os.getenv("AZURE_API_VERSION") or "2024-06-01"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b78a7eb2ca9683a8 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:164
        raw = os.getenv("AZURE_CREDENTIAL_SCOPES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfca2c86f7220430 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:271
            self.api_key = os.getenv("AZURE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #314279338c556705 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:274
                os.getenv("AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49bfafffd9ec6b46 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:275
                or os.getenv("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cf8ae5ff2090c49 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/azure/completion.py:276
                or os.getenv("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9cc68f7e439c454 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/bedrock/completion.py:275
        data["aws_access_key_id"] = data.get("aws_access_key_id") or os.getenv(
            "AWS_ACCESS_KEY_ID"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80ae67b1941ad40d Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/bedrock/completion.py:278
        data["aws_secret_access_key"] = data.get("aws_secret_access_key") or os.getenv(
            "AWS_SECRET_ACCESS_KEY"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b72b6addb99f7dc Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/bedrock/completion.py:281
        data["aws_session_token"] = data.get("aws_session_token") or os.getenv(
            "AWS_SESSION_TOKEN"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5c6d7b870f8f641 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/bedrock/completion.py:286
            or os.getenv("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #338d162075553ae7 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/bedrock/completion.py:287
            or os.getenv("AWS_REGION_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2c15d6aa9c30bda Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:84
            or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51bbc89745f7b1f8 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:85
            or os.getenv("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07e3a544d87402a9 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:87
        data["project"] = data.get("project") or os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #594723dca3024bf9 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:89
            data.get("location") or os.getenv("GOOGLE_CLOUD_LOCATION") or "us-central1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a110674bbd6d6f64 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:94
            use_vx = os.getenv("GOOGLE_GENAI_USE_VERTEXAI", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41b50c41f29c5f7f Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4668730ea1671007 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:133
                self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv(
                    "GEMINI_API_KEY"
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b5c0d284c570c52 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/gemini/completion.py:137
                self.project = os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10fea26ce30f78c1 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/openai/completion.py:250
        data["api_key"] = data.get("api_key") or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd2b78178527da18 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/openai/completion.py:364
            self.api_key = os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21225d974ae1ad35 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/openai/completion.py:374
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9d4faf1da6d38bc Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/openai_compatible/completion.py:189
        env_key = os.getenv(config.api_key_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ad4dc919daab034 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/openai_compatible/completion.py:220
            env_value = os.getenv(config.base_url_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f88c9272c4776647 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/snowflake/completion.py:93
                token = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #249a811da71f323f Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/snowflake/completion.py:114
        account_url = data.get("account_url") or os.getenv("SNOWFLAKE_ACCOUNT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53b754ca8ce1893a Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/snowflake/completion.py:122
            or os.getenv("SNOWFLAKE_ACCOUNT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6b4fc104f8c53fa Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/snowflake/completion.py:123
            or os.getenv("SNOWFLAKE_ACCOUNT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba70dddb8f7634f5 Environment-variable access.
pkgs/python/[email protected]/src/crewai/llms/providers/snowflake/completion.py:124
            or os.getenv("SNOWFLAKE_ACCOUNT_IDENTIFIER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f798eb41d886b05 Environment-variable access.
pkgs/python/[email protected]/src/crewai/memory/storage/lancedb_storage.py:68
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42a2e9250be896eb Environment-variable access.
pkgs/python/[email protected]/src/crewai/memory/storage/qdrant_edge_storage.py:104
            storage_dir = os.environ.get("CREWAI_STORAGE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b7ad3c62497a784 Filesystem access.
pkgs/python/[email protected]/src/crewai/project/crew_base.py:391
        with open(config_path, encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d05b2c6de63686a Filesystem access.
pkgs/python/[email protected]/src/crewai/project/json_loader.py:209
    return parse_jsonc(path.read_text(encoding="utf-8"), source=path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcc1a764f105aba0 Environment-variable access.
pkgs/python/[email protected]/src/crewai/rag/chromadb/config.py:61
            api_key=os.getenv("OPENAI_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46492839128e21e5 Filesystem access.
pkgs/python/[email protected]/src/crewai/skills/parser.py:89
    content = path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a8d69139d9ce4be Filesystem access.
pkgs/python/[email protected]/src/crewai/state/provider/json_provider.py:66
        with open(file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fb99c8596d089ee Filesystem access.
pkgs/python/[email protected]/src/crewai/state/provider/json_provider.py:132
        return Path(location).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #951fc41a98ee8b3b Filesystem access.
pkgs/python/[email protected]/src/crewai/state/provider/utils.py:29
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61173f70147f6c23 Environment-variable access.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:151
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #865bc2efe2f97aa5 Environment-variable access.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:152
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6a708d097a210b5 Environment-variable access.
pkgs/python/[email protected]/src/crewai/telemetry/telemetry.py:153
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0166777359d7fa68 Environment-variable access.
pkgs/python/[email protected]/src/crewai/types/callback.py:27
    raw = os.environ.get("CREWAI_DESERIALIZE_CALLBACKS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b43e39728f9e36df Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/env.py:20
    return any(os.environ.get(var) for var in CODEX_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ca315976b02366c Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/env.py:24
    return any(os.environ.get(var) for var in CURSOR_ENV_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6331e9ef428f691d Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/env.py:32
    if os.environ.get(CC_ENV_VAR):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c3bad477d04ce57 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/file_handler.py:94
                        with open(self._path, encoding="utf-8") as read_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #955e114c59d21638 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/file_handler.py:100
                    with open(self._path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9342049ad0f73366 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/file_handler.py:112
                    with open(self._path, "a", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1a0de6556b84393 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/file_handler.py:151
            with open(self.file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5008febd942ba8b Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/file_handler.py:165
                with open(self.file_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #776770438cc886e0 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/i18n.py:38
                with open(self.prompt_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94c5fd0f4494d2f5 Filesystem access.
pkgs/python/[email protected]/src/crewai/utilities/i18n.py:44
                with open(prompts_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #498832081462aac5 Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:104
        os.environ.get("MODEL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e097daad46610e6e Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:105
        or os.environ.get("MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cad9bddf23f3a57c Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:106
        or os.environ.get("OPENAI_MODEL_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4a56fc5762bb9ef Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:130
        os.environ.get("BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #133a90be6c0946d7 Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:131
        or os.environ.get("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd022a575192a89d Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:132
        or os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c01111819e22d7e Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:135
    api_base = os.environ.get("API_BASE") or os.environ.get("AZURE_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #864fd54188788544 Environment-variable access.
pkgs/python/[email protected]/src/crewai/utilities/llm_utils.py:178
                    env_value = os.environ.get(key_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

e2b

python dependency
high pii_flow dependency Excluded from app score #ec7a4408de5401d2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/__init__.py:65 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/__init__.py:66 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/__init__.py:65
limits = Limits(
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),
)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #297dcb04ef723282 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/client/client.py:232 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/client/client.py:230 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/client/client.py:232
            self._client = httpx.Client(
                base_url=self._base_url,
                cookies=self._cookies,
                headers=self._headers,
                timeout=self._timeout,
                verify=self._verify_ssl,
                follow_redirects=self._follow_redirects,
                **self._httpx_args,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d27a410760327f96 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/api/client/client.py:268 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/client/client.py:266 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/api/client/client.py:268
            self._async_client = httpx.AsyncClient(
                base_url=self._base_url,
                cookies=self._cookies,
                headers=self._headers,
                timeout=self._timeout,
                verify=self._verify_ssl,
                follow_redirects=self._follow_redirects,
                **self._httpx_args,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6c32ec3e62786229 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client/client.py:232 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client/client.py:230 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client/client.py:232
            self._client = httpx.Client(
                base_url=self._base_url,
                cookies=self._cookies,
                headers=self._headers,
                timeout=self._timeout,
                verify=self._verify_ssl,
                follow_redirects=self._follow_redirects,
                **self._httpx_args,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #f5d21f91e7afc039 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client/client.py:268 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client/client.py:266 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client/client.py:268
            self._async_client = httpx.AsyncClient(
                base_url=self._base_url,
                cookies=self._cookies,
                headers=self._headers,
                timeout=self._timeout,
                verify=self._verify_ssl,
                follow_redirects=self._follow_redirects,
                **self._httpx_args,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5e830b6b3edfd251 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:16 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:17 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:16
limits = Limits(
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),
)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0d21b965489a2386 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:15 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:16 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:15
limits = Limits(
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),
)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 25 low-confidence finding(s)
low env_fs dependency Excluded from app score #1ccb08c12cc16832 Environment-variable access.
pkgs/python/[email protected]/e2b/api/__init__.py:66
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d14fb89ae293c41 Environment-variable access.
pkgs/python/[email protected]/e2b/api/__init__.py:67
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d96095048f70711f Environment-variable access.
pkgs/python/[email protected]/e2b/api/__init__.py:68
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c6fd17166bde0da Environment-variable access.
pkgs/python/[email protected]/e2b/api/__init__.py:71
connection_retries = int(os.getenv("E2B_CONNECTION_RETRIES", "3"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec4922f29bb2ce12 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:80
        return os.getenv("E2B_DOMAIN") or "e2b.app"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24defe9d98c79ba4 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:84
        return os.getenv("E2B_DEBUG", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ae7a1a39d8d862c Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:88
        return os.getenv("E2B_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9612c1451a117a2 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:92
        return os.getenv("E2B_VALIDATE_API_KEY", "true").lower() != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe86ef2bc1d7ac36 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:96
        return os.getenv("E2B_API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ec8eaee71705936 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:100
        return os.getenv("E2B_SANDBOX_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e92564dc9e58bbd9 Environment-variable access.
pkgs/python/[email protected]/e2b/connection_config.py:104
        return os.getenv("E2B_ACCESS_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09213ac7bc8156b5 Filesystem access.
pkgs/python/[email protected]/e2b/template/dockerfile_parser.py:71
        with open(dockerfile_content_or_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7559073b012b4e4a Filesystem access.
pkgs/python/[email protected]/e2b/template/dockerfile_parser.py:81
        with open(dockerfile_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0683600126ecc9c Filesystem access.
pkgs/python/[email protected]/e2b/template/utils.py:117
    with open(dockerignore_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55030b184ca8617f Filesystem access.
pkgs/python/[email protected]/e2b/template/utils.py:251
            with open(file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2cef7f28dfb8fc6 Filesystem access.
pkgs/python/[email protected]/e2b/template/utils.py:421
        with open(
            os.path.join(context_path, path_or_content), "r", encoding="utf-8"
        ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a26bd7ad1e1fb176 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:17
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d644a7731aa17ceb Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:18
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdcecfab2dcd67d1 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_async/__init__.py:19
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6fc66f8772dca35 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:16
    max_keepalive_connections=int(os.getenv("E2B_MAX_KEEPALIVE_CONNECTIONS", "20")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cde3dc41aa94566 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:17
    max_connections=int(os.getenv("E2B_MAX_CONNECTIONS", "2000")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5a6c695f8171c90 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/client_sync/__init__.py:18
    keepalive_expiry=int(os.getenv("E2B_KEEPALIVE_EXPIRY", "300")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12c26d7137e3c604 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/connection_config.py:58
        return os.getenv("E2B_DOMAIN") or "e2b.app"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56333417127fd825 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/connection_config.py:62
        return os.getenv("E2B_DEBUG", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #297fc2d2bb5681f9 Environment-variable access.
pkgs/python/[email protected]/e2b/volume/connection_config.py:66
        return os.getenv("E2B_VOLUME_API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

firecrawl-py

python dependency
high pii_flow tooling reachable #fbf01c2a31477d33 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:20 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:10 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:20
    resp = requests.post(idmux_url + "/", json=payload)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #bac55c4e682d2d89 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:687 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:689 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:687
        response = requests.post(
            f"{self.api_url}/v1/search",
            headers={"Authorization": f"Bearer {self.api_key}"},
            json=params_dict
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #279a80ff1c82dead User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:1253 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:1255 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:1253
        response = requests.post(
            f"{self.api_url}/v1/map",
            headers={"Authorization": f"Bearer {self.api_key}"},
            json=params_dict
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #f07fdd87108b7bc6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/v1/client.py:765 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/v1/client.py:767 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/v1/client.py:765
        response = requests.post(
            f"{self.api_url}/v1/search",
            headers={"Authorization": f"Bearer {self.api_key}"},
            json=params_dict
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1b84e996b8b91707 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/firecrawl/v1/client.py:1418 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/v1/client.py:1420 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/firecrawl/v1/client.py:1418
        response = requests.post(
            f"{self.api_url}/v1/map",
            headers={"Authorization": f"Bearer {self.api_key}"},
            json=params_dict
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 115 low-confidence finding(s)
low env_fs dependency Excluded from app score #99eaf92a95b85030 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__init__.py:52
    if not (env := os.getenv("FIRECRAWL_LOGGING_LEVEL", "").upper()):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cc9ed86fb59a38e8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/conftest.py:38
    missing_vars = [var for var in required_vars if not os.getenv(var)]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cf7239e0d3e02fd0 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/conftest.py:49
    key = os.getenv("API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #124223a8154f9671 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/conftest.py:58
    url = os.getenv("API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ba6e607e7d597274 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:11
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5040bcde480a361d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:14
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9a6453abbcfc4282 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:20
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #84eb0843b2f69a40 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:35
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bda6b6b911c92347 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:80
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7531729a5975e0f5 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:87
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4784ac984d3b1cff Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:94
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #25e2151eb7f6b0f1 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:105
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #22614733ec927edd Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:113
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6e4e0936f9a659c9 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:121
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #741ec0b29626013d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:129
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f028e223325d940c Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:138
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9dc1bccc39ff4c4f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:146
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #37977e259734ca2f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:156
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ac47e866343f69c4 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:163
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #febe45d22e8b1c70 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_crawl.py:175
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9dbd8b2fc64f1d2c Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_extract.py:9
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #151eb53fe5022ce6 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_extract.py:12
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a74b42ad15448d39 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_extract.py:18
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9dfd46cc3178733f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_extract.py:25
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8467b02dd5a238c2 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_map.py:9
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b8b84e507f519938 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_map.py:12
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4bbb5bbe13370afe Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_map.py:18
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e1580799a2e3a007 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_map.py:29
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1d6705a6217dd427 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_parse.py:8
API_KEY = (os.getenv("API_KEY") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2a9c61668f3af5a7 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_parse.py:9
API_URL = (os.getenv("API_URL") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3158f30160696b7d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:10
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #61c7d600a13cd6a3 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:13
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b16f21d94e2ba295 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:19
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5f49f311376dd5c3 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:35
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #85e466ca556f2d78 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:74
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d874f694fe519618 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:86
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d2dcdb7d08176308 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:104
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #87acff08d6866365 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:123
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e294fbbbe601a250 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_scrape.py:135
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3f70292873e30798 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_search.py:17
firecrawl = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5577581d5c896b35 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:9
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #41665a2cfc69f56b Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:12
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7c4a13a23e4eb594 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:18
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e384f977c3f224c6 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:25
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f3642c08c7214d55 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:32
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cb5ff6b317e08881 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_usage.py:39
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1ddcd82ca6001ac8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_watcher.py:11
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0f3cfe3cf3b101d2 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_watcher.py:14
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #09c71ea2ddc3fe27 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_watcher.py:20
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #92a436e48adca466 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/aio/test_aio_watcher.py:32
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5c132cbd6630de8b Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:10
    idmux_url = os.getenv("IDMUX_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eae827b45692adfa Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:13
    run_number = int(os.getenv("GITHUB_RUN_NUMBER") or 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9983b1e0eb137e7f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:15
        "refName": os.getenv("GITHUB_REF_NAME") or "local",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #22b805e9118c4516 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:28
        os.getenv("TEST_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #349b86e9f481341d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:29
        or os.getenv("FIRECRAWL_API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d5527a4a42aa5697 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:30
        or os.getenv("API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9f754151eacf0500 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:37
    os.getenv("TEST_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8cbdfe01bf43e316 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:38
    or os.getenv("FIRECRAWL_API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0542a6fb06e415f8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:39
    or os.getenv("API_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #796f507042f61e7d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:43
_IDMUX_URL = os.getenv("IDMUX_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #038e1cb95c89a5fd Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:45
    run_name = os.getenv("PYTEST_RUN_NAME") or "py-e2e"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #833003c706d42ff4 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:48
    os.environ["API_KEY"] = _IDENTITY.get("apiKey", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b13843e141e0a236 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:49
    os.environ["API_URL"] = _API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #260344250cd1d2f8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/conftest.py:53
    return _IDENTITY or {"apiKey": os.getenv("API_KEY") or "", "teamId": os.getenv("TEST_TEAM_ID") or os.getenv("TEAM_ID") or ""}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cc54760f29aa2041 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:12
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #787d084285f2eb09 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:15
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #499b33911f48c935 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:21
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b71528927dc36dbb Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:30
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #494f87342ad5a97d Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:46
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1c80f22e1da16044 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_async.py:64
    client = AsyncFirecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cdfb300a0f4101a8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_batch_scrape.py:10
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #37ece7d49ee83e06 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_batch_scrape.py:13
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #baa7f963d96c372c Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_batch_scrape.py:21
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3669e94a30e76f3f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_crawl.py:10
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #119152237dffd026 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_crawl.py:13
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1e3f21a8988f8670 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_crawl.py:21
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #67a8041a1fa3f161 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_extract.py:7
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4fce4bf7eb146ea6 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_extract.py:10
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #16009832c89064a1 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_extract.py:18
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cfcab968a6dc47b5 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_map.py:8
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #98fd22f41a8f1704 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_map.py:11
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #81b1003d46d523d7 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_map.py:22
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8e90b23edf36eb02 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_parse.py:8
API_KEY = (os.getenv("API_KEY") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9ac30846e927c334 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_parse.py:9
API_URL = (os.getenv("API_URL") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d80976c7b2a8c03f Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_scrape.py:11
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6aa59b72e836e240 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_scrape.py:14
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7f816d94f25f2c39 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_scrape.py:22
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f39c7df008cbbceb Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_search.py:8
firecrawl = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d1f6f17016e1bf8a Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_usage.py:11
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ff34edc2a2009aa5 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_watcher.py:8
if not os.getenv("API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b9a3b887e4774e62 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_watcher.py:11
if not os.getenv("API_URL"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3d0f3aafd5259cbd Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/e2e/v2/test_watcher.py:18
        self.client = Firecrawl(api_key=os.getenv("API_KEY"), api_url=os.getenv("API_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b6d07cc0a1edc2f8 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:14
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d791e70ee6b29900 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:96
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ea134649c7058f11 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:169
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #487e3eacb4e8577e Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:306
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f5672a7167e3c998 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:434
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #baaf8533f1ed13af Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:523
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #28a62f31c35a8ddc Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:594
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #12704c5fa359acac Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:638
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #50d2a4bb78dbf8aa Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:750
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ed13fd6e8ec527b0 Environment-variable access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/test_recursive_schema_v1.py:839
        self.app = V1FirecrawlApp(api_key=os.environ.get('TEST_API_KEY', 'test-key'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #480a0ba61f47e95f Filesystem access.
pkgs/python/[email protected]/firecrawl/__tests__/unit/v2/methods/test_parse_request_preparation.py:41
        file_path.write_text("<html><body>Path Upload</body></html>")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f6094439ae0186f Filesystem access.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:32
      version_file = Path(os.path.join(package_path, '__init__.py')).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fb4587134068296 Environment-variable access.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:447
        self.api_key = api_key or os.getenv('FIRECRAWL_API_KEY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4136437d17fef23 Environment-variable access.
pkgs/python/[email protected]/firecrawl/firecrawl.backup.py:448
        self.api_url = api_url or os.getenv('FIRECRAWL_API_URL', 'https://api.firecrawl.dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a59b5c783d0e860 Filesystem access.
pkgs/python/[email protected]/firecrawl/v1/client.py:33
      version_file = Path(os.path.join(package_path, '__init__.py')).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66c8f5c664007c85 Environment-variable access.
pkgs/python/[email protected]/firecrawl/v1/client.py:529
        self.api_key = api_key or os.getenv('FIRECRAWL_API_KEY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9505221fc242371e Environment-variable access.
pkgs/python/[email protected]/firecrawl/v1/client.py:530
        self.api_url = api_url or os.getenv('FIRECRAWL_API_URL', 'https://api.firecrawl.dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3747c64bf18800f5 Environment-variable access.
pkgs/python/[email protected]/firecrawl/v2/client.py:115
            api_key = os.getenv("FIRECRAWL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37bfcac927007e16 Environment-variable access.
pkgs/python/[email protected]/firecrawl/v2/client_async.py:83
            api_key = os.getenv("FIRECRAWL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2846943a8aee084e Filesystem access.
pkgs/python/[email protected]/firecrawl/v2/methods/parse.py:91
        file_bytes = file_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcbba848cc8992cb Filesystem access.
pkgs/python/[email protected]/firecrawl/v2/utils/get_version.py:8
        version_file = (package_path / "__init__.py").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f9da056e221210d Filesystem access.
pkgs/python/[email protected]/setup.py:7
long_description_content = (this_directory / "README.md").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c373ad351169577 Filesystem access.
pkgs/python/[email protected]/setup.py:12
    version_file = (this_directory / "firecrawl" / "__init__.py").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mem0ai

python dependency
high pii_flow dependency Excluded from app score #62ac9dffdc0d5f37 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:128 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:105 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:128
            self.client = httpx.Client(
                base_url=self.host,
                headers={
                    "Authorization": f"Token {self.api_key}",
                    "Mem0-User-ID": self.user_id,
                },
                timeout=300,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #03b10e9f13f27725 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:1015 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:992 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:1015
            self.async_client = httpx.AsyncClient(
                base_url=self.host,
                headers={
                    "Authorization": f"Token {self.api_key}",
                    "Mem0-User-ID": self.user_id,
                },
                timeout=300,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5695a6a4fb7882d5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/client/main.py:1041 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:1044 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/client/main.py:1041
            response = requests.get(
                f"{self.host}/v1/ping/",
                headers={
                    "Authorization": f"Token {self.api_key}",
                    "Mem0-User-ID": self.user_id,
                },
                params=params,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #fd6a1a6aaf7b2a01 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/mem0/llms/sarvam.py:81 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/llms/sarvam.py:47 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/mem0/llms/sarvam.py:81
            response = requests.post(url, headers=headers, json=params, timeout=30)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #cd8af4c3ec9a2ca0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/mem0/memory/telemetry.py:9
from posthog import Posthog

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 78 low-confidence finding(s)
low env_fs dependency Excluded from app score #cec3eb8e239fd68a Environment-variable access.
pkgs/python/[email protected]/mem0/client/main.py:105
        self.api_key = api_key or os.getenv("MEM0_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #785ef9bf100d5bc2 Environment-variable access.
pkgs/python/[email protected]/mem0/client/main.py:992
        self.api_key = api_key or os.getenv("MEM0_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43de520183c4b03b Environment-variable access.
pkgs/python/[email protected]/mem0/configs/base.py:13
mem0_dir = os.environ.get("MEM0_DIR") or os.path.join(home_dir, ".mem0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7f4856e9a07254c Environment-variable access.
pkgs/python/[email protected]/mem0/configs/embeddings/base.py:111
        self.aws_region = aws_region or os.environ.get("AWS_REGION") or "us-west-2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83ec623ae239a310 Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/aws_bedrock.py:58
        self.aws_region = aws_region or os.getenv("AWS_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fb1ddecc1e66b50 Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/aws_bedrock.py:101
            config["aws_access_key_id"] = self.aws_access_key_id or os.getenv("AWS_ACCESS_KEY_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6c7bf598384660d Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/aws_bedrock.py:104
            config["aws_secret_access_key"] = self.aws_secret_access_key or os.getenv("AWS_SECRET_ACCESS_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f84bab98a3b275c Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/aws_bedrock.py:107
            config["aws_session_token"] = self.aws_session_token or os.getenv("AWS_SESSION_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebe79565e65527ab Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/aws_bedrock.py:110
            config["profile_name"] = self.aws_profile or os.getenv("AWS_PROFILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1861be66dd4d439d Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/gemini.py:61
            vertexai = os.getenv("GOOGLE_GENAI_USE_VERTEXAI", "").lower() in ("true", "1", "yes")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14d406b608eb00ec Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/gemini.py:63
        self.project = project or os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fca89efa6aa3a680 Environment-variable access.
pkgs/python/[email protected]/mem0/configs/llms/gemini.py:64
        self.location = location or os.getenv("GOOGLE_CLOUD_LOCATION", "us-central1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db830074b2c27298 Environment-variable access.
pkgs/python/[email protected]/mem0/configs/vector_stores/pinecone.py:27
        if not api_key and not client and "PINECONE_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb549aa5d7474c65 Environment-variable access.
pkgs/python/[email protected]/mem0/configs/vector_stores/turbopuffer.py:26
        if not api_key and "TURBOPUFFER_API_KEY" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9301bf29ff5bc6dc Environment-variable access.
pkgs/python/[email protected]/mem0/configs/vector_stores/upstash_vector.py:27
        url = values.get("url") or os.environ.get("UPSTASH_VECTOR_REST_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aabe0ca0ac3bc8c Environment-variable access.
pkgs/python/[email protected]/mem0/configs/vector_stores/upstash_vector.py:28
        token = values.get("token") or os.environ.get("UPSTASH_VECTOR_REST_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26229944d931fceb Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/aws_bedrock.py:28
        aws_access_key = os.environ.get("AWS_ACCESS_KEY_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c7cba742e41698c Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/aws_bedrock.py:29
        aws_secret_key = os.environ.get("AWS_SECRET_ACCESS_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #596f467bd2edc7c5 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/aws_bedrock.py:30
        aws_session_token = os.environ.get("AWS_SESSION_TOKEN", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a294e25bdfc360fb Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/azure_openai.py:17
        api_key = self.config.azure_kwargs.api_key or os.getenv("EMBEDDING_AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e61dd5a21a92fad Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/azure_openai.py:18
        azure_deployment = self.config.azure_kwargs.azure_deployment or os.getenv("EMBEDDING_AZURE_DEPLOYMENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f9771506fc8178b Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/azure_openai.py:19
        azure_endpoint = self.config.azure_kwargs.azure_endpoint or os.getenv("EMBEDDING_AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86e56e14237d3f21 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/azure_openai.py:20
        api_version = self.config.azure_kwargs.api_version or os.getenv("EMBEDDING_AZURE_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fda0e583b799febe Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/gemini.py:18
        api_key = self.config.api_key or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28142ff0d8041976 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/openai.py:21
        api_key = self.config.api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #216e8a283879e472 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/openai.py:24
            or os.getenv("OPENAI_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0130dde9e0ba1e90 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/openai.py:25
            or os.getenv("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3de5d014aacbcd3 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/openai.py:28
        if os.environ.get("OPENAI_API_BASE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #265aa1037be6d8d2 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/together.py:15
        api_key = self.config.api_key or os.getenv("TOGETHER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d56345b1f75b921 Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/vertexai.py:36
                os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = credentials_path

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37dc2badefae2a1b Environment-variable access.
pkgs/python/[email protected]/mem0/embeddings/vertexai.py:37
            elif not os.getenv("GOOGLE_APPLICATION_CREDENTIALS"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #defd8a50d5be2d1e Environment-variable access.
pkgs/python/[email protected]/mem0/llms/anthropic.py:40
        api_key = self.config.api_key or os.getenv("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59daf778002679cb Environment-variable access.
pkgs/python/[email protected]/mem0/llms/anthropic.py:41
        base_url = self.config.anthropic_base_url or os.getenv("ANTHROPIC_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2d9c6bfd480655e Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai.py:46
        api_key = self.config.azure_kwargs.api_key or os.getenv("LLM_AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3e31a1f982a7b07 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai.py:47
        azure_deployment = self.config.azure_kwargs.azure_deployment or os.getenv("LLM_AZURE_DEPLOYMENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e76fd7fa1d9a4b7b Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai.py:48
        azure_endpoint = self.config.azure_kwargs.azure_endpoint or os.getenv("LLM_AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6fac2ccc1db65d7 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai.py:49
        api_version = self.config.azure_kwargs.api_version or os.getenv("LLM_AZURE_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #480f2c0c9b8c62b7 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai_structured.py:24
        api_key = self.config.azure_kwargs.api_key or os.getenv("LLM_AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee641c46479d58ec Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai_structured.py:25
        azure_deployment = self.config.azure_kwargs.azure_deployment or os.getenv("LLM_AZURE_DEPLOYMENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37e7538a1df2f10f Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai_structured.py:26
        azure_endpoint = self.config.azure_kwargs.azure_endpoint or os.getenv("LLM_AZURE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af6ef5d50dbfca10 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/azure_openai_structured.py:27
        api_version = self.config.azure_kwargs.api_version or os.getenv("LLM_AZURE_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27e4f09bf18e8d23 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/deepseek.py:39
        api_key = self.config.api_key or os.getenv("DEEPSEEK_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f9d1a57e953e2b0 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/deepseek.py:40
        base_url = self.config.deepseek_base_url or os.getenv("DEEPSEEK_API_BASE") or "https://api.deepseek.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be27a14f4c2a8ef8 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/gemini.py:42
            api_key = self.config.api_key or os.getenv("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dd754bd3ff56e25 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/groq.py:25
        api_key = self.config.api_key or os.getenv("GROQ_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #974dd0391bb2eb15 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/minimax.py:39
        api_key = self.config.api_key or os.getenv("MINIMAX_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #569d17ae01fd7f4c Environment-variable access.
pkgs/python/[email protected]/mem0/llms/minimax.py:42
            or os.getenv("MINIMAX_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c947f72505ca32f Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:42
        if os.environ.get("OPENROUTER_API_KEY"):  # Use OpenRouter

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba7ac7fa1082152a Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:44
                api_key=os.environ.get("OPENROUTER_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a5f2565cc7aba96 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:46
                or os.getenv("OPENROUTER_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #262258589aa83e08 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:50
            api_key = self.config.api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4e011f8024476d1 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:51
            base_url = self.config.openai_base_url or os.getenv("OPENAI_BASE_URL") or "https://api.openai.com/v1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2bc482f9d53f8da Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai.py:113
        if os.getenv("OPENROUTER_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8541bb428e107d6b Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai_structured.py:17
        api_key = self.config.api_key or os.getenv("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83de8fdf76b5b4eb Environment-variable access.
pkgs/python/[email protected]/mem0/llms/openai_structured.py:18
        base_url = self.config.openai_base_url or os.getenv("OPENAI_API_BASE") or "https://api.openai.com/v1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4dbdfcde4072334 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/sarvam.py:19
        self.api_key = self.config.api_key or os.getenv("SARVAM_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f0fe219958f2027 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/sarvam.py:28
            getattr(self.config, "sarvam_base_url", None) or os.getenv("SARVAM_API_BASE") or "https://api.sarvam.ai/v1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc05021a6c91affa Environment-variable access.
pkgs/python/[email protected]/mem0/llms/together.py:22
        api_key = self.config.api_key or os.getenv("TOGETHER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #879e736da756d79f Environment-variable access.
pkgs/python/[email protected]/mem0/llms/vllm.py:39
        self.config.api_key = self.config.api_key or os.getenv("VLLM_API_KEY") or "vllm-api-key"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #858848784f214017 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/vllm.py:40
        base_url = self.config.vllm_base_url or os.getenv("VLLM_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ab7c94179db5c72 Environment-variable access.
pkgs/python/[email protected]/mem0/llms/xai.py:39
        api_key = self.config.api_key or os.getenv("XAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b6868acab74173c Environment-variable access.
pkgs/python/[email protected]/mem0/llms/xai.py:40
        base_url = self.config.xai_base_url or os.getenv("XAI_API_BASE") or "https://api.x.ai/v1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83a45a74143a7438 Environment-variable access.
pkgs/python/[email protected]/mem0/memory/setup.py:11
mem0_dir = os.environ.get("MEM0_DIR") or os.path.join(home_dir, ".mem0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a8b784df834c5ba Filesystem access.
pkgs/python/[email protected]/mem0/memory/setup.py:27
        with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbee23e544fc008b Environment-variable access.
pkgs/python/[email protected]/mem0/memory/telemetry.py:14
MEM0_TELEMETRY = os.environ.get("MEM0_TELEMETRY", "True")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c684491dc7e4f04 Environment-variable access.
pkgs/python/[email protected]/mem0/memory/telemetry.py:48
MEM0_TELEMETRY_SAMPLE_RATE = _parse_sample_rate(os.environ.get("MEM0_TELEMETRY_SAMPLE_RATE", str(_DEFAULT_SAMPLE_RATE)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0171fdf8649bee3a Environment-variable access.
pkgs/python/[email protected]/mem0/reranker/cohere_reranker.py:30
        self.api_key = config.api_key or os.getenv("COHERE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f914d6b5794b8f36 Environment-variable access.
pkgs/python/[email protected]/mem0/reranker/zero_entropy_reranker.py:30
        self.api_key = config.api_key or os.getenv("ZERO_ENTROPY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b04e786d6780e15d Filesystem access.
pkgs/python/[email protected]/mem0/utils/gcp_auth.py:60
            with open(credentials_path, 'r') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d35e9c7ff3f17ab1 Environment-variable access.
pkgs/python/[email protected]/mem0/utils/gcp_auth.py:65
        elif os.getenv("GOOGLE_APPLICATION_CREDENTIALS"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b461c3b2b3e15c6a Environment-variable access.
pkgs/python/[email protected]/mem0/utils/gcp_auth.py:66
            env_path = os.getenv("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfc7d7a58e0d6331 Filesystem access.
pkgs/python/[email protected]/mem0/utils/gcp_auth.py:72
                with open(env_path, 'r') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d9b0c774f7bee72 Environment-variable access.
pkgs/python/[email protected]/mem0/utils/gcp_auth.py:126
        final_project_id = project_id or detected_project_id or os.getenv("GOOGLE_CLOUD_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77c1d0a344f1fc22 Filesystem access.
pkgs/python/[email protected]/mem0/vector_stores/faiss.py:76
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09f719a4cba64531 Filesystem access.
pkgs/python/[email protected]/mem0/vector_stores/faiss.py:194
                with open(json_docstore_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d61ba5d44ef9175 Filesystem access.
pkgs/python/[email protected]/mem0/vector_stores/faiss.py:245
            with open(json_docstore_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0fc77b4178bf6e8 Environment-variable access.
pkgs/python/[email protected]/mem0/vector_stores/pinecone.py:61
            api_key = api_key or os.environ.get("PINECONE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a70f066455bc99d2 Environment-variable access.
pkgs/python/[email protected]/mem0/vector_stores/turbopuffer.py:49
        api_key = api_key or os.environ.get("TURBOPUFFER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

databricks-sdk

python dependency
high pii_flow dependency Excluded from app score #f3d21392d430da93 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/config.py:602 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/config.py:600 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/config.py:602
            response = requests.get(f"{self.host}/api/2.0/preview/scim/v2/Me", headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #81d23a7dc5c75d96 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:341 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:340 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:341
    resp = requests.get(
        f"{arm}{cfg.azure_workspace_resource_id}?api-version=2018-04-01",
        headers={"Authorization": f"Bearer {token.access_token}"},
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #61785365d67cd14e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:23 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:21 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:23
        response = requests.get(endpoint, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 42 low-confidence finding(s)
low env_fs dependency Excluded from app score #9f2929a247790d28 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/config.py:565
            if attr.env and os.environ.get(attr.env):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5220406c8107342c Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/config.py:569
                    if os.environ.get(alias):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #249bdbe25dfad9bd Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/config.py:731
            value = os.environ.get(attr.env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #234632b16aad8e43 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/config.py:734
                    value = os.environ.get(alias)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c398794f0f50a4b Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:159
    if "DATABRICKS_RUNTIME_VERSION" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8c16bd0926988e4 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:203
    if "DATABRICKS_RUNTIME_VERSION" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e84e5b8c29446885 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:538
    if "ACTIONS_ID_TOKEN_REQUEST_TOKEN" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3774c040f3caf8c9 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:593
        with io.open(cfg.google_credentials, "r", encoding="utf-8") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe7c93861997b868 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:1195
        for dir in os.getenv("PATH", default="").split(os.path.pathsep):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef5f33d1d34aa1b5 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:1329
            os.environ.get("IS_IN_DB_MODEL_SERVING_ENV")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6738b8b24c69a78a Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:1330
            or os.environ.get("IS_IN_DATABRICKS_MODEL_SERVING_ENV")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc4c53729004b5df Filesystem access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:1343
            with open(ModelServingAuthProvider._MODEL_DEPENDENCY_OAUTH_TOKEN_FILE_PATH) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02e7d370fd8ad1c6 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/credentials_provider.py:1379
        host = os.environ.get("DATABRICKS_MODEL_SERVING_HOST_URL") or os.environ.get("DB_MODEL_SERVING_HOST_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ced2f87196f2023 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/dbutils.py:275
    value = os.getenv("DATABRICKS_SOURCE_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57fb530e94c12516 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1165
        with open(destination, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67a499a576a0b695 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1204
                    with open(temp_file, "r+b") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8f7f3c311e38cd8 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1505
            with open(source_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ba39708ad7cc260 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1654
                with open(ctx.source_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #140dcc86b90d4b60 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1669
            with open(ctx.source_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcdffd615b8915ba Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1694
        with open(ctx.source_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12283d49eae96835 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/mixins/files.py:1883
                with open(part.ctx.source_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe6088c9456dc896 Filesystem access.
pkgs/python/[email protected]/databricks/sdk/oauth.py:980
            with open(self.filename, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69b5e7248bcc4fea Filesystem access.
pkgs/python/[email protected]/databricks/sdk/oauth.py:997
        with open(self.filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4adea772831c539 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc.py:78
        token = os.getenv(self.env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e742003adfd98da Filesystem access.
pkgs/python/[email protected]/databricks/sdk/oidc.py:114
            with open(self.path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce4c33066313bf96 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:17
        if "ACTIONS_ID_TOKEN_REQUEST_TOKEN" not in os.environ or "ACTIONS_ID_TOKEN_REQUEST_URL" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #785e6fbc2a63aacf Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:21
        headers = {"Authorization": f"Bearer {os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']}"}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #318e281d8fb74f42 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:22
        endpoint = f"{os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']}&audience={audience}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a87eb0dad11950e9 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:46
        self.access_token = os.environ.get("SYSTEM_ACCESSTOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daed4e1d9d9a63e7 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:47
        self.collection_uri = os.environ.get("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57f769b313d2aa80 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:48
        self.project_id = os.environ.get("SYSTEM_TEAMPROJECTID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #212ebd00904ba4ad Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:49
        self.plan_id = os.environ.get("SYSTEM_PLANID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93b9e3606bdf537f Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:50
        self.job_id = os.environ.get("SYSTEM_JOBID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35329d70f7172a28 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/oidc_token_supplier.py:51
        self.hub_name = os.environ.get("SYSTEM_HOSTTYPE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45674d8b04f5d604 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:119
    product = os.getenv("DATABRICKS_SDK_UPSTREAM")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f5cc9ca23e756e7 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:120
    version = os.getenv("DATABRICKS_SDK_UPSTREAM_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ba385f929cfbe52 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:128
    if "DATABRICKS_RUNTIME_VERSION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e98631a6d4394d Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:129
        runtime_version = os.environ["DATABRICKS_RUNTIME_VERSION"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2034e847550b08bf Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:222
            v = os.getenv(envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cdc4a9ffeeffde7 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:312
    matches = [a.product for a in _KNOWN_AGENTS if a.env_var in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4fc771e7de93387 Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:332
    v = os.environ.get("AGENT") or os.environ.get("AI_AGENT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0511cecf0992d18f Environment-variable access.
pkgs/python/[email protected]/databricks/sdk/useragent.py:362
    matches = [h.product for h in _KNOWN_META_HARNESSES if h.env_var in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

anthropic

python dependency
high pii_flow dependency Excluded from app score #88001aff54f78964 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:384 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:384 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:384
            self._owned_http_client = httpx.Client(timeout=TOKEN_EXCHANGE_TIMEOUT)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6899a0d6206bedf7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_workload.py:179 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/anthropic/lib/credentials/_workload.py:179 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/anthropic/lib/credentials/_workload.py:179
            self._http_client = httpx.Client(timeout=TOKEN_EXCHANGE_TIMEOUT)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 90 low-confidence finding(s)
low env_fs tooling reachable #0d774443f424b8bb Environment-variable access.
pkgs/python/[email protected]/examples/agents.py:9
    anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4559bc4eec1c3700 Environment-variable access.
pkgs/python/[email protected]/examples/agents_comprehensive.py:18
    anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #681a5a732b8ce376 Environment-variable access.
pkgs/python/[email protected]/examples/agents_comprehensive.py:20
    github_token = os.environ.get("GITHUB_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #864cc8c70b52a920 Filesystem access.
pkgs/python/[email protected]/examples/agents_comprehensive.py:47
    with open(skill_md_path, "rb") as skill_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #efe7c43f972ec9f1 Environment-variable access.
pkgs/python/[email protected]/examples/agents_with_files.py:10
    anthropic = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #dd93c30227ee4c24 Environment-variable access.
pkgs/python/[email protected]/examples/managed-agents-observe-tool-calls.py:46
    val = os.environ.get(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9be18dc82f16c270 Environment-variable access.
pkgs/python/[email protected]/examples/managed-agents-observe-tool-calls.py:64
    workdir = os.environ.get("ANTHROPIC_WORKDIR", ".")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c018016610b87be4 Environment-variable access.
pkgs/python/[email protected]/examples/managed-agents-self-hosted-sandbox-worker.py:48
    val = os.environ.get(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e5958591a0bdc6c8 Environment-variable access.
pkgs/python/[email protected]/examples/managed-agents-self-hosted-sandbox-worker.py:60
    workdir = os.environ.get("ANTHROPIC_WORKDIR", ".")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2d320dc3dd0718f7 Environment-variable access.
pkgs/python/[email protected]/examples/workload_identity.py:70
        identity_token_provider=lambda: os.environ["ANTHROPIC_IDENTITY_TOKEN"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48cc4f77fd146c0c Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:107
    if api_key is not None and os.environ.get("ANTHROPIC_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67f5818d6d0d0031 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:109
    if auth_token is not None and os.environ.get("ANTHROPIC_AUTH_TOKEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fb7814dad3d7ddb Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:214
            api_key = os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42dddd2a2beace1d Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:215
            auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb3a5ff38f02453f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:221
            webhook_key = os.environ.get("ANTHROPIC_WEBHOOK_SIGNING_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59198cd0b754fbe5 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:225
            base_url = os.environ.get("ANTHROPIC_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec6dc4515930367 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:234
        custom_headers_env = os.environ.get("ANTHROPIC_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17056cf53bbdd41f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:631
            api_key = os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b736da076dd50d5 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:632
            auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ae537b0b7ab8854 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:638
            webhook_key = os.environ.get("ANTHROPIC_WEBHOOK_SIGNING_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18fe20e35d2c3408 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:642
            base_url = os.environ.get("ANTHROPIC_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #944e83002fb91927 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:651
        custom_headers_env = os.environ.get("ANTHROPIC_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17bf512389301947 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:69
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a232383715e01f7 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:81
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52827da3ea2693e5 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:111
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e015069d8c2b6db Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:123
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6f5c3b4bf7356ec Filesystem access.
pkgs/python/[email protected]/src/anthropic/_legacy_response.py:464
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca4a287785af060 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_legacy_response.py:477
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1992496209a27281 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_models.py:120
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6928e8a1ef557249 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_response.py:537
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed49657f3449230f Filesystem access.
pkgs/python/[email protected]/src/anthropic/_response.py:579
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d9aedc643dd4e55 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_utils/_logs.py:17
    env = os.environ.get("ANTHROPIC_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6594a5157e0ef2b Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_transform.py:250
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24b0dfb0d24b1658 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_transform.py:418
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53e7d104fd13603f Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_utils.py:379
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ea23f02f5606821 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/_files.py:25
        files.append((path.relative_to(relative_to).as_posix(), path.read_bytes()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da45f395fa9e50a7 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/_files.py:42
        files.append((path.relative_to(relative_to).as_posix(), await path.read_bytes()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee932b144bd12759 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/aws/_credentials.py:25
        value = os.environ.get(var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1386431253e12db Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/aws/_credentials.py:90
    return os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41928fa48a2d43fb Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:77
    aws_region = os.environ.get("AWS_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e6556f4159c9524 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:165
            api_key = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8026c12ce9e78e6 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:190
            base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7499b2ea981c1edc Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:345
            api_key = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4de92ac491f46cc8 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:370
            base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a3a38fbbd68d072 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_mantle.py:144
        base_url = os.environ.get("ANTHROPIC_BEDROCK_MANTLE_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #091ec2f5c4d18a22 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:33
    federation_rule_id = os.environ.get(ENV_FEDERATION_RULE_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36e9b901f7a7dcd9 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:34
    organization_id = os.environ.get(ENV_ORGANIZATION_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aff72f614c5b3297 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:35
    has_literal_token = ENV_IDENTITY_TOKEN in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5f49424a8583662 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:50
            value = os.environ.get(ENV_IDENTITY_TOKEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ebeb08e02bc3366 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:65
        service_account_id=os.environ.get(ENV_SERVICE_ACCOUNT_ID),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e892911bafa70ae7 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:69
        workspace_id=os.environ.get(ENV_WORKSPACE_ID) or None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb555a9ea9b6233f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:70
        scope=os.environ.get(ENV_SCOPE),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecf391706c8db26f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:108
    if os.environ.get(ENV_API_KEY):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #075a4e33e8a2a81a Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:112
    auth_token = os.environ.get(ENV_AUTH_TOKEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e54a132d6a84b59 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_chain.py:119
    env_explicit = bool(os.environ.get(ENV_PROFILE) or os.environ.get(ENV_CONFIG_DIR))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b1b23a59ae4e5d8 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:78
    env = os.environ.get(ENV_CONFIG_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #424eea122bc538be Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:82
        appdata = os.environ.get("APPDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99b6e0e3ef0191e5 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:92
        name = (_config_dir() / "active_config").read_text(encoding="utf-8").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f268674c142781e Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:105
    env = os.environ.get(ENV_PROFILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a72df7b131a769b Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:224
    env = os.environ.get(ENV_IDENTITY_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #688d2306ecac6a9e Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:240
    if os.environ.get(ENV_PROFILE) or os.environ.get(ENV_CONFIG_DIR):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #967bf63fd1662658 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:244
    if os.environ.get(ENV_FEDERATION_RULE_ID) and os.environ.get(ENV_ORGANIZATION_ID):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66f567c3ca3be146 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_constants.py:245
        if os.environ.get(ENV_IDENTITY_TOKEN_FILE) or os.environ.get(ENV_IDENTITY_TOKEN):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5faec8ad25bbc233 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:88
            v = os.environ.get(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1023fbb25b18c98d Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:102
            v = os.environ.get(ENV_IDENTITY_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7782e1d074c18e6 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:128
        value = os.environ.get(self._env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4f18cc9d0754265 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:276
            raw = self._config_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fb70665100f7063 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:357
            raw = path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #043f01f1bae94688 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/credentials/_providers.py:692
            content = self._path.read_text(encoding="utf-8").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #010f7ea2542901c1 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/environments/_worker.py:160
    resolved = value or os.environ.get(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24e2d0bd784a4d71 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:157
        api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2798da8a5e820321 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:158
        resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f85595545f155917 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:159
        base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fcfd5701e884bf2 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:382
        api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3358fd00b4cb2162 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:383
        resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ca681c546186204 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:384
        base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fae7b9bab9710f2f Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_beta_builtin_memory_tool.py:356
        return full_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e9378a8a839fa360 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_beta_builtin_memory_tool.py:653
        return await full_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6024b4c632e64ae2 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_skills.py:138
                with zf.open(info) as src, open(target, "wb") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #29a5ab9b16762b00 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_skills.py:164
            with extracted as src, open(target, "wb") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2a0878c8a03fda6d Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/tools/agent_toolset.py:123
    return {k: v for k, v in os.environ.items() if not k.startswith("ANTHROPIC_")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f9fc125280a69bd8 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/agent_toolset.py:512
            text = target.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3aee1444ce21277a Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/agent_toolset.py:540
            target.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c9fa5b309ddb64a2 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/agent_toolset.py:570
            text = target.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #44dc6591063f45e5 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/agent_toolset.py:582
            target.write_text(updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27eecd794d62f114 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:46
        project_id = os.environ.get("ANTHROPIC_VERTEX_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac1a4ddd0cc4bb7f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:114
            region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13f2255779384247 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:121
            base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7541c31ce3c9367 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:278
            region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2b36df9ba71a566 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:285
            base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openai

python dependency
high pii_flow dependency Excluded from app score #fe5ce4058eebb1ca User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:278 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/openai/lib/azure.py:239 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/openai/lib/azure.py:278
        self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #cc610e14d07acb29 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:602 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/openai/lib/azure.py:563 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/openai/lib/azure.py:602
        self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 63 low-confidence finding(s)
low env_fs tooling reachable #495c56abab47beeb Filesystem access.
pkgs/python/[email protected]/examples/image_stream.py:30
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #02e7e3d0c140bca3 Filesystem access.
pkgs/python/[email protected]/examples/image_stream.py:41
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6809c4a7dd176d73 Environment-variable access.
pkgs/python/[email protected]/examples/realtime/azure_realtime.py:31
    endpoint = os.environ["AZURE_OPENAI_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ffbf9e0a2cf7848b Environment-variable access.
pkgs/python/[email protected]/examples/realtime/azure_realtime.py:37
    deployment_name = os.environ["AZURE_OPENAI_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a22b012eac92b6b5 Filesystem access.
pkgs/python/[email protected]/examples/uploads.py:30
    data = file.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6391ac807a7a2cb Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:158
api_type: _ApiType | None = _t.cast(_ApiType, _os.environ.get("OPENAI_API_TYPE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ac483c47024b0c6 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:160
api_version: str | None = _os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #376e658ae6b2737f Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:162
azure_endpoint: str | None = _os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3947f95252b0d1cf Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:164
azure_ad_token: str | None = _os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bc29e0e818fef9b Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:338
    return _os.environ.get("OPENAI_API_KEY") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f456204d957dd1d Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:342
    return azure_endpoint is not None or _os.environ.get("AZURE_OPENAI_API_KEY") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a811c21c645675ca Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:347
        _os.environ.get("AZURE_OPENAI_AD_TOKEN") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7351563e6246966 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:363
            azure_endpoint = _os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82c7aae9103496c0 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:366
            azure_ad_token = _os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dca7d806c7695fe1 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:369
            api_version = _os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4eabbb0bac5afa8 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:379
            if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bedf6672917d014 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:379
            if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(
                "AZURE_OPENAI_API_KEY"
            ) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e7cbda3bd01090b Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:209
                api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fe83dbab2ad4d54 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:219
            admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6e2d202f6f71e3d Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:235
            organization = os.environ.get("OPENAI_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f265d1da5f64a6db Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:239
            project = os.environ.get("OPENAI_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a60b595b8a48ac9 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:243
            webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58010ca135947b87 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:251
            base_url = os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc82b0574c7ff9f7 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:255
        custom_headers_env = os.environ.get("OPENAI_CUSTOM_HEADERS") if provider_runtime is None else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dea4109844bd9847 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:805
                api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f875c8194f3e7a21 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:815
            admin_api_key = os.environ.get("OPENAI_ADMIN_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #980470b56d51a905 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:831
            organization = os.environ.get("OPENAI_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0790214862690ccc Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:835
            project = os.environ.get("OPENAI_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11fd4a679c3f1bb0 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:839
            webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec7f151d8080013f Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:847
            base_url = os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0608334ea4d8f18 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:851
        custom_headers_env = os.environ.get("OPENAI_CUSTOM_HEADERS") if provider_runtime is None else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dc08f98958d8af5 Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:69
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edede7f2174d921c Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:81
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd2ad5953bd2a32d Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:111
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af8b46fc2b5fa9ae Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:123
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8fc21adf1138a8e Filesystem access.
pkgs/python/[email protected]/src/openai/_legacy_response.py:441
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db2e470a1a001814 Filesystem access.
pkgs/python/[email protected]/src/openai/_legacy_response.py:454
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63ccc62986ad5e7c Environment-variable access.
pkgs/python/[email protected]/src/openai/_models.py:129
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aee74e2c011dca9 Filesystem access.
pkgs/python/[email protected]/src/openai/_response.py:513
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89d46f510793bede Filesystem access.
pkgs/python/[email protected]/src/openai/_response.py:555
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06c9a7cb57f96ec9 Environment-variable access.
pkgs/python/[email protected]/src/openai/_utils/_logs.py:23
    env = os.environ.get("OPENAI_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f34f778f77092be Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff73aa32359568ed Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #351d89f3f1d78f8e Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_utils.py:383
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf480090fe08b3aa Filesystem access.
pkgs/python/[email protected]/src/openai/auth/_workload.py:58
            with open(token_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6273419d077db53 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/_bedrock_auth.py:172
        region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d80d4b6e923f89e7 Filesystem access.
pkgs/python/[email protected]/src/openai/lib/_validators.py:485
                with open(fname, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45f30b5b7ccf4db6 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:214
            api_key = os.environ.get("AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #747d6ad249ae7eaf Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:217
            azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e28b1035332494bd Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:225
            api_version = os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bca6dd3ab75adb68 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:239
                azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31ef082728654b6f Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:538
            api_key = os.environ.get("AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c45ebdaecc1af2c Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:541
            azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a420f07fb3a5ccb2 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:549
            api_version = os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7b3344d0f50c9d6 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:563
                azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #729d6ed401a5230a Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/bedrock.py:70
    configured = region or os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb5211ed84e8bfb8 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/bedrock.py:80
    environment_base_url = os.environ.get("AWS_BEDROCK_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0905294083f36381 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/bedrock.py:105
    token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6586a7885ab2cfd6 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/bedrock.py:150
    environment_token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e15fd6149d045bc Environment-variable access.
pkgs/python/[email protected]/src/openai/providers/bedrock.py:248
            token = os.environ.get("AWS_BEARER_TOKEN_BEDROCK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #404fe804b5f43b5d Environment-variable access.
pkgs/python/[email protected]/src/openai/providers/bedrock.py:331
            os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de5b82d4821653f Environment-variable access.
pkgs/python/[email protected]/src/openai/providers/bedrock.py:338
        environment_base_url = _normalize_optional_string(os.environ.get("AWS_BEDROCK_BASE_URL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #431c566c40c8d67b Environment-variable access.
pkgs/python/[email protected]/src/openai/providers/bedrock.py:391
        and bool(os.environ.get("AWS_BEARER_TOKEN_BEDROCK"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tavily-python

python dependency
high pii_flow dependency Excluded from app score #72db86f93ca32a1b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/tavily/async_tavily.py:113 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/tavily/async_tavily.py:106 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/tavily/async_tavily.py:113
                {scheme: httpx.AsyncHTTPTransport(proxy=proxy) for scheme, proxy in mapped_proxies.items()}

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #87647e3580d2f9d5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/tavily/async_tavily.py:118 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/tavily/async_tavily.py:59 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/tavily/async_tavily.py:118
            self._client = httpx.AsyncClient(
                headers=default_headers,
                base_url=self._api_base_url,
                mounts=proxy_mounts
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #32c76b5f026a9474 Filesystem access.
pkgs/python/[email protected]/setup.py:3
with open('README.md', 'r', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6eb280974e185441 Environment-variable access.
pkgs/python/[email protected]/tavily/async_tavily.py:59
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ad9b77871ffe8a7 Environment-variable access.
pkgs/python/[email protected]/tavily/async_tavily.py:65
        tavily_project = project_id or os.getenv("TAVILY_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d02f6c35948fbff1 Environment-variable access.
pkgs/python/[email protected]/tavily/async_tavily.py:66
        tavily_org = org_id or os.getenv("TAVILY_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6990b4bc5f72d22 Environment-variable access.
pkgs/python/[email protected]/tavily/async_tavily.py:106
                "http://": proxies.get("http", os.getenv("TAVILY_HTTP_PROXY")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26a8f7a28569f157 Environment-variable access.
pkgs/python/[email protected]/tavily/async_tavily.py:107
                "https://": proxies.get("https", os.getenv("TAVILY_HTTPS_PROXY")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f16189f72eb935b Environment-variable access.
pkgs/python/[email protected]/tavily/tavily.py:59
            api_key = os.getenv("TAVILY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb5d6679ac4af61d Environment-variable access.
pkgs/python/[email protected]/tavily/tavily.py:64
            "http": proxies.get("http") if proxies else os.getenv("TAVILY_HTTP_PROXY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc2970b132ad863a Environment-variable access.
pkgs/python/[email protected]/tavily/tavily.py:65
            "https": proxies.get("https") if proxies else os.getenv("TAVILY_HTTPS_PROXY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aecfc59218d0324b Environment-variable access.
pkgs/python/[email protected]/tavily/tavily.py:69
        tavily_project = project_id or os.getenv("TAVILY_PROJECT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26a58ed2b63401a6 Environment-variable access.
pkgs/python/[email protected]/tavily/tavily.py:70
        tavily_org = org_id or os.getenv("TAVILY_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

crewai-cli

python dependency
high pii_flow dependency Excluded from app score #34a139ecc3d0c18b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:551 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:550 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:551
    response = httpx.get(
        url,
        headers=headers,
        params=params,
        timeout=_TIMEOUT,
        verify=ssl_config,
        follow_redirects=True,
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 73 low-confidence finding(s)
low env_fs dependency Excluded from app score #e86f44683f1d2256 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/checkpoint_cli.py:85
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9e0ca84249a136c Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/checkpoint_cli.py:233
            with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18d6464ebfff50f6 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/checkpoint_cli.py:254
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9aa1d8395260919 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/checkpoint_cli.py:265
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b214b9fa2cd41faa Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:694
    if os.environ.get("CREWAI_EXPERIMENTAL") != "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e3c4d1234d9405f Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:956
    crewai_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b566a4deb9ac8aa Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:970
    crewai_testing = os.getenv("CREWAI_TESTING", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebe61532c90fc399 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:974
    crewai_user_id = os.getenv("CREWAI_USER_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e5e4ad0b62a6fa1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:978
    crewai_org_id = os.getenv("CREWAI_ORG_ID", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #418ad65c31f5341f Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/cli.py:1072
    env_enabled = os.getenv("CREWAI_TRACING_ENABLED", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f78bf0c2df1e74f7 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_crew.py:32
    with open(template_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #870569cd8b6d6a49 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:47
    with open(project_root / ".env", "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84a0cb440efe37ae Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:70
            with open(src_file, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f47a4d6e90cf70d2 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:83
        with open(dst_file, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cd82dc6f5eb0bd9 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:142
        content = src_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6795b4bc0782b9c2 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:149
        dst_file.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00dbf534e8b57f10 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:151
    (project_root / ".env").write_text("OPENAI_API_KEY=YOUR_API_KEY", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bb31cf216a2f46a Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:152
    (package_root / "__init__.py").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79ccf766ebc7797d Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_flow.py:154
        (package_root / folder / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2c7dc6f8c835932 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:830
    path.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba04b8b4e73f2622 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:932
    (folder_path / "pyproject.toml").write_text(
        _render_json_crew_template(
            "pyproject.toml",
            {
                "folder_name": folder_name,
                "name": name,
                "crewai_tools_dependency": get_crewai_tools_dependency(),
            },
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #511ec6e1f349b0a0 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:945
    (folder_path / ".gitignore").write_text(
        _render_json_crew_template(".gitignore"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9b2a5634b4235ee Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:951
    (folder_path / "README.md").write_text(
        _render_json_crew_template("README.md", {"name": name}),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc51d89ea74b3d0d Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:957
    (folder_path / "knowledge" / "user_preference.txt").write_text(
        _render_json_crew_template("knowledge/user_preference.txt"),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32e12a8c3d39c593 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/create_json_crew.py:963
    (folder_path / "skills" / ".gitkeep").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e84445919b2185cf Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/crew_run_tui.py:67
            content = env_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #608c0f53a79e1402 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/crew_run_tui.py:71
            env_file.write_text(f"{content}{sep}{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f668d3d605aca6da Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/crew_run_tui.py:73
            env_file.write_text(f"{key}=true\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3efdb9a9a5996bb7 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:286
            referenced.update(pattern.findall(crew_path.read_text(errors="ignore")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #278fc951a2e0aee1 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:296
                    pattern.findall(agent_path.read_text(errors="ignore"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a9b0b7451f0c8e7 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:305
                text = py_path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0e78f170a661233 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:321
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #978257525f2de009 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:332
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d548e4b6ec435340 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:873
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e56d43193d951596 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:880
                text = path.read_text(encoding="utf-8", errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ba8ca2f0dd85cae Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:888
            for line in env_file.read_text(errors="ignore").splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c412f5cc09bff89 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:899
            and var not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a79483df4c64ab3c Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/deploy/validate.py:931
            text = lockfile.read_text(errors="ignore")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bf264fdf748fdf6 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/experimental/skills/main.py:66
        skill_md.write_text(_SKILL_MD_TEMPLATE.format(name=name))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70d3e02d6d59a2f6 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/experimental/skills/main.py:173
                (cache_dir / ".crewai_meta.json").write_text(json.dumps(meta, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71571f1b1e3bbc75 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/experimental/skills/main.py:189
            frontmatter = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bea02db418c3158 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/experimental/skills/main.py:280
                            meta = json.loads(meta_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4fa81dc3a877496 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/experimental/skills/main.py:371
            fm = self._parse_frontmatter(skill_md.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14b2eadb9b4d9028 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/git.py:166
        existing = exclude_file.read_text() if exclude_file.exists() else ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d5ace35ce0e4a76 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/git.py:178
        exclude_file.write_text(
            f"{existing}{prefix}# CrewAI deploy auto-commit excludes\n{patterns}\n"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6aad1a4baf8eb68 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:79
        value = os.environ.get(env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bbcee7e062b6b1e Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:302
        os.environ.get("OLLAMA_API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c398a128a536fe8b Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:303
        or os.environ.get("API_BASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4826d38df150eb71 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:304
        or os.environ.get("OLLAMA_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d5791d4ffe95633 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:414
        cache_file.write_text(json.dumps(data), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d321488884291787 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:550
    ssl_config = os.environ.get("SSL_CERT_FILE") or certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85cc6b90bfb8062e Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:585
        data: dict[str, Any] = json.loads(path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e6b434ee988c03d Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/model_catalog.py:673
        cache_file.write_text(json.dumps(payload), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6c9e92f1b989858 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/provider.py:149
        with open(cache_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf5d1133376f880c Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/provider.py:165
    ssl_config = os.environ["SSL_CERT_FILE"] = certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #218631a01e09ced5 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/provider.py:171
            with open(cache_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #b27b1633af29a3e6 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_cli/remote_template/main.py:166
                response = httpx.get(url, params=params, timeout=15)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #55aecca6006903fe Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/remote_template/main.py:249
                    with zf.open(member) as src, open(target, "wb") as dst:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1aa1f225fc54001a Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/run_crew.py:321
        os.environ[CREWAI_TRAINED_AGENTS_FILE_ENV] = trained_agents_file

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74aa96d1ba7a7631 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/run_declarative_flow.py:319
    return os.environ.get("UV_RUN_RECURSION_DEPTH") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5454be44a1bbba3b Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/settings/main.py:45
        env_tracing = os.getenv("CREWAI_TRACING_ENABLED", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0e5645d90866b80 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/templates/flow/main.py:49
        with open(output_dir / "post.md", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0c6d82156ce4ed5f Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/tools/main.py:147
        build_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #05f78592cb1f152b Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/tools/main.py:180
            with open(tarball_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c75f57d95186c885 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/update_crew.py:96
    with open(output_file, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fac1076a20af0326 Environment-variable access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:53
    value = os.environ.get("CREWAI_DMN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af1510d14e14fde4 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:86
    with open(dst, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #354a8c55bb0fbc6f Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:94
    content = src.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf1f0549042d0352 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:104
        with open(env_file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c2efa2607c60229 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:142
            with open(filepath, "r", encoding="utf-8", errors="ignore") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69432a921ce54841 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:144
            with open(filepath, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4056141c4d1b5151 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:165
        with open(env_file_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a61c03c84de7d8d5 Filesystem access.
pkgs/python/[email protected]/src/crewai_cli/utils.py:176
    with open(env_file_path, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mcp

python dependency
high pii_flow dependency Excluded from app score #652aca3b78247ca3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452
        return httpx.Request("POST", token_url, data=refresh_data, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 31 low-confidence finding(s)
low env_fs dependency Excluded from app score #9f6c7dd4e7e2488e Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:72
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5274c535bc381647 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:281
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #629665a45ddfca71 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:349
    scenario = os.environ.get("MCP_CONFORMANCE_SCENARIO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f9db4d4fe8a5a678 Environment-variable access.
pkgs/python/[email protected]/examples/clients/conformance-auth-client/mcp_conformance_auth_client/__init__.py:50
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bdda421ad0881dfe Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:343
    server_url = os.getenv("MCP_SERVER_PORT", 8000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f1b007ea28d1582a Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:344
    transport_type = os.getenv("MCP_TRANSPORT_TYPE", "streamable-http")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #17bdf1149ccfb5d2 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:345
    client_metadata_url = os.getenv("MCP_CLIENT_METADATA_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #46eadb9b36827615 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:24
        self.api_key = os.getenv("LLM_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7606ba7911228e6f Filesystem access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:45
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e1de23bf9a6e70a0 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:83
            env={**os.environ, **self.config["env"]} if self.config.get("env") else None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #471739f972ca102a Filesystem access.
pkgs/python/[email protected]/examples/fastmcp/icons_demo.py:14
icon_data = base64.standard_b64encode(icon_path.read_bytes()).decode()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7caf5ad22fd3b102 Environment-variable access.
pkgs/python/[email protected]/examples/fastmcp/memory.py:52
PROFILE_DIR = (Path.home() / ".fastmcp" / os.environ.get("USER", "anon") / "memory").resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #44de580b5955a29f Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/completion_client.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2381bdf13716b7cd Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/display_utilities.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2214373b0b86f5d7 Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/stdio_client.py:19
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a2873639fc8013c1 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/binary_resources.py:9
    with open("logo.png", "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ae8660381dd0d717 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results.py:10
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #08ab26db594995c9 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results_binary.py:12
    with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #82ee8f1f36407bf0 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/prompt_embedded_resources.py:11
    file_content = open(filename).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4500f7e64faa7cd8 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/tool_errors.py:27
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #28691291c287534f Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:53
        code = file.read_text().rstrip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4c8d5872095a1fd1 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:109
    content = doc_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0089d56b576dbc5d Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:134
            doc_path.write_text(updated_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8476a3341e86fbbc Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:24
        path = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"), "Claude")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a4ca6cfb420c65f Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:77
            config_file.write_text("{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #452d24043f391359 Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:88
        config = json.loads(config_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7041d870a0726684 Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:135
        config_file.write_text(json.dumps(config, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #567aae7300cccf1d Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/cli.py:282
            env=dict(os.environ.items()),  # Convert to list of tuples for env update

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e871e5efe93325e6 Environment-variable access.
pkgs/python/[email protected]/src/mcp/client/stdio/__init__.py:59
        value = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #176154df8579e2d1 Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:47
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47813261ba4503dd Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:94
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pymongo

python dependency
high pii_flow tooling reachable #ba5721400cd1a0bc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:116 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:111 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:116
    with request.urlopen(request.Request(url), timeout=15.0) as response:  # noqa: S310

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 112 low-confidence finding(s)
low env_fs tooling reachable #d7f7fc25866ac29d Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:292
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f67030e37ee5cbe1 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:321
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #73874a59718c63bc Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:354
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1ad13d0de02b273f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:64
    base_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c898ae35c2fb9286 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:99
            os.environ["AZUREKMS_VMNAME_PREFIX"] = "PYTHON_DRIVER"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2d2d58fd9a33a743 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:102
            os.environ[

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4819d1ce1b00da63 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:102
            os.environ[
                "AZUREKMS_IMAGE"
            ] = "Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1dd58da323c18374 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:106
            os.environ["GCPKMS_IMAGEFAMILY"] = "debian-12"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #85113cdced942b9a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:128
        key_name = os.environ["KEY_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d563603041a79a79 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:129
        key_vault_endpoint = os.environ["KEY_VAULT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #289cb2536f739efe Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:26
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #948ef17456699e88 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:64
        LOGGER.error(Path("error_log").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a76a97eae5308be1 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:72
    uri1 = os.environ["TEST_URI1"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #06789ba93305947a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:73
    uri2 = os.environ["TEST_URI2"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #560c1c984b1937a9 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:81
        LOGGER.error(Path("error_log").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #832af8fd9fefc780 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:86
    apache = os.environ["APACHE_BINARY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #67013e13f93f3821 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:87
    apache_config = os.environ["APACHE_CONFIG"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #71162b57fa7dbb65 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:34
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #949d578be727c792 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:36
    if sub_test_name == "eks" and "AWS_ACCESS_KEY_ID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #57aaef0ff6742d54 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:39
            if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #acfc982d414d518a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:40
                write_env(key, os.environ[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0443f42beb8bce47 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:62
        return os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e2b09c24dcea37eb Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:84
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #11c6d2ff62aec696 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/resync-all-specs.py:63
    spec_dir = pathlib.Path(os.environ["MDB_SPECS"]) / "source"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #123b1311647f19ea Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/resync-all-specs.py:126
            with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5d0ccdbdf7009f91 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:10
    os.environ[name] = str(value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #abc4535f0cda8eb7 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:22
    if "VERSION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #38a237c764a29ce7 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:23
        os.environ["MONGODB_VERSION"] = os.environ["VERSION"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ebef2d27301ae7fb Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:32
        os.environ["TOPOLOGY"] = "replica_set"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #273de0f4dbfecafd Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:33
        os.environ["MONGODB_VERSION"] = "7.0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9d5bf11c356ef33e Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:35
    if not os.environ.get("TEST_CRYPT_SHARED"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7f578fccbcd014f6 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:24
AUTH = os.environ.get("AUTH", "noauth")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #249341edef01770d Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:25
SSL = os.environ.get("SSL", "nossl")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8702a4b657bbbdc3 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:26
UV_ARGS = os.environ.get("UV_ARGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #930d5992fcfc5959 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:27
TEST_PERF = os.environ.get("TEST_PERF")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #32a10ed16acf71d0 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:28
GREEN_FRAMEWORK = os.environ.get("GREEN_FRAMEWORK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b23c15fbe2252d70 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:29
TEST_ARGS = os.environ.get("TEST_ARGS", "").split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eb778f8260e2c277 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:30
TEST_NAME = os.environ.get("TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d0af773875fc299f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:31
SUB_TEST_NAME = os.environ.get("SUB_TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d2429c144185b17f Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:53
    with open("results.json") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1d884a831504e54c Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:68
    with open("report.json", "w", newline="\n") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7a3ea6cbca7c4bcf Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:106
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6fecb52375079ab1 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:150
    if not os.environ.get("NO_EXT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #659283f226bc980b Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:153
    if os.environ.get("PYMONGOCRYPT_LIB"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b814eca196010a27 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:204
    if os.environ.get("DEBUG_LOG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6004c2033fcc48d9 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:207
    if os.environ.get("COVERAGE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6569559d778e1734 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:57
    value = os.environ.get(var, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c81c42a7c21565a5 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:65
    with open("/etc/os-release") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #60f2b0337e03307b Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:111
        url = os.environ["LIBMONGOCRYPT_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #74906cc3b8a751ee Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:181
            write_env(var, os.environ.get(var, getattr(opts, var.lower(), "")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7ead9daff650b1f5 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:200
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #89638aba35c89888 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:223
        if "AWS_ACCESS_KEY_ID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c1f644db6b924939 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:225
                if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #736e812085476daa Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:226
                    write_env(key, os.environ[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5472c8b2003e68cf Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:268
            os.environ["KRB5_CONFIG"] = str(krb_conf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #28043720de866a09 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:281
        SINGLE_MONGOS_LB_URI = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #54b561be562052e4 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:281
        SINGLE_MONGOS_LB_URI = os.environ.get(
            "SINGLE_MONGOS_LB_URI", "mongodb://127.0.0.1:8000/?loadBalanced=true"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bc8ecce52e411f4d Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:284
        MULTI_MONGOS_LB_URI = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d85592c15c809332 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:284
        MULTI_MONGOS_LB_URI = os.environ.get(
            "MULTI_MONGOS_LB_URI", "mongodb://127.0.0.1:8001/?loadBalanced=true"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4ea4a89bfc4eb340 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:304
            os.environ["OCSP_SERVER_TYPE"] = sub_test_name

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #33c2b6d463a93b76 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:306
            if name not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8d2e815ce07761cd Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:309
        server_type = os.environ["OCSP_SERVER_TYPE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7b527b6248ae756a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:310
        orch_file = os.environ["ORCHESTRATION_FILE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #08e65aa40fa846e5 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:321
            env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7c9e75c428f05a54 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:328
        version = os.environ.get("VERSION", "latest")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #05240f0c9d6546f1 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:349
    compressors = os.environ.get("COMPRESSORS") or opts.compressor

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #48d0e013ebc992fa Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:412
        if "AWS_ROLE_SESSION_NAME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0186996cca98cd83 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:472
        framework = opts.green_framework or os.environ["GREEN_FRAMEWORK"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #76f8183400908421 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:10
TEST_NAME = os.environ.get("TEST_NAME", "unconfigured")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #41c4b1b993499d68 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:11
SUB_TEST_NAME = os.environ.get("SUB_TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f4cd4c768f6c6605 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:52
    Path(os.environ["OUTPUT_FILE"]).unlink(missing_ok=True)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ece1b87ab5dd2372 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:61
if os.environ.get("COVERAGE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7efff92d87f7df07 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:15
DRIVERS_TOOLS = os.environ.get("DRIVERS_TOOLS", "").replace(os.sep, "/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6d2141d766dcdc54 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:169
        if env_var in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #79a1ef4f81ca7c83 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:173
                opts.auth = os.environ.get("AUTH") == "auth"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #97ff538957c05b83 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:175
                ssl_opt = os.environ.get("SSL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #58b6e5fd9f040cbb Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:178
                if os.environ[env_var]:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #09997e62beba488c Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:181
                setattr(opts, key, os.environ[env_var])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #76a15e49e13c265e Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:211
    env = kwargs.pop("env", os.environ).copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09ee0146082d8850 Environment-variable access.
pkgs/python/[email protected]/_setup.py:71
            if os.environ.get("PYMONGO_C_EXT_MUST_BUILD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9764cd1e480e2114 Environment-variable access.
pkgs/python/[email protected]/_setup.py:88
            if "ProgramFiles" in os.environ and "ProgramFiles(x86)" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #041398d5cfc030a4 Environment-variable access.
pkgs/python/[email protected]/_setup.py:89
                os.environ["ProgramFiles(x86)"] = os.environ["ProgramFiles"] + " (x86)"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a53d8b442190c907 Environment-variable access.
pkgs/python/[email protected]/_setup.py:94
            if os.environ.get("PYMONGO_C_EXT_MUST_BUILD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eecd37cd27e865d7 Environment-variable access.
pkgs/python/[email protected]/_setup.py:127
if "--no_ext" in sys.argv or os.environ.get("NO_EXT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3a053b30a20e4b3 Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:81
        token_file = os.environ.get("OIDC_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1aeffa6e2211f432 Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:86
        with open(token_file) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f251d64eb2a76b41 Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:92
        token_file = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ccf162de4a88448 Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:97
        with open(token_file) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45c0b3d2fd4bce3f Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:129
        if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfc4a0ac0034078d Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:130
            fname = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c8d378252f4eda4 Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:131
    with open(fname) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5e2833b971cee37 Filesystem access.
pkgs/python/[email protected]/pymongo/common.py:238
    open(value).close()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ff84502f5ab76e5 Filesystem access.
pkgs/python/[email protected]/pymongo/daemon.py:64
            with open(os.devnull, "r+b") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8475957380805afc Filesystem access.
pkgs/python/[email protected]/pymongo/daemon.py:95
            with open(os.devnull, "r+b") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad27e09bc61b66ad Environment-variable access.
pkgs/python/[email protected]/pymongo/logger.py:165
        document_length = int(os.getenv("MONGOB_LOG_MAX_DOCUMENT_LENGTH", _DEFAULT_DOCUMENT_LENGTH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72e3d5380ac0e12b Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:78
        "architecture": os.environ.get("PROCESSOR_ARCHITECTURE") or platform.machine(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e41b1c0bd68ccb95 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:119
    if os.getenv(ENV_VAR_K8S):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f8279270577835e Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:126
    if os.getenv("AWS_LAMBDA_RUNTIME_API"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a7b12e3407fc96d Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:128
    env = os.getenv("AWS_EXECUTION_ENV")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f73ccf7cd58bb17e Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:135
    return bool(os.getenv("FUNCTIONS_WORKER_RUNTIME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45e21f923aa831eb Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:139
    return bool(os.getenv("K_SERVICE") or os.getenv("FUNCTION_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d391a0a80e3bc5d Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:143
    return bool(os.getenv("VERCEL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2210fc231e163c6 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:152
    val = os.getenv(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b64887a73ba6a9e1 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:171
        region = os.getenv("AWS_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0e80eb1baa21b36 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:181
        region = os.getenv("FUNCTION_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47d740c1c313f5ab Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:192
        region = os.getenv("VERCEL_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #66cdd68b577e1775 Filesystem access.
pkgs/python/[email protected]/tools/compare_import_time.py:23
    with open(f"pymongo-{sha}.log") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #952ec741ab47149c Filesystem access.
pkgs/python/[email protected]/tools/convert_test_to_async.py:123
    with open(input_file, "r+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4b5709344743fcc1 Filesystem access.
pkgs/python/[email protected]/tools/convert_test_to_async.py:127
        with open(output_file, "w+") as f2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d101e05e6a820e9c Filesystem access.
pkgs/python/[email protected]/tools/ensure_future_annotations_import.py:29
        with open(path) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fe29c71e96f11673 Filesystem access.
pkgs/python/[email protected]/tools/synchro.py:290
            with open(file, "r+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #603a9dbec73b6de9 Environment-variable access.
pkgs/python/[email protected]/tools/synchro.py:442
            and "OVERRIDE_SYNCHRO_CHECK" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

singlestoredb

python dependency
high pii_flow dependency Excluded from app score #b7da19de6ab9fb2c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:173 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:172 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:173
        res = requests.post(
            self.api_url,
            headers={
                'Content-Type': 'application/json',
                'Authorization': f'Bearer {api_token}',
            },
            json={
                'query': type(self).get_query(),
                'variables': variables or {},
            },
        )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 122 low-confidence finding(s)
low env_fs dependency Excluded from app score #c6bcdb166b610cc6 Environment-variable access.
pkgs/python/[email protected]/setup.py:15
build_extension = bool(int(os.environ.get('SINGLESTOREDB_BUILD_EXTENSION', '1')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c7a4303656eaf72 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/chat.py:47
        base_url = os.environ.get('SINGLESTOREDB_INFERENCE_API_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a562bdb9251ae558 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/chat.py:49
        hosting_platform = os.environ.get('SINGLESTOREDB_INFERENCE_API_HOSTING_PLATFORM')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15dd96647cd15554 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/chat.py:114
            token_env_val = os.environ.get('SINGLESTOREDB_USER_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4975c06414660c3 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/chat.py:155
    token_env = os.environ.get('SINGLESTOREDB_USER_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f908312062a514e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/embeddings.py:46
        base_url = os.environ.get('SINGLESTOREDB_INFERENCE_API_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adf1b76fbef50474 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/embeddings.py:48
        hosting_platform = os.environ.get('SINGLESTOREDB_INFERENCE_API_HOSTING_PLATFORM')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11afd834da4b5216 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/embeddings.py:113
            token_env_val = os.environ.get('SINGLESTOREDB_USER_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e46f2c0fd9c85319 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/ai/embeddings.py:145
    token_env = os.environ.get('SINGLESTOREDB_USER_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f07ba8ca599cfd04 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_config.py:20
        value = os.environ.get(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e6b9e019f4f36af Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_config.py:36
        workload_type = os.environ.get('SINGLESTOREDB_WORKLOAD_TYPE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c58f3c14f05ea85 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_config.py:39
        is_gateway_enabled = 'SINGLESTOREDB_NOVA_GATEWAY_ENDPOINT' in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #863a468673fbbd22 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_config.py:41
        app_token = os.environ.get('SINGLESTOREDB_APP_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ef2804fd8bd430e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_config.py:42
        user_token = os.environ.get('SINGLESTOREDB_USER_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01cc47492351f67c Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_python_udfs.py:100
    gateway_url = os.environ.get('SINGLESTOREDB_NOVA_GATEWAY_ENDPOINT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75277f4e2e40607f Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_python_udfs.py:102
        gateway_url = os.environ.get('SINGLESTOREDB_NOVA_GATEWAY_DEV_ENDPOINT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6058999d7f3aac14 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/apps/_python_udfs.py:112
    raw = os.environ.get('SINGLESTOREDB_UDF_KEEPALIVE_TIMEOUT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c567c9e16c4853e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/config.py:448
    os.environ.get('SINGLESTOREDB_URL') or None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ba415263affc2b1 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:98
num_processes = max(0, int(os.environ.get('SINGLESTOREDB_EXT_NUM_PROCESSES', 0)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09bbe99a51d0852c Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:1119
                x for x in os.environ.keys()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a26433fc317ed780 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:1123
                specs = [os.environ[x] for x in env_vars]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9eaadfff61337479 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:1998
            elif os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87a016a25500b84e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:2000
                    os.environ['SINGLESTOREDB_WORKSPACE_GROUP'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c235d10a38732b Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:2211
                elif os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5b7c2010e5db6ff Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/asgi.py:2213
                        os.environ['SINGLESTOREDB_WORKSPACE_GROUP'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #192e0e911106cc1c Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/mmap.py:230
            default=os.environ.get('SINGLESTOREDB_URL', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47df8a97b4d9dc25 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/mmap.py:272
                elif os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc4aa6e839c32e70 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/mmap.py:274
                        os.environ['SINGLESTOREDB_WORKSPACE_GROUP'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7a17c8f6a2b3804 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:34
        default=os.environ.get('PLUGIN_NAME', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e2db4135af21819 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:42
        default=os.environ.get('PLUGIN_SEARCH_PATH', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6a8640179d99b75 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:50
        default=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92932de48a01dab0 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:50
        default=os.environ.get(
            'PLUGIN_SOCKET_PATH',
            os.path.join(
                tempfile.gettempdir(),
                f'singlestore-udf-{os.getpid()}-{secrets.token_hex(4)}.sock',
            ),
        ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82d59ff0badbc445 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:65
        default=int(os.environ.get('PLUGIN_N_WORKERS', '0')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e06c78f2d7e3a0ff Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:74
        default=int(os.environ.get('PLUGIN_MAX_CONNECTIONS', '32')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffc2dd11f50bba0b Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:82
        default=os.environ.get('PLUGIN_LOG_LEVEL', 'info'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdb371a42f16d05c Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/__main__.py:91
        default=os.environ.get('PLUGIN_PROCESS_MODE', 'process'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32b716ca71e3343e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/ext/plugin/connection.py:48
_PROFILE = os.environ.get('SINGLESTOREDB_UDF_PROFILE', '') == '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11632f02c2854033 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/signature.py:1567
    host = os.environ.get('SINGLESTOREDB_EXT_HOST', '127.0.0.1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f163a5e9cda51af9 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/functions/signature.py:1568
    port = os.environ.get('SINGLESTOREDB_EXT_PORT', '8000')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3a237ea9e0e5a44 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/graphql.py:172
        api_token = self.api_token or os.environ.get('SINGLESTOREDB_BACKEND_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0aad3565fc59eb4 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handler.py:626
                os.environ.get('SINGLESTOREDB_FUSION_ENABLE_HIDDEN', '0').lower() not in \

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0123c10eb60f7dac Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:92
    if os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56ce2e03bfcd3b71 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:95
                os.environ['SINGLESTOREDB_WORKSPACE_GROUP'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b957fa5e9286620 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:101
                    f'{os.environ["SINGLESTOREDB_WORKSPACE_GROUP"]}',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dc9ecce1c134841 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:105
    if os.environ.get('SINGLESTOREDB_CLUSTER'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90c7cbada60fbb51 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:159
    if os.environ.get('SINGLESTOREDB_WORKSPACE'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ee4c76243ea8aad Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:162
                os.environ['SINGLESTOREDB_WORKSPACE'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d2a2ee1532283fc Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:168
                    f'{os.environ["SINGLESTOREDB_WORKSPACE"]}',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6768533aaf5a134 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:172
    if os.environ.get('SINGLESTOREDB_CLUSTER'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #161919d88eed9a2f Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:272
    if os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb0f2fb121473cfa Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:275
                os.environ['SINGLESTOREDB_WORKSPACE_GROUP'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4098b897d005b87a Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:281
                    f'{os.environ["SINGLESTOREDB_WORKSPACE_GROUP"]}',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fe43e7a7cba558d Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:286
    if os.environ.get('SINGLESTOREDB_CLUSTER'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd7bd84dca2789d1 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:289
                os.environ['SINGLESTOREDB_CLUSTER'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22e2bd92e4b70d1e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/fusion/handlers/utils.py:295
                    f'{os.environ["SINGLESTOREDB_CLUSTER"]}',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5c1295ba54ff6f9 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/http/connection.py:996
        if 'SINGLESTOREDB_WORKLOAD_TYPE' in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #519054e79962e626 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/http/connection.py:997
            client_version += '+' + os.environ['SINGLESTOREDB_WORKLOAD_TYPE']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee4120e239f89a9e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/http/connection.py:1078
        url = os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b40d16c5512ec62f Filesystem access.
pkgs/python/[email protected]/singlestoredb/magics/run_personal.py:121
                yield fpath.read_text(encoding='utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa9e6611a03c03b2 Filesystem access.
pkgs/python/[email protected]/singlestoredb/magics/run_shared.py:118
                yield fpath.read_text(encoding='utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc3e22881a5e446c Filesystem access.
pkgs/python/[email protected]/singlestoredb/management/files.py:686
        return self._upload(open(local_path, 'rb'), path, overwrite=overwrite)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #414fabda19132c0b Filesystem access.
pkgs/python/[email protected]/singlestoredb/management/files.py:1127
            with open(local_path, 'wb') as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e903853b3986562b Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/inference_api.py:278
        self.project_id = os.environ.get('SINGLESTOREDB_PROJECT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5d6cf6e243a0349 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/manager.py:26
    org = os.environ.get('SINGLESTOREDB_ORGANIZATION')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92c5dfff55e5f58a Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/manager.py:346
        if not os.environ.get('SINGLESTOREDB_WORKLOAD_TYPE', ''):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fcec52a71475b50 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/utils.py:169
        url = os.environ.get('SINGLESTOREDB_URL') or get_option('host')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfb57f3cdcaf8974 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/utils.py:228
    return os.environ.get('SINGLESTOREDB_CLUSTER') or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #107f5e4f76404f0d Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/utils.py:233
    return os.environ.get('SINGLESTOREDB_WORKSPACE') or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d61dd6da047de09c Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/utils.py:238
    return os.environ.get('SINGLESTOREDB_VIRTUAL_WORKSPACE') or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #569ca7e8a3dde043 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/utils.py:243
    return os.environ.get('SINGLESTOREDB_DEFAULT_DATABASE') or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c71c3c448c4791e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:63
    elif 'SINGLESTOREDB_WORKSPACE_GROUP' in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71816065ad3c1583 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:65
            os.environ['SINGLESTOREDB_WORKSPACE_GROUP']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #134c8fa5e0f395f0 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:87
    elif 'SINGLESTOREDB_WORKSPACE' in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc092dfb071ddd21 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:89
            os.environ['SINGLESTOREDB_WORKSPACE']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88a8caee476a83ea Filesystem access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:201
        return self._upload(open(local_path, 'rb'), stage_path, overwrite=overwrite)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd558e8549285b7f Filesystem access.
pkgs/python/[email protected]/singlestoredb/management/workspace.py:607
            with open(local_path, 'wb') as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #276b79ead9c77ae1 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/mysql/connection.py:638
        if 'SINGLESTOREDB_WORKLOAD_TYPE' in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68d9683e2bc031dd Environment-variable access.
pkgs/python/[email protected]/singlestoredb/mysql/connection.py:639
            VERSION_STRING += '+' + os.environ['SINGLESTOREDB_WORKLOAD_TYPE']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #205871ec62c3e103 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/mysql/connection.py:1038
            url = os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efe6fe2b611cd703 Filesystem access.
pkgs/python/[email protected]/singlestoredb/mysql/connection.py:2032
                    with open(self.filename, 'rb') as open_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8860569e32f0f632 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/__init__.py:12
if 'SINGLESTOREDB_ORGANIZATION' not in _os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a3758b689eb2c8e Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:119
            return os.environ.get('SINGLESTOREDB_ORGANIZATION')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84374f70c625f481 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:142
            return os.environ.get('SINGLESTOREDB_WORKSPACE_GROUP')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e74d519523ccd93 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:163
            return os.environ.get('SINGLESTOREDB_WORKSPACE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbae5aed57671496 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:267
            return os.environ.get('SINGLESTOREDB_CLUSTER')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d9989ddd26105a3 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:271
            os.environ.get('SINGLESTOREDB_URL', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97d0f96f41a18660 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:287
            return os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6a4ed7e1e5da7a8 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/notebook/_portal.py:295
            return os.environ.get('SINGLESTOREDB_URL_KAI')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f65f6328c8f877d Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:51
    worker = os.environ.get('PYTEST_XDIST_WORKER')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba821d4785f1ed43 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:52
    worker_count = os.environ.get('PYTEST_XDIST_WORKER_COUNT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3d9c0d88ba8b8e3 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:78
    worker = os.environ.get('PYTEST_XDIST_WORKER')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e316e8a44409a018 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:99
        self.existing_url = os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51ef4b2f0fa23636 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:111
        worker = os.environ.get('PYTEST_XDIST_WORKER', 'master')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4de5f938cc80a655 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:119
        license = os.environ.get('SINGLESTORE_LICENSE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56d85588ac975e0a Environment-variable access.
pkgs/python/[email protected]/singlestoredb/pytest.py:205
            license = os.environ.get('SINGLESTORE_LICENSE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e64eec3fb5f028bb Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:139
            license = os.environ.get('SINGLESTORE_LICENSE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d241802a7dc39b59 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:215
        self._saved_server_urls['DATABASE_URL'] = os.environ.get('DATABASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12977659f7fd4742 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:216
        os.environ['DATABASE_URL'] = self.connection_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70e1cb4f91530b4f Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:217
        self._saved_server_urls['SINGLESTOREDB_URL'] = os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e736d0a4d100c5f Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:218
        os.environ['SINGLESTOREDB_URL'] = self.connection_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e3731c826e56857 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:224
                    del os.environ[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac10dfd43f3301b Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/docker.py:226
                    os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #a863fffbbcffaa1d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:51
        r = requests.get('https://shell.singlestore.com/api/session')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #2d827b5e9f078f78 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:89
        self._saved_server_urls['DATABASE_URL'] = os.environ.get('DATABASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebc1780bd3ea9a7d Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:90
        os.environ['DATABASE_URL'] = self.connection_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #957e22317ea9ef8a Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:91
        self._saved_server_urls['SINGLESTOREDB_URL'] = os.environ.get('SINGLESTOREDB_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57b54b69b91e7c95 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:92
        os.environ['SINGLESTOREDB_URL'] = self.connection_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #028c96fefabc342b Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:98
                    del os.environ[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8867a610afb5d8f0 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:100
                    os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #27375aec8be266e5 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/singlestoredb/server/free_tier.py:250
                requests.get(
                    'https://shell.singlestore.com/api/terminate',
                    cookies=self._cookies,
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #16a18b15fdb04444 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:74
        if name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb9522990dd5857d Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:75
            return os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c423811a03fc88f Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:77
        if name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4761d938a3a6d10 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:78
            return os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d96bc579723f6488 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:107
        if name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3258dcf6f4ed47ae Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:108
            os.environ[name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b0726d3350dd740 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:110
        if name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da24a510f9aca863 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:111
            os.environ[name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55e10d8a162287b4 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:119
        os.environ.pop(name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15ee8e44c71daa45 Environment-variable access.
pkgs/python/[email protected]/singlestoredb/utils/config.py:120
        os.environ.pop(name.replace('_', ''), None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69865f6917cb8855 Environment-variable access.
pkgs/python/[email protected]/sqlx/magic.py:74
            if 'DATABASE_URL' not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8775cd4f724ab53 Environment-variable access.
pkgs/python/[email protected]/sqlx/magic.py:84
                os.environ['DATABASE_URL'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

uv

python dependency
high pii_flow dependency Excluded from app score #aa3d848da50830c7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:794 · flow /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:782 → /tmp/closeopen-2ddpso8x/pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:794
    client = httpx.AsyncClient(follow_redirects=True, headers=headers, timeout=60)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #8362e5ec25de09e3 Environment-variable access.
pkgs/python/[email protected]/crates/uv-installer/src/pip_compileall.py:25
    invalidation_mode = os.environ.get("PYC_INVALIDATION_MODE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77ffb13b13f3261b Filesystem access.
pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:778
    VERSIONS_FILE.write_text(json.dumps(results, indent=2) + "\n", newline="\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13364b21d85f4806 Environment-variable access.
pkgs/python/[email protected]/crates/uv-python/fetch-download-metadata.py:782
    token = os.environ.get("GITHUB_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a4cbc5fb46a0527 Filesystem access.
pkgs/python/[email protected]/crates/uv-python/python/packaging/_manylinux.py:22
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfcc0ff51771bdf6 Filesystem access.
pkgs/python/[email protected]/crates/uv-python/python/packaging/_musllinux.py:44
        with open(executable, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e380162658b0381 Environment-variable access.
pkgs/python/[email protected]/crates/uv-virtualenv/src/activator/activate_this.py:47
os.environ["PATH"] = os.pathsep.join([bin_dir, *os.environ.get("PATH", "").split(os.pathsep)])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4027fd4d91458429 Environment-variable access.
pkgs/python/[email protected]/crates/uv-virtualenv/src/activator/activate_this.py:48
os.environ["VIRTUAL_ENV"] = base  # virtual env is right above bin directory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #174d764ee706f10e Environment-variable access.
pkgs/python/[email protected]/crates/uv-virtualenv/src/activator/activate_this.py:49
os.environ["VIRTUAL_ENV_PROMPT"] = "{{ VIRTUAL_PROMPT }}" or os.path.basename(base)  # noqa: SIM222

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1246bf33f83af80a Environment-variable access.
pkgs/python/[email protected]/python/uv/__main__.py:13
    value = os.getenv("VIRTUAL_ENV")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a8d22085fb00fb7 Environment-variable access.
pkgs/python/[email protected]/python/uv/__main__.py:29
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

opentelemetry-sdk

python dependency
medium telemetry dependency Excluded from app score #89f03c81a44ba469 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:20
from opentelemetry._logs import set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f68cfdd40e914c3f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:21
from opentelemetry.environment_variables import (
    OTEL_LOGS_EXPORTER,
    OTEL_METRICS_EXPORTER,
    OTEL_PYTHON_ID_GENERATOR,
    OTEL_TRACES_EXPORTER,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #497c7ac5aead5f3c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:27
from opentelemetry.metrics import set_meter_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #516d432bb41613d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:28
from opentelemetry.sdk._logs import (
    LoggerProvider,
    LoggingHandler,
    LogRecordProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #023bd7dee9f6df37 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:33
from opentelemetry.sdk._logs._internal import _LoggerConfiguratorT

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #968821b9778916d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:34
from opentelemetry.sdk._logs.export import (
    BatchLogRecordProcessor,
    LogRecordExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d4ab19be896be575 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:38
from opentelemetry.sdk.environment_variables import (
    _OTEL_PYTHON_LOGGING_AUTO_INSTRUMENTATION_ENABLED,
    OTEL_CONFIG_FILE,
    OTEL_EXPORTER_OTLP_LOGS_PROTOCOL,
    OTEL_EXPORTER_OTLP_METRICS_PROTOCOL,
    OTEL_EXPORTER_OTLP_PROTOCOL,
    OTEL_EXPORTER_OTLP_TRACES_PROTOCOL,
    OTEL_PYTHON_LOGGER_CONFIGURATOR,
    OTEL_PYTHON_METER_CONFIGURATOR,
    OTEL_PYTHON_TRACER_CONFIGURATOR,
    OTEL_TRACES_SAMPLER,
    OTEL_TRACES_SAMPLER_ARG,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #78ed9066caf2e0f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:51
from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #52de527bcea29f70 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:52
from opentelemetry.sdk.metrics._internal import _MeterConfiguratorT

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #866e638bbe9f2945 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:53
from opentelemetry.sdk.metrics.export import (
    MetricExporter,
    MetricReader,
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #434f2ea0cd73250c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:58
from opentelemetry.sdk.resources import Attributes, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dbd95d5a77daa264 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:59
from opentelemetry.sdk.trace import (
    SpanProcessor,
    TracerProvider,
    _TracerConfiguratorT,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c606a84059d66c8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:64
from opentelemetry.sdk.trace.export import BatchSpanProcessor, SpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ce26c0a7b02aa7ff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:65
from opentelemetry.sdk.trace.id_generator import IdGenerator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ab823f8478c23447 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:66
from opentelemetry.sdk.trace.sampling import Sampler

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #40821c771e83a020 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:67
from opentelemetry.semconv.resource import ResourceAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9afef3369fc98f90 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:68
from opentelemetry.trace import set_tracer_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1c6175024ff29041 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:69
from opentelemetry.util._importlib_metadata import entry_points

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #15dff0a13c1acc29 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:324
        from opentelemetry._events import (  # noqa: PLC0415
            set_event_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #892b9565e200f14f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:327
        from opentelemetry.sdk._events import (  # noqa: PLC0415
            EventLoggerProvider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #196dd3d71cc61e9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:729
            from opentelemetry.sdk._configuration._sdk import (  # noqa: PLC0415
                configure_sdk,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ca59b66f77de3aa1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:732
            from opentelemetry.sdk._configuration.file._loader import (  # noqa: PLC0415
                load_config_file,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #26c301d7a7995185 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_common.py:12
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #85671ba8eeddfd7b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_common.py:13
from opentelemetry.util._importlib_metadata import entry_points

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea4d68e307b8118b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:8
from opentelemetry._logs import set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #440eb0914de33ce8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:9
from opentelemetry.sdk._configuration._common import (
    _map_compression,
    _parse_headers,
    load_entry_point,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d2c418b9d1b4b089 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:14
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #74321d9e36ff6ed3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:15
from opentelemetry.sdk._configuration.models import (
    BatchLogRecordProcessor as BatchLogRecordProcessorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fa59ca8ad22edda9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:18
from opentelemetry.sdk._configuration.models import (
    LoggerProvider as LoggerProviderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cfd19bb8beba0271 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:21
from opentelemetry.sdk._configuration.models import (
    LogRecordExporter as LogRecordExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ae56f00524f03f76 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:24
from opentelemetry.sdk._configuration.models import (
    LogRecordProcessor as LogRecordProcessorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4383b92f2d4170e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:27
from opentelemetry.sdk._configuration.models import (
    OtlpGrpcExporter as OtlpGrpcExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a43e59c3405207d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:30
from opentelemetry.sdk._configuration.models import (
    OtlpHttpExporter as OtlpHttpExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d6acc31c817873ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:33
from opentelemetry.sdk._configuration.models import (
    SimpleLogRecordProcessor as SimpleLogRecordProcessorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c88222366273a5d2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:36
from opentelemetry.sdk._logs import LoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c6132a6a30c02011 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:37
from opentelemetry.sdk._logs._internal.export import (
    BatchLogRecordProcessor,
    ConsoleLogRecordExporter,
    LogRecordExporter,
    SimpleLogRecordProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0c413fee74dc4315 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:43
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8c6701fb92ecca42 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:65
        from opentelemetry.exporter.otlp.proto.http import (  # type: ignore[import-untyped]  # noqa: PLC0415
            Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #905ec7b30e4b1028 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:68
        from opentelemetry.exporter.otlp.proto.http._log_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d90f9c9cccf25c75 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_logger_provider.py:99
        from opentelemetry.exporter.otlp.proto.grpc._log_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #efb8c9d54a3145c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:8
from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #35c993288746bec2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:9
from opentelemetry.sdk._configuration._common import (
    _map_compression,
    _parse_headers,
    load_entry_point,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b6aa47f7d3ea02b1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:14
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9260032e38cb6815 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:15
from opentelemetry.sdk._configuration.models import (
    Aggregation as AggregationConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b4812ff01f18a7c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:18
from opentelemetry.sdk._configuration.models import (
    ConsoleMetricExporter as ConsoleMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2fe7e0889b410093 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:21
from opentelemetry.sdk._configuration.models import (
    ExemplarFilter as ExemplarFilterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0bbef3ab30c80167 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:24
from opentelemetry.sdk._configuration.models import (
    ExperimentalPrometheusMetricExporter as PrometheusMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c91cd9f50b0dbdd2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:27
from opentelemetry.sdk._configuration.models import (
    ExporterDefaultHistogramAggregation,
    ExporterTemporalityPreference,
    InstrumentType,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1bbf3078e61cf935 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:32
from opentelemetry.sdk._configuration.models import (
    MeterProvider as MeterProviderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9b96c570551c15c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:35
from opentelemetry.sdk._configuration.models import (
    MetricReader as MetricReaderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #85ea905daa3b9a95 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:38
from opentelemetry.sdk._configuration.models import (
    OtlpGrpcMetricExporter as OtlpGrpcMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b2fbb68b79f4e0da Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:41
from opentelemetry.sdk._configuration.models import (
    OtlpHttpMetricExporter as OtlpHttpMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91bc16b85eed1a2d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:44
from opentelemetry.sdk._configuration.models import (
    PeriodicMetricReader as PeriodicMetricReaderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #04a3e263d21247d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:47
from opentelemetry.sdk._configuration.models import (
    PullMetricExporter as PullMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7c0f29a216e8ce49 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:50
from opentelemetry.sdk._configuration.models import (
    PullMetricReader as PullMetricReaderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0900a70325f8b86f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:53
from opentelemetry.sdk._configuration.models import (
    PushMetricExporter as PushMetricExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f27c607ad84d29d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:56
from opentelemetry.sdk._configuration.models import (
    View as ViewConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #13211d2ef469bdde Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:59
from opentelemetry.sdk.metrics import (
    AlwaysOffExemplarFilter,
    AlwaysOnExemplarFilter,
    Counter,
    Histogram,
    MeterProvider,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    TraceBasedExemplarFilter,
    UpDownCounter,
    _Gauge,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3a29698d1c1aa501 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:72
from opentelemetry.sdk.metrics.export import (
    AggregationTemporality,
    ConsoleMetricExporter,
    MetricExporter,
    MetricReader,
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9f816b8190060239 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:79
from opentelemetry.sdk.metrics.view import (
    Aggregation,
    DefaultAggregation,
    DropAggregation,
    ExplicitBucketHistogramAggregation,
    ExponentialBucketHistogramAggregation,
    LastValueAggregation,
    SumAggregation,
    View,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cc1961dd99ced92c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:89
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ebf07834dae90d18 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:275
        from opentelemetry.exporter.otlp.proto.http import (  # type: ignore[import-untyped]  # noqa: PLC0415
            Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7e43c2dd7621189d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:278
        from opentelemetry.exporter.otlp.proto.http.metric_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #825c493d99662147 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:315
        from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3ee684bd9d32ed62 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_meter_provider.py:415
        from opentelemetry.exporter.prometheus import (  # type: ignore[import-untyped]  # noqa: PLC0415
            PrometheusMetricReader,
            start_http_server,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #33926393b4144d5b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:6
from opentelemetry.baggage.propagation import W3CBaggagePropagator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fda7f846ec94b6f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:7
from opentelemetry.propagate import set_global_textmap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2632ede9db6fc57d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:8
from opentelemetry.propagators.composite import CompositePropagator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b53303a6cfecc815 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:9
from opentelemetry.propagators.textmap import TextMapPropagator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #03a2737f0d70b605 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:10
from opentelemetry.sdk._configuration._common import load_entry_point

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dbf6b613d43c2713 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:11
from opentelemetry.sdk._configuration.models import (
    Propagator as PropagatorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #02c3a329b1ab1c1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:14
from opentelemetry.sdk._configuration.models import (
    TextMapPropagator as TextMapPropagatorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c285ddf823a0adc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_propagator.py:17
from opentelemetry.trace.propagation.tracecontext import (
    TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d72b3683b0f28f9c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:14
from opentelemetry.sdk._configuration._common import load_entry_point

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #77160c5c9068f911 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:15
from opentelemetry.sdk._configuration.models import (
    AttributeNameValue,
    AttributeType,
    ExperimentalResourceDetector,
    IncludeExclude,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #46ad66d4d27788c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:21
from opentelemetry.sdk._configuration.models import Resource as ResourceConfig

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #acd5e30975f7c7c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:22
from opentelemetry.sdk.resources import (
    _DEFAULT_RESOURCE,
    OTEL_SERVICE_NAME,
    SERVICE_NAME,
    ProcessResourceDetector,
    Resource,
    ServiceInstanceIdResourceDetector,
    _HostResourceDetector,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f2e8f42bdd4278b1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:31
from opentelemetry.util.types import AttributeValue

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b1395a753de1e3ed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:15
from opentelemetry.sdk._configuration._logger_provider import (
    configure_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f82589b575fa877e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:18
from opentelemetry.sdk._configuration._meter_provider import (
    configure_meter_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91afd53320436eea Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:21
from opentelemetry.sdk._configuration._propagator import configure_propagator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8257aa4f1dc9843e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:22
from opentelemetry.sdk._configuration._resource import create_resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ee28489719d9acf3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:23
from opentelemetry.sdk._configuration._tracer_provider import (
    configure_tracer_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7ad6ac970ddab06c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_sdk.py:26
from opentelemetry.sdk._configuration.models import OpenTelemetryConfiguration

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #79161eac57830ff1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:8
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a96444a8aec3e186 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:9
from opentelemetry.sdk._configuration._common import (
    _map_compression,
    _parse_headers,
    load_entry_point,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2b59bb4fd1e2c587 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:14
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6c161f5a81b93a8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:15
from opentelemetry.sdk._configuration.models import (
    ExperimentalComposableRuleBasedSampler as RuleBasedSamplerConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1c5fa59b4d6becc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:18
from opentelemetry.sdk._configuration.models import (
    ExperimentalComposableRuleBasedSamplerRule as RuleBasedSamplerRuleConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3d7f119eacba556f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:21
from opentelemetry.sdk._configuration.models import (
    ExperimentalComposableSampler as ComposableSamplerConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #85cfa25fb073080d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:24
from opentelemetry.sdk._configuration.models import (
    OtlpGrpcExporter as OtlpGrpcExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cdfa9b0c811cf3d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:27
from opentelemetry.sdk._configuration.models import (
    OtlpHttpExporter as OtlpHttpExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d296cc2e022ad3a2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:30
from opentelemetry.sdk._configuration.models import (
    ParentBasedSampler as ParentBasedSamplerConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e24907a918f3f7e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:33
from opentelemetry.sdk._configuration.models import (
    Sampler as SamplerConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #40d01009eadba569 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:36
from opentelemetry.sdk._configuration.models import (
    SpanExporter as SpanExporterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2a724b8007e7f2db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:39
from opentelemetry.sdk._configuration.models import (
    SpanLimits as SpanLimitsConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0bb9a34ae8ae67d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:42
from opentelemetry.sdk._configuration.models import (
    SpanProcessor as SpanProcessorConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #04b32ef2b434833b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:45
from opentelemetry.sdk._configuration.models import (
    TracerProvider as TracerProviderConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d847780b1cfa6b3e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:48
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #db62b7224586ccc8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:49
from opentelemetry.sdk.trace import (
    _DEFAULT_OTEL_EVENT_ATTRIBUTE_COUNT_LIMIT,
    _DEFAULT_OTEL_LINK_ATTRIBUTE_COUNT_LIMIT,
    _DEFAULT_OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT,
    _DEFAULT_OTEL_SPAN_EVENT_COUNT_LIMIT,
    _DEFAULT_OTEL_SPAN_LINK_COUNT_LIMIT,
    SpanLimits,
    TracerProvider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2ca89b596b36890f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:58
from opentelemetry.sdk.trace._sampling_experimental import (
    ComposableSampler,
    composable_always_off,
    composable_always_on,
    composable_parent_threshold,
    composable_rule_based,
    composable_traceid_ratio_based,
    composite_sampler,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a2ccac5ad5be9d78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:67
from opentelemetry.sdk.trace._sampling_experimental._rule_based import (
    AllPredicate,
    AlwaysMatchPredicate,
    AttributePatternsPredicate,
    AttributeValuesPredicate,
    ParentPredicate,
    PredicateT,
    RulesT,
    SpanKindPredicate,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e3ffc1e92c0effc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:77
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    ConsoleSpanExporter,
    SimpleSpanProcessor,
    SpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aa41869de0aa586a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:83
from opentelemetry.sdk.trace.sampling import (
    ALWAYS_OFF,
    ALWAYS_ON,
    ParentBased,
    Sampler,
    TraceIdRatioBased,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #33cb8a146848580a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:90
from opentelemetry.trace import SpanKind as TraceSpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #129f1bc01aedb959 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:104
        from opentelemetry.exporter.otlp.proto.http import (  # type: ignore[import-untyped]  # noqa: PLC0415
            Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2bd6266cde9861ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:107
        from opentelemetry.exporter.otlp.proto.http.trace_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0425492bb71cf9ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_tracer_provider.py:138
        from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import (  # type: ignore[import-untyped]  # noqa: PLC0415
            OTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #557a3bce2d4d74c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:16
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f5097f6bff8c316a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:17
from opentelemetry.sdk._configuration._logger_provider import (
    configure_logger_provider,
    create_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2a11d9180d55f9b8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:21
from opentelemetry.sdk._configuration._meter_provider import (
    configure_meter_provider,
    create_meter_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3432fb85a90bcfd1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:25
from opentelemetry.sdk._configuration._propagator import (
    configure_propagator,
    create_propagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #61d2ffdb92c0192d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:29
from opentelemetry.sdk._configuration._resource import create_resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #83588200369b4b7b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:30
from opentelemetry.sdk._configuration._sdk import configure_sdk

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fd7868195426cc57 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:31
from opentelemetry.sdk._configuration._tracer_provider import (
    configure_tracer_provider,
    create_tracer_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f5a14fca4bc9157f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:35
from opentelemetry.sdk._configuration.file._env_substitution import (
    EnvSubstitutionError,
    substitute_env_vars,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91ca5dde0751739d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/__init__.py:39
from opentelemetry.sdk._configuration.file._loader import load_config_file

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e2e3dcf44ecfea56 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:13
from opentelemetry.sdk._configuration._conversion import _dict_to_dataclass

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d0eaaf5e60081276 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:14
from opentelemetry.sdk._configuration._exceptions import ConfigurationError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a837b56d81310cbf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:15
from opentelemetry.sdk._configuration.file._env_substitution import (
    substitute_env_vars,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #775d650bd797486c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:18
from opentelemetry.sdk._configuration.models import OpenTelemetryConfiguration

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1e8edac6971d7c10 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/models.py:11
from opentelemetry.sdk._configuration._common import _additional_properties

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #617f0e0e8f8a1175 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:9
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b98758714e45e37d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:10
from opentelemetry._events import Event

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0bb62e110a72f9e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:11
from opentelemetry._events import EventLogger as APIEventLogger

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3127628cfee1fae0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:12
from opentelemetry._events import EventLoggerProvider as APIEventLoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f8413cbe74831fe5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:13
from opentelemetry._logs import (
    LogRecord,
    NoOpLogger,
    SeverityNumber,
    get_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fcef0331965654ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:19
from opentelemetry.sdk._logs import Logger, LoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dd7be4f191853ec6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_events/__init__.py:20
from opentelemetry.util.types import _ExtendedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e82032e610e0e08a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/__init__.py:4
from opentelemetry.sdk._logs._internal import (
    LogDroppedAttributesWarning,
    Logger,
    LoggerProvider,
    LoggingHandler,
    LogLimits,
    LogRecordDroppedAttributesWarning,
    LogRecordLimits,
    LogRecordProcessor,
    ReadableLogRecord,
    ReadWriteLogRecord,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #022f5007aacedd83 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:28
from opentelemetry._logs import Logger as APILogger

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a38c6ab854335b7d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:29
from opentelemetry._logs import LoggerProvider as APILoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9f481bd49d7d6213 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:30
from opentelemetry._logs import (
    LogRecord,
    NoOpLogger,
    SeverityNumber,
    get_logger,
    get_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #585e664f09bd21d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:37
from opentelemetry.attributes import _VALID_ANY_VALUE_TYPES, BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #426a60ef6adda381 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:38
from opentelemetry.context import get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4160ec2c8ed4870a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:39
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5e2304b90830205a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:40
from opentelemetry.metrics import MeterProvider, get_meter_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #959d99f93b871419 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:41
from opentelemetry.sdk._logs._internal._exceptions import (
    _copy_log_record_with_exception,
    _create_log_record_with_exception,
    _set_log_record_exception_attributes,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c05c83bc20c3e15d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:46
from opentelemetry.sdk._logs._internal._logger_metrics import (
    LoggerMetricsT,
    create_logger_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2c493327473f0ab8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:50
from opentelemetry.sdk.environment_variables import (
    OTEL_ATTRIBUTE_COUNT_LIMIT,
    OTEL_ATTRIBUTE_VALUE_LENGTH_LIMIT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,
    OTEL_SDK_DISABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d28afff1bbae2cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:56
from opentelemetry.sdk.environment_variables._internal import (
    parse_boolean_environment_variable,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #20ee581f197d9165 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:59
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7cfe35b5affb4107 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:60
from opentelemetry.sdk.util import ns_to_iso_str

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8263a0ba87f8e06c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:61
from opentelemetry.sdk.util._configurator import RuleBasedConfigurator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2ee7f5dd7243354a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:62
from opentelemetry.sdk.util.instrumentation import (
    InstrumentationScope,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d4ef4cd1a32266eb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:65
from opentelemetry.semconv._incubating.attributes import code_attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3349d4bcd77ef3cd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:66
from opentelemetry.semconv.attributes import exception_attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9aace7a00c8ffdbd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:67
from opentelemetry.trace import (
    format_span_id,
    format_trace_id,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d516cd856a3a6325 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:71
from opentelemetry.util.types import AnyValue, _ExtendedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ecb2fb43fc18bd83 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_exceptions.py:7
from opentelemetry._logs import LogRecord

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #38e1e8b8fabe8ba4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_exceptions.py:8
from opentelemetry.attributes import BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2f3e2daa7d552ec5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_exceptions.py:9
from opentelemetry.semconv.attributes import exception_attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #70dc7e1253fab1d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_exceptions.py:10
from opentelemetry.util.types import AnyValue, _ExtendedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #20c4143f3886c99d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_logger_metrics.py:6
from opentelemetry import metrics as metrics_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8e12019f3c59d510 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/_logger_metrics.py:7
from opentelemetry.semconv._incubating.metrics.otel_metrics import (
    create_otel_sdk_log_created,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ec11d272c49d5fe3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:15
from opentelemetry.context import (
    _ON_EMIT_RECURSION_COUNT_KEY,
    _SUPPRESS_INSTRUMENTATION_KEY,
    attach,
    detach,
    get_value,
    set_value,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #635f2868e02c96b8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:23
from opentelemetry.metrics import MeterProvider, get_meter_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #12ec27ec599842e4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:24
from opentelemetry.sdk._logs import (
    LogRecordProcessor,
    ReadableLogRecord,
    ReadWriteLogRecord,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3d83a2ca0ae16e90 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:29
from opentelemetry.sdk._shared_internal import (
    BatchProcessor,
    DuplicateFilter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #87ba71fded533f9b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:33
from opentelemetry.sdk._shared_internal._processor_metrics import (
    create_processor_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #95835ba112e9f448 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:36
from opentelemetry.sdk.environment_variables import (
    OTEL_BLRP_EXPORT_TIMEOUT,
    OTEL_BLRP_MAX_EXPORT_BATCH_SIZE,
    OTEL_BLRP_MAX_QUEUE_SIZE,
    OTEL_BLRP_SCHEDULE_DELAY,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #885056e263ea5a35 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:43
from opentelemetry.sdk.environment_variables._internal import (
    parse_boolean_environment_variable,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e1ff71f072aebed1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:46
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3fc385d33e8cf437 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:47
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bb4a2fd3697050b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/in_memory_log_exporter.py:9
from opentelemetry.sdk._logs import ReadableLogRecord

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2871ca67c425fa77 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/in_memory_log_exporter.py:10
from opentelemetry.sdk._logs.export import (
    LogRecordExporter,
    LogRecordExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f1c38a261f6a3abc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/export/__init__.py:4
from opentelemetry.sdk._logs._internal.export import (
    BatchLogRecordProcessor,
    ConsoleLogExporter,
    ConsoleLogRecordExporter,
    LogExporter,
    LogExportResult,
    LogRecordExporter,
    LogRecordExportResult,
    SimpleLogRecordProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #763107b47676dfa5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/export/__init__.py:16
from opentelemetry.sdk._logs._internal.export.in_memory_log_exporter import (
    InMemoryLogExporter,
    InMemoryLogRecordExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6c02a231a5252fad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/__init__.py:21
from opentelemetry.context import (
    _SUPPRESS_INSTRUMENTATION_KEY,
    attach,
    detach,
    set_value,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #12881f3dfbf85e1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/__init__.py:27
from opentelemetry.sdk._shared_internal._processor_metrics import (
    ProcessorMetricsT,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3804e612353aefc6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/__init__.py:30
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #831796cb33a4eb45 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/_processor_metrics.py:10
from opentelemetry.metrics import CallbackOptions, MeterProvider, Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #47283f8bc0b08f29 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/_processor_metrics.py:11
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OTEL_COMPONENT_NAME,
    OTEL_COMPONENT_TYPE,
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e248d5a7143bbccc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/_processor_metrics.py:16
from opentelemetry.semconv._incubating.metrics.otel_metrics import (
    OTEL_SDK_PROCESSOR_LOG_QUEUE_SIZE,
    OTEL_SDK_PROCESSOR_SPAN_QUEUE_SIZE,
    create_otel_sdk_processor_log_processed,
    create_otel_sdk_processor_log_queue_capacity,
    create_otel_sdk_processor_span_processed,
    create_otel_sdk_processor_span_queue_capacity,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9f187e7d4f88c8c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/_shared_internal/_processor_metrics.py:24
from opentelemetry.semconv.attributes.error_attributes import ERROR_TYPE

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dc0a3c24cdf1df8e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/error_handler/__init__.py:54
from opentelemetry.util._importlib_metadata import entry_points

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2268900eb3d0e8b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:5
from opentelemetry.sdk.metrics import export, view

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #56a714560d7d1a33 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:6
from opentelemetry.sdk.metrics._internal import Meter, MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e0687678979c4791 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:7
from opentelemetry.sdk.metrics._internal.exceptions import MetricsTimeoutError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e2c61acb83fa76b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:8
from opentelemetry.sdk.metrics._internal.exemplar import (
    AlignedHistogramBucketExemplarReservoir,
    AlwaysOffExemplarFilter,
    AlwaysOnExemplarFilter,
    Exemplar,
    ExemplarFilter,
    ExemplarReservoir,
    SimpleFixedSizeExemplarReservoir,
    TraceBasedExemplarFilter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6ce0a9f4ce92d23e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:18
from opentelemetry.sdk.metrics._internal.instrument import (
    Counter,
    Histogram,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    UpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f8c06a6e94bf418f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/__init__.py:26
from opentelemetry.sdk.metrics._internal.instrument import Gauge as _Gauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #58078800c9f45fcd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:14
import opentelemetry.sdk.metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2c0c32d339613f18 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:15
from opentelemetry.metrics import Counter as APICounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #34533cb460aba32c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:16
from opentelemetry.metrics import Histogram as APIHistogram

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8826c60326165df7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:17
from opentelemetry.metrics import Meter as APIMeter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3fa50dbb98a647fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:18
from opentelemetry.metrics import MeterProvider as APIMeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #beb06ae85fb352d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:19
from opentelemetry.metrics import NoOpMeter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aefacf4cab6a113e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:20
from opentelemetry.metrics import ObservableCounter as APIObservableCounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e84ebb7de88efa89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:21
from opentelemetry.metrics import ObservableGauge as APIObservableGauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3dfb07e9e99dd622 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:22
from opentelemetry.metrics import (
    ObservableUpDownCounter as APIObservableUpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7ed01b527e54af52 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:25
from opentelemetry.metrics import UpDownCounter as APIUpDownCounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0a505c6fe5908147 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:26
from opentelemetry.metrics import _Gauge as APIGauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #776cbc20ccf8d241 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:27
from opentelemetry.sdk.environment_variables import (
    OTEL_METRICS_EXEMPLAR_FILTER,
    OTEL_SDK_DISABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d7dff2d4ea281634 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:31
from opentelemetry.sdk.metrics._internal.exceptions import MetricsTimeoutError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8ec27384dfe0cf95 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:32
from opentelemetry.sdk.metrics._internal.exemplar import (
    AlwaysOffExemplarFilter,
    AlwaysOnExemplarFilter,
    ExemplarFilter,
    TraceBasedExemplarFilter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f2ec320005bc671b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:38
from opentelemetry.sdk.metrics._internal.instrument import (
    _Counter,
    _Gauge,
    _Histogram,
    _ObservableCounter,
    _ObservableGauge,
    _ObservableUpDownCounter,
    _UpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6dbdcf0516d4c18a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:47
from opentelemetry.sdk.metrics._internal.measurement_consumer import (
    MeasurementConsumer,
    SynchronousMeasurementConsumer,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4945b8fa9b658094 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:51
from opentelemetry.sdk.metrics._internal.sdk_configuration import (
    SdkConfiguration,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #37a3594bb293b8f3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:54
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3faf45255b5092b3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:55
from opentelemetry.sdk.util._configurator import RuleBasedConfigurator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f1eed9d475195f0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:56
from opentelemetry.sdk.util.instrumentation import (
    InstrumentationScope,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fd2758800368e92e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:59
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bbb34ba438767748 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:60
from opentelemetry.util.types import (
    Attributes,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aa1bb54c5011af74 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py:11
from opentelemetry.sdk.metrics._internal.aggregation import (
    Aggregation,
    AggregationTemporality,
    DefaultAggregation,
    _Aggregation,
    _SumAggregation,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #145394f24b6cd37f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py:18
from opentelemetry.sdk.metrics._internal.instrument import _Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #58d747deb38a609c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py:19
from opentelemetry.sdk.metrics._internal.measurement import Measurement

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a5ded005a2016768 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py:20
from opentelemetry.sdk.metrics._internal.point import DataPointT

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #442a9171e77e016c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/_view_instrument_match.py:21
from opentelemetry.sdk.metrics._internal.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ee0db10f28579ad0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:20
from opentelemetry.metrics import (
    Asynchronous,
    Counter,
    Histogram,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    Synchronous,
    UpDownCounter,
    _Gauge,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f649f22838b88861 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:31
from opentelemetry.sdk.metrics._internal.exemplar import (
    Exemplar,
    ExemplarReservoirBuilder,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #49a52a959ff4bba9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:35
from opentelemetry.sdk.metrics._internal.exponential_histogram.buckets import (
    Buckets,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9272589349e23091 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:38
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping import (
    Mapping,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8d1fd4f1722576bf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:41
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.exponent_mapping import (
    ExponentMapping,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f466b13e7a5a3107 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:44
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.logarithm_mapping import (
    LogarithmMapping,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #422ff712bc5925cd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:47
from opentelemetry.sdk.metrics._internal.instrument import _Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ca7a4580f4ebccb9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:48
from opentelemetry.sdk.metrics._internal.measurement import Measurement

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2845ba30d9ee8214 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:49
from opentelemetry.sdk.metrics._internal.point import Buckets as BucketsPoint

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6c908730006437b3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:50
from opentelemetry.sdk.metrics._internal.point import (
    ExponentialHistogramDataPoint,
    HistogramDataPoint,
    NumberDataPoint,
    Sum,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4785a8fdf34ebdd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:56
from opentelemetry.sdk.metrics._internal.point import Gauge as GaugePoint

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4ccada2c1ba87d67 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:57
from opentelemetry.sdk.metrics._internal.point import (
    Histogram as HistogramPoint,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f1c47ae5ca83a19f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/aggregation.py:60
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ff2f0bf2d844935a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar.py:6
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1e9d10a2bd8c0a6a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_filter.py:6
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a4dbf3d8a1d9dbab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_filter.py:7
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9c4b29ad6ebca98b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_filter.py:8
from opentelemetry.trace.span import INVALID_SPAN

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #28a98a3107f6ecdb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_filter.py:9
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3891a05e57a3bc5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_reservoir.py:12
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c522407a798724af Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_reservoir.py:13
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a9f45e3289a5b3aa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_reservoir.py:14
from opentelemetry.trace.span import INVALID_SPAN

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #296ed1cd152d04ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exemplar/exemplar_reservoir.py:15
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eefcd7aac16aee5c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/exponent_mapping.py:7
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping import (
    Mapping,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d8357bf637232e39 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/exponent_mapping.py:10
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.errors import (
    MappingOverflowError,
    MappingUnderflowError,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a1214a38b03d9109 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/exponent_mapping.py:14
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.ieee_754 import (
    MANTISSA_WIDTH,
    MAX_NORMAL_EXPONENT,
    MIN_NORMAL_EXPONENT,
    MIN_NORMAL_VALUE,
    get_ieee_754_exponent,
    get_ieee_754_mantissa,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4c6d998e51d7083a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/logarithm_mapping.py:7
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping import (
    Mapping,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1277dcb03443ec7f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/logarithm_mapping.py:10
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.errors import (
    MappingOverflowError,
    MappingUnderflowError,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8325024d9a6d8fe0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/exponential_histogram/mapping/logarithm_mapping.py:14
from opentelemetry.sdk.metrics._internal.exponential_histogram.mapping.ieee_754 import (
    MAX_NORMAL_EXPONENT,
    MIN_NORMAL_EXPONENT,
    MIN_NORMAL_VALUE,
    get_ieee_754_exponent,
    get_ieee_754_mantissa,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d95f46f1ad29020b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:21
import opentelemetry.sdk.metrics._internal

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ff7144669dcad01c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:22
from opentelemetry.context import (
    _SUPPRESS_INSTRUMENTATION_KEY,
    attach,
    detach,
    set_value,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #605b511f3ccf6e8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:28
from opentelemetry.metrics import MeterProvider, NoOpMeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6631fe02020e1510 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:29
from opentelemetry.sdk.environment_variables import (
    OTEL_METRIC_EXPORT_INTERVAL,
    OTEL_METRIC_EXPORT_TIMEOUT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1c3f8b6fd671a763 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:34
from opentelemetry.sdk.environment_variables._internal import (
    parse_boolean_environment_variable,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #833e357f154b95fc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:37
from opentelemetry.sdk.metrics._internal.aggregation import (
    AggregationTemporality,
    DefaultAggregation,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3e6a06cad61d19b2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:41
from opentelemetry.sdk.metrics._internal.exceptions import MetricsTimeoutError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #704eaef0f8e07b81 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:42
from opentelemetry.sdk.metrics._internal.instrument import (
    Counter,
    Gauge,
    Histogram,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    UpDownCounter,
    _Counter,
    _Gauge,
    _Histogram,
    _ObservableCounter,
    _ObservableGauge,
    _ObservableUpDownCounter,
    _UpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a4af20004ffc3a83 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:58
from opentelemetry.sdk.metrics._internal.point import MetricsData

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3afdf3db5de1bef9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:59
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e7bb243643098ef8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:62
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #68bdf0d43546d20a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/_metric_reader_metrics.py:7
from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fd529cd57939710d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/_metric_reader_metrics.py:8
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OTEL_COMPONENT_NAME,
    OTEL_COMPONENT_TYPE,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #698a5c23cde671f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/_metric_reader_metrics.py:12
from opentelemetry.semconv._incubating.metrics.otel_metrics import (
    create_otel_sdk_metric_reader_collection_duration,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #491cb3c562225f72 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:18
from opentelemetry.context import Context, get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cba7e524ed9e0bc6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:19
from opentelemetry.metrics import Asynchronous, CallbackT, Synchronous

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1a79cc6302b5c16d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:20
from opentelemetry.metrics import Counter as APICounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #48c27531b0954d1d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:21
from opentelemetry.metrics import Histogram as APIHistogram

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c4edcfa5a3f9902f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:22
from opentelemetry.metrics import ObservableCounter as APIObservableCounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a972cf6dea0d3528 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:23
from opentelemetry.metrics import ObservableGauge as APIObservableGauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fe5c31f15585f2a9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:24
from opentelemetry.metrics import (
    ObservableUpDownCounter as APIObservableUpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2a0e375e1d99f10f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:27
from opentelemetry.metrics import UpDownCounter as APIUpDownCounter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1ec6b361c903e4b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:28
from opentelemetry.metrics import _Gauge as APIGauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1152b532776f48b8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:29
from opentelemetry.metrics._internal.instrument import (
    CallbackOptions,
    _MetricsHistogramAdvisory,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eb50a80c83d62029 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:33
from opentelemetry.sdk.metrics._internal.measurement import Measurement

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #964f337a35d2acd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:36
    from opentelemetry.sdk.metrics._internal import (
        _ProxyMeterConfig,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7dce4b7de040ecc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:39
    from opentelemetry.sdk.metrics._internal.measurement_consumer import (
        MeasurementConsumer,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e4939a1149ccc02f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/instrument.py:42
    from opentelemetry.sdk.util.instrumentation import InstrumentationScope

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f4edeccec7ca9a21 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement.py:9
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9fa3ddbf1b1830e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement.py:10
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0184820ed1373558 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement.py:13
    from opentelemetry.sdk.metrics._internal.instrument import _Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3151fa90df6e5f8f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:12
import opentelemetry.sdk.metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ac8cffba2c75f5e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:13
import opentelemetry.sdk.metrics._internal.instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e8f3d9339d72a78c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:14
from opentelemetry.metrics._internal.instrument import CallbackOptions

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a795081cc2603bb0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:15
from opentelemetry.sdk.metrics._internal.exceptions import MetricsTimeoutError

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #78894d22a958715e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:16
from opentelemetry.sdk.metrics._internal.measurement import Measurement

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4c4bc66f5bf71b04 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:17
from opentelemetry.sdk.metrics._internal.metric_reader_storage import (
    MetricReaderStorage,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #28f2704421ed767d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/measurement_consumer.py:20
from opentelemetry.sdk.metrics._internal.point import MetricsData

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9da4fc2d3b7fd212 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:8
from opentelemetry.metrics import (
    Asynchronous,
    Counter,
    ObservableCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fd84ec53d3bd1d0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:13
from opentelemetry.sdk.metrics._internal._view_instrument_match import (
    _ViewInstrumentMatch,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7138b1cf121bc856 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:16
from opentelemetry.sdk.metrics._internal.aggregation import (
    Aggregation,
    AggregationTemporality,
    ExplicitBucketHistogramAggregation,
    _DropAggregation,
    _ExplicitBucketHistogramAggregation,
    _ExponentialBucketHistogramAggregation,
    _LastValueAggregation,
    _SumAggregation,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4e1c4fce697b48e1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:26
from opentelemetry.sdk.metrics._internal.instrument import _Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8ff4c7af5dbaabf6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:27
from opentelemetry.sdk.metrics._internal.measurement import Measurement

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #530bf8fa4de5d41f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:28
from opentelemetry.sdk.metrics._internal.point import (
    ExponentialHistogram,
    Gauge,
    Histogram,
    Metric,
    MetricsData,
    ResourceMetrics,
    ScopeMetrics,
    Sum,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d29e52ae799c7497 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:38
from opentelemetry.sdk.metrics._internal.sdk_configuration import (
    SdkConfiguration,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #344f5438506d5679 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:41
from opentelemetry.sdk.metrics._internal.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e9e1efbc69e2787c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/metric_reader_storage.py:42
from opentelemetry.sdk.util.instrumentation import InstrumentationScope

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #985fcec287a370ff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/point.py:11
import opentelemetry.sdk.metrics._internal

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #563bf7c2368f4078 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/point.py:12
from opentelemetry.sdk.metrics._internal.exemplar import Exemplar

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #72925e2251723864 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/point.py:13
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e418c526878f8cb8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/point.py:14
from opentelemetry.sdk.util.instrumentation import InstrumentationScope

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3473b10d285e4d73 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/point.py:15
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e7675936ab2ef346 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/sdk_configuration.py:10
import opentelemetry.sdk.metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fa57116ce2e2b398 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/sdk_configuration.py:11
import opentelemetry.sdk.resources

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4110e84800a6cbf2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/view.py:9
from opentelemetry.metrics import Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #991457d7c853dd8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/view.py:10
from opentelemetry.sdk.metrics._internal.aggregation import (
    Aggregation,
    DefaultAggregation,
    _Aggregation,
    _ExplicitBucketHistogramAggregation,
    _ExponentialBucketHistogramAggregation,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #347db488c37a894c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/view.py:17
from opentelemetry.sdk.metrics._internal.exemplar import (
    AlignedHistogramBucketExemplarReservoir,
    ExemplarReservoirBuilder,
    SimpleFixedSizeExemplarReservoir,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a0c7e51ce0bd7727 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/view.py:22
from opentelemetry.sdk.metrics._internal.instrument import _Instrument

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5bdea88f2ff8d85c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/export/__init__.py:5
from opentelemetry.sdk.metrics._internal.aggregation import (
    AggregationTemporality,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #62bc361cd8d0796a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/export/__init__.py:8
from opentelemetry.sdk.metrics._internal.export import (
    ConsoleMetricExporter,
    InMemoryMetricReader,
    MetricExporter,
    MetricExportResult,
    MetricReader,
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #beb6ebb47709cebf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/export/__init__.py:18
from opentelemetry.sdk.metrics._internal.point import (  # noqa: F401
    Buckets,
    DataPointT,
    DataT,
    ExponentialHistogram,
    ExponentialHistogramDataPoint,
    Gauge,
    Histogram,
    HistogramDataPoint,
    Metric,
    MetricsData,
    NumberDataPoint,
    ResourceMetrics,
    ScopeMetrics,
    Sum,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #66187f52ff8524fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/view/__init__.py:4
from opentelemetry.sdk.metrics._internal.aggregation import (
    Aggregation,
    DefaultAggregation,
    DropAggregation,
    ExplicitBucketHistogramAggregation,
    ExponentialBucketHistogramAggregation,
    LastValueAggregation,
    SumAggregation,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b05f55c8bf180d05 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/view/__init__.py:13
from opentelemetry.sdk.metrics._internal.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ba3bcb00a6f2caaf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:67
from opentelemetry.attributes import BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #264354fbe98dd08b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:68
from opentelemetry.sdk.environment_variables import (
    OTEL_EXPERIMENTAL_RESOURCE_DETECTORS,
    OTEL_RESOURCE_ATTRIBUTES,
    OTEL_SERVICE_NAME,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c2b34cf5c68e92e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:73
from opentelemetry.sdk.version import (
    __version__ as _OPENTELEMETRY_SDK_VERSION,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea4bede83de7fe5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:76
from opentelemetry.semconv.resource import ResourceAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2c038e4a94b74a6e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:77
from opentelemetry.util.types import AttributeValue

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7daf151a68a680dd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:525
    from opentelemetry.util._importlib_metadata import (  # noqa: PLC0415
        entry_points,  # type: ignore[reportUnknownVariableType]

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9fa9e34ab22fe469 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:33
from opentelemetry import context as context_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #52bdefd58c6628d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:34
from opentelemetry import metrics as metrics_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8d13122d55adc397 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:35
from opentelemetry import trace as trace_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #82049b02fcc39165 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:36
from opentelemetry.attributes import BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5416de4d80429026 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:37
from opentelemetry.sdk import util

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e23f8212489e087f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:38
from opentelemetry.sdk.environment_variables import (
    OTEL_ATTRIBUTE_COUNT_LIMIT,
    OTEL_ATTRIBUTE_VALUE_LENGTH_LIMIT,
    OTEL_EVENT_ATTRIBUTE_COUNT_LIMIT,
    OTEL_LINK_ATTRIBUTE_COUNT_LIMIT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,
    OTEL_SDK_DISABLED,
    OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT,
    OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT,
    OTEL_SPAN_EVENT_COUNT_LIMIT,
    OTEL_SPAN_LINK_COUNT_LIMIT,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2c23b4d04b4be019 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:50
from opentelemetry.sdk.environment_variables._internal import (
    parse_boolean_environment_variable,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4f524c53b538af7c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:53
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e0ba3b633d8f3e3b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:54
from opentelemetry.sdk.trace import sampling

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #adef7784db9b38e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:55
from opentelemetry.sdk.trace._tracer_metrics import create_tracer_metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #876075d188538122 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:56
from opentelemetry.sdk.trace.id_generator import IdGenerator, RandomIdGenerator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #67eb3cca109ab5d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:57
from opentelemetry.sdk.util import BoundedList

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6e9e4b8c04bc6053 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:58
from opentelemetry.sdk.util._configurator import RuleBasedConfigurator

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5d852ec2713a9ee6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:59
from opentelemetry.sdk.util.instrumentation import (
    InstrumentationInfo,
    InstrumentationScope,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aeef82b8aac1920c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:63
from opentelemetry.semconv.attributes.exception_attributes import (
    EXCEPTION_ESCAPED,
    EXCEPTION_MESSAGE,
    EXCEPTION_STACKTRACE,
    EXCEPTION_TYPE,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #18af434d69510000 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:69
from opentelemetry.trace import NoOpTracer, SpanContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f387444ed0bd064a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:70
from opentelemetry.trace.status import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #43ef1afbb1a244d2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:71
from opentelemetry.util import types

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0b2f3445659d5e55 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:72
from opentelemetry.util._decorator import _agnosticcontextmanager

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #67a20afc41b214fc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_off.py:8
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c1aec84cca0a4fee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_off.py:9
from opentelemetry.trace import Link, SpanKind, TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #03267595bd3ded99 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_off.py:10
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c4e201493cfcad1b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_on.py:8
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #75a5f6f1c0d4f8d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_on.py:9
from opentelemetry.trace import Link, SpanKind, TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #72ac9a9f6ddb6b06 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_always_on.py:10
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #22aa075628378088 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_composable.py:10
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #30a1978626bc086a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_composable.py:11
from opentelemetry.trace import Link, SpanKind, TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a22bc9a4e0b0a5dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_composable.py:12
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b02b7334493e7026 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_parent_threshold.py:8
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dd4d80d5ed433470 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_parent_threshold.py:9
from opentelemetry.trace import Link, SpanKind, TraceState, get_current_span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cd5837aae12cf2c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_parent_threshold.py:10
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ddc014910b853578 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_rule_based.py:11
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a462472045ed698e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_rule_based.py:12
from opentelemetry.trace import (
    Link,
    SpanKind,
    TraceState,
    get_current_span,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b4b8f035edd4afe4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_rule_based.py:18
from opentelemetry.util.types import AnyValue, Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e63d5370605cd5f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_sampler.py:8
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1b12bc7ebe573f37 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_sampler.py:9
from opentelemetry.sdk.trace.sampling import Decision, Sampler, SamplingResult

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4e41b379b6981fcc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_sampler.py:10
from opentelemetry.trace import Link, SpanKind, TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cc4974399631325f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_sampler.py:11
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #45e9040c38359019 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_trace_state.py:9
from opentelemetry.trace import TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #78b7b071f5b668f1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_traceid_ratio.py:8
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d380d6e572489a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_traceid_ratio.py:9
from opentelemetry.trace import Link, SpanKind, TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #19023e0bab12bd36 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_sampling_experimental/_traceid_ratio.py:10
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #628b6af277dff1df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_tracer_metrics.py:9
from opentelemetry import metrics as metrics_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8a96aabdb9923e4d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_tracer_metrics.py:10
from opentelemetry.sdk.trace.sampling import Decision

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #31daf2f2e11d0193 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_tracer_metrics.py:11
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OTEL_SPAN_PARENT_ORIGIN,
    OTEL_SPAN_SAMPLING_RESULT,
    OtelSpanSamplingResultValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bf39431f31726cdb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_tracer_metrics.py:16
from opentelemetry.semconv._incubating.metrics.otel_metrics import (
    create_otel_sdk_span_live,
    create_otel_sdk_span_started,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4dd0cae0456316f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/_tracer_metrics.py:20
from opentelemetry.trace.span import SpanContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3d70ed663a731af2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:12
from opentelemetry.context import (
    _SUPPRESS_INSTRUMENTATION_KEY,
    Context,
    attach,
    detach,
    set_value,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4114b97ba396ea79 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:19
from opentelemetry.metrics import MeterProvider, get_meter_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #100e8806aec9981d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:20
from opentelemetry.sdk._shared_internal import (
    BatchProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2502e8a6e458a918 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:23
from opentelemetry.sdk._shared_internal._processor_metrics import (
    create_processor_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5a7b0c6bbb3f9c3a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:26
from opentelemetry.sdk.environment_variables import (
    OTEL_BSP_EXPORT_TIMEOUT,
    OTEL_BSP_MAX_EXPORT_BATCH_SIZE,
    OTEL_BSP_MAX_QUEUE_SIZE,
    OTEL_BSP_SCHEDULE_DELAY,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d0dd4f576233da36 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:33
from opentelemetry.sdk.environment_variables._internal import (
    parse_boolean_environment_variable,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #570f9fc9dfcba7e4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:36
from opentelemetry.sdk.trace import ReadableSpan, Span, SpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9609dfd93e3d92c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:37
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cb65f227b19f918f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/in_memory_span_exporter.py:7
from opentelemetry.sdk.trace import ReadableSpan

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #97778b4b5e5913cd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/in_memory_span_exporter.py:8
from opentelemetry.sdk.trace.export import SpanExporter, SpanExportResult

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #91bae813c9d078cf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/id_generator.py:7
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fe8a09abc115f462 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:135
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ca6d23132c13c65a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:136
from opentelemetry.sdk.environment_variables import (
    OTEL_TRACES_SAMPLER,
    OTEL_TRACES_SAMPLER_ARG,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #efa4439d0f853175 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:140
from opentelemetry.trace import Link, SpanKind, get_current_span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cd5e641814424372 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:141
from opentelemetry.trace.span import TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #03562fcc5e3aa1f8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:142
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3dcae49b7a213dc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/util/__init__.pyi:28
from opentelemetry.util.types import AttributesAsKey, AttributeValue

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c314685c5ef7165d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/util/_configurator.py:6
from opentelemetry.sdk.util.instrumentation import (
    InstrumentationScope,
    _InstrumentationScopePredicateT,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #33214a1540bdf077 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/util/instrumentation.py:9
from opentelemetry.attributes import BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #602ae8aaaacb9770 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/sdk/util/instrumentation.py:10
from opentelemetry.util.types import (  # TODO: see if we can remove F401 when using new sphinx version # noqa: F401 # pylint: disable=unused-import
    AnyValue,
    Attributes,
    _ExtendedAttributes,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 48 low-confidence finding(s)
low env_fs dependency Excluded from app score #5b2fe377fb888ef4 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:154
    return environ.get(OTEL_TRACES_SAMPLER, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dccb7d4967a3cc6e Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:158
    return environ.get(OTEL_PYTHON_ID_GENERATOR, _DEFAULT_ID_GENERATOR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f978eeeb5e8d7c38 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:162
    return environ.get(OTEL_PYTHON_TRACER_CONFIGURATOR, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5900fe1a51d628e7 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:166
    return environ.get(OTEL_PYTHON_METER_CONFIGURATOR, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c1fcc4279394736 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:170
    return environ.get(OTEL_PYTHON_LOGGER_CONFIGURATOR, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8941632d9ae483b Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:184
    otlp_protocol = environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63baf0646fc99ea9 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:184
    otlp_protocol = environ.get(
        _PROTOCOL_ENV_BY_SIGNAL_TYPE[signal_type]
    ) or environ.get(OTEL_EXPORTER_OTLP_PROTOCOL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c16085ff229d1c9 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:186
    ) or environ.get(OTEL_EXPORTER_OTLP_PROTOCOL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f8f417a068e8f38 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:220
    names = environ.get(_EXPORTER_ENV_BY_SIGNAL_TYPE.get(signal_type, ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31c11ad170aef211 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:506
                rate = float(os.getenv(OTEL_TRACES_SAMPLER_ARG, ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79a44323dc146873 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:514
            arg = os.getenv(OTEL_TRACES_SAMPLER_ARG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1db535af8a6268 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:663
            os.getenv(
                _OTEL_PYTHON_LOGGING_AUTO_INSTRUMENTATION_ENABLED, "false"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca8a393370515ddd Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/__init__.py:724
        if config_file := environ.get(OTEL_CONFIG_FILE):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4e255b8d00dbd30 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/_resource.py:145
    if service_name := os.environ.get(OTEL_SERVICE_NAME):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac9265a50ceb6001 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_env_substitution.py:60
        value = os.environ.get(var_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d7e83515b7ad83e Filesystem access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:54
            json.loads(schema_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94150545c093879a Filesystem access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_configuration/file/_loader.py:97
        with open(path, encoding="utf-8") as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad271e578cd9280f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:170
            if env_var not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddce98a07057ae66 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:173
            str_value = environ.get(env_var, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4037cdda871185f2 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/__init__.py:800
        disabled = environ.get(OTEL_SDK_DISABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #111fd473051270c9 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:338
                environ.get(OTEL_BLRP_MAX_QUEUE_SIZE, _DEFAULT_MAX_QUEUE_SIZE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a026511885935a3 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:352
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c27b5addb2d6a22 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:352
                environ.get(
                    OTEL_BLRP_SCHEDULE_DELAY, _DEFAULT_SCHEDULE_DELAY_MILLIS
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be66751896524996 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:368
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14b478f9b0788156 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:368
                environ.get(
                    OTEL_BLRP_MAX_EXPORT_BATCH_SIZE,
                    _DEFAULT_MAX_EXPORT_BATCH_SIZE,
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e655826965efd755 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:385
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1bcdf289fd4b9ea Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/_logs/_internal/export/__init__.py:385
                environ.get(
                    OTEL_BLRP_EXPORT_TIMEOUT, _DEFAULT_EXPORT_TIMEOUT_MILLIS
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #881e2aa0e8d64d3f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/environment_variables/_internal.py:13
    value = environ.get(environment_variable)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d129aa70a9eac7e3 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:489
                    environ.get(OTEL_METRICS_EXEMPLAR_FILTER, "trace_based")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d49d716864c4fd51 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/__init__.py:500
        disabled = environ.get(OTEL_SDK_DISABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f44f1901a1221e88 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:498
                    environ.get(OTEL_METRIC_EXPORT_INTERVAL, 60000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0db97fecb63aa025 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/metrics/_internal/export/__init__.py:508
                    environ.get(OTEL_METRIC_EXPORT_TIMEOUT, 30000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10c82ffd7ac8ff97 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:300
        env_resources_items = environ.get(OTEL_RESOURCE_ATTRIBUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a790047f9931cd3e Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:317
        service_name = environ.get(OTEL_SERVICE_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #367eda3745aadff8 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:511
                for name in environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8449e5c789b74917 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/resources/__init__.py:511
                for name in environ.get(
                    OTEL_EXPERIMENTAL_RESOURCE_DETECTORS, ""
                ).split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d38cae8c8d5bc04 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:735
            if env_var not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #136ddf776b3724f5 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:738
            str_value = environ.get(env_var, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a34bf9330e532057 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/__init__.py:1335
        disabled = environ.get(OTEL_SDK_DISABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #013214dbd7ec749f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:242
                environ.get(OTEL_BSP_MAX_QUEUE_SIZE, _DEFAULT_MAX_QUEUE_SIZE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c55765b11d811d8 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:256
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #392ef9907629df34 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:256
                environ.get(
                    OTEL_BSP_SCHEDULE_DELAY, _DEFAULT_SCHEDULE_DELAY_MILLIS
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f79b4b3eff5dbe84 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:272
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3cea31897139adf Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:272
                environ.get(
                    OTEL_BSP_MAX_EXPORT_BATCH_SIZE,
                    _DEFAULT_MAX_EXPORT_BATCH_SIZE,
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd55ee35b1ce0c40 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:289
                environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ca9a293d735db7b Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/export/__init__.py:289
                environ.get(
                    OTEL_BSP_EXPORT_TIMEOUT, _DEFAULT_EXPORT_TIMEOUT_MILLIS
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b321d20d17c78fd7 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:421
    trace_sampler = os.getenv(
        OTEL_TRACES_SAMPLER, "parentbased_always_on"
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daa1e56147c66018 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/sdk/trace/sampling.py:430
            rate = float(os.getenv(OTEL_TRACES_SAMPLER_ARG, ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

opentelemetry-api

python dependency
medium telemetry dependency Excluded from app score #58dc1845d721f917 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:13
from opentelemetry._logs import LogRecord

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #30763cc67a3888d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:14
from opentelemetry._logs.severity import SeverityNumber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f73fa03936dd401d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:15
from opentelemetry.environment_variables import (
    _OTEL_PYTHON_EVENT_LOGGER_PROVIDER,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6b34379694016668 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:18
from opentelemetry.trace.span import TraceFlags

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea35070e45a9229c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:19
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dc5cf3d11cc17273 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:20
from opentelemetry.util._providers import _load_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b864b00e578c8f47 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:21
from opentelemetry.util.types import AnyValue, _ExtendedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #552594b8d0829e8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/__init__.py:25
from opentelemetry._logs._internal import (
    Logger,
    LoggerProvider,
    LogRecord,
    NoOpLogger,
    NoOpLoggerProvider,
    get_logger,
    get_logger_provider,
    set_logger_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0f800d010d209f4c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/__init__.py:35
from opentelemetry._logs.severity import SeverityNumber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9d8b1fd3040e0e28 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:35
from opentelemetry._logs.severity import SeverityNumber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bcbf2c5c2b461d79 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:36
from opentelemetry.context import get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0ea25f94bed8935d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:37
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4846a700bf075178 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:38
from opentelemetry.environment_variables import _OTEL_PYTHON_LOGGER_PROVIDER

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ed5ed2c052b8dc9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:39
from opentelemetry.trace import get_current_span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dd4a81e31fa15c60 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:40
from opentelemetry.trace.span import TraceFlags

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b91e8f8d1792fe88 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:41
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #052a84715e7e9678 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:42
from opentelemetry.util._providers import _load_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dc39bd0b01bbf818 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:43
from opentelemetry.util.types import AnyValue, _ExtendedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7d68b6d0ef6eb757 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/attributes/__init__.py:10
from opentelemetry.util import types

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f85ae77b499af5d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/__init__.py:9
from opentelemetry.context import create_key, get_value, set_value

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cb933a95cfc912c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/__init__.py:10
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d6b37f8b375ea689 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/__init__.py:11
from opentelemetry.util.re import (
    _BAGGAGE_PROPERTY_FORMAT,
    _KEY_FORMAT,
    _VALUE_FORMAT,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dbcba3350a240673 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/propagation/__init__.py:9
from opentelemetry.baggage import _is_valid_pair, get_all, set_baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aa74c653389828c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/propagation/__init__.py:10
from opentelemetry.context import get_current

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d8546aa72c6e237 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/propagation/__init__.py:11
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #05f05b3b2ff76a5d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/propagation/__init__.py:12
from opentelemetry.propagators import textmap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f130b7ebb59ed198 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/baggage/propagation/__init__.py:13
from opentelemetry.util.re import _DELIMITER_PATTERN

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c8ac906f17f83c07 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/context/__init__.py:12
from opentelemetry.context.context import Context, _RuntimeContext  # noqa

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d1e8db8827f1d2af Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/context/__init__.py:13
from opentelemetry.context.contextvars_context import ContextVarsRuntimeContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f500bb60fa0541d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/context/__init__.py:14
from opentelemetry.environment_variables import OTEL_PYTHON_CONTEXT

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d94d03162ef7b090 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/context/__init__.py:30
    from opentelemetry.util._importlib_metadata import (  # noqa: PLC0415
        entry_points,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5efafd60e0715a2b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/context/contextvars_context.py:8
from opentelemetry.context.context import Context, _RuntimeContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7293f0ea7156860a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/__init__.py:31
from opentelemetry.metrics._internal import (
    Meter,
    MeterProvider,
    NoOpMeter,
    NoOpMeterProvider,
    get_meter,
    get_meter_provider,
    set_meter_provider,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6c957622262ddd34 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/__init__.py:40
from opentelemetry.metrics._internal.instrument import (
    Asynchronous,
    CallbackOptions,
    CallbackT,
    Counter,
    Histogram,
    Instrument,
    NoOpCounter,
    NoOpHistogram,
    NoOpObservableCounter,
    NoOpObservableGauge,
    NoOpObservableUpDownCounter,
    NoOpUpDownCounter,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    Synchronous,
    UpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b14466dbba8d8be8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/__init__.py:59
from opentelemetry.metrics._internal.instrument import Gauge as _Gauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9ab0294290f3f861 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/__init__.py:60
from opentelemetry.metrics._internal.instrument import NoOpGauge as _NoOpGauge

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f0a05fbf0e3f4a70 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/__init__.py:61
from opentelemetry.metrics._internal.observation import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #11d6e141438c49d1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:41
from opentelemetry.environment_variables import OTEL_PYTHON_METER_PROVIDER

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ac9be3f052507974 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:42
from opentelemetry.metrics._internal.instrument import (
    CallbackT,
    Counter,
    Gauge,
    Histogram,
    NoOpCounter,
    NoOpGauge,
    NoOpHistogram,
    NoOpObservableCounter,
    NoOpObservableGauge,
    NoOpObservableUpDownCounter,
    NoOpUpDownCounter,
    ObservableCounter,
    ObservableGauge,
    ObservableUpDownCounter,
    UpDownCounter,
    _MetricsHistogramAdvisory,
    _ProxyCounter,
    _ProxyGauge,
    _ProxyHistogram,
    _ProxyObservableCounter,
    _ProxyObservableGauge,
    _ProxyObservableUpDownCounter,
    _ProxyUpDownCounter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9db074c6303af9c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:67
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f97a46ec3baa0e3a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:68
from opentelemetry.util._providers import _load_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e5359cd12e791243 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:69
from opentelemetry.util.types import (
    Attributes,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e22e9af89da9273f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/instrument.py:18
from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #adfa8ea8dd7539d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/instrument.py:19
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e5f1ccd904af573f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/instrument.py:20
from opentelemetry.metrics._internal.observation import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #067e35fc6b7cfa49 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/instrument.py:21
from opentelemetry.util.types import (
    Attributes,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e83cb5192930701c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/observation.py:5
from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #aefbfc9433b33665 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/observation.py:6
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bed16e7bc45ef9ac Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:63
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4f9614e38aaf1597 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:64
from opentelemetry.environment_variables import OTEL_PROPAGATORS

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f7902ae13f5da872 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:65
from opentelemetry.propagators import composite, textmap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f8d102fda05f93e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:115
        from opentelemetry.baggage.propagation import (  # noqa: PLC0415
            W3CBaggagePropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2922a0b16b4a0467 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:120
        from opentelemetry.trace.propagation.tracecontext import (  # noqa: PLC0415
            TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c469c5ac57cb3bf2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:129
    from opentelemetry.util._importlib_metadata import (  # noqa: PLC0415
        entry_points,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6405e2ee2384a006 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagators/_envcarrier.py:8
from opentelemetry.propagators.textmap import Getter, Setter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ae00de63aa598dd5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagators/composite.py:8
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #15fab5bc8cb7a8e4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagators/composite.py:9
from opentelemetry.propagators import textmap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0066a48b7c153af9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/propagators/textmap.py:8
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ed224210474c34c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:74
from opentelemetry import context as context_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #63d920ef8409edf9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:75
from opentelemetry.attributes import BoundedAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f79d5d8d5e579251 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:76
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ddc04c024630b8cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:77
from opentelemetry.environment_variables import OTEL_PYTHON_TRACER_PROVIDER

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7b2e1ffec908b911 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:78
from opentelemetry.trace.propagation import (
    _SPAN_KEY,
    get_current_span,
    set_span_in_context,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #765c746efcf0e2e6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:83
from opentelemetry.trace.span import (
    DEFAULT_TRACE_OPTIONS,
    DEFAULT_TRACE_STATE,
    INVALID_SPAN,
    INVALID_SPAN_CONTEXT,
    INVALID_SPAN_ID,
    INVALID_TRACE_ID,
    NonRecordingSpan,
    Span,
    SpanContext,
    TraceFlags,
    TraceState,
    format_span_id,
    format_trace_id,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #72da4af517a1c8df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:98
from opentelemetry.trace.status import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7405323ffcf168b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:99
from opentelemetry.util import types

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e0c6de463f58fa59 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:100
from opentelemetry.util._decorator import _agnosticcontextmanager

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6e4708f2431a2acc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:101
from opentelemetry.util._once import Once

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #75eb6578b466e97c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:102
from opentelemetry.util._providers import _load_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c9779419661a792f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/__init__.py:4
from opentelemetry.context import create_key, get_value, set_value

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9e95999c88490d27 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/__init__.py:5
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4755bf515c40d414 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/__init__.py:6
from opentelemetry.trace.span import INVALID_SPAN, Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7f6a71c206b4b089 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/tracecontext.py:6
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d75f95d967aa95a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/tracecontext.py:7
from opentelemetry.context.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7ab058d2358a371f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/tracecontext.py:8
from opentelemetry.propagators import textmap

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2773cad0fee2d1d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/tracecontext.py:9
from opentelemetry.trace import format_span_id, format_trace_id

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #14a76f79f7bf11bc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/propagation/tracecontext.py:10
from opentelemetry.trace.span import TraceState

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c8d28f5f22c4e652 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/span.py:14
from opentelemetry.trace.status import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eefc02230ec077e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/trace/span.py:15
from opentelemetry.util import types

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #376ebcad86b9e9cc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/util/_providers.py:9
    from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fc12e21758c7cbd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/util/_providers.py:10
    from opentelemetry.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #346327af673178f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/util/_providers.py:21
    from opentelemetry.util._importlib_metadata import (  # noqa: PLC0415
        entry_points,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #93a0f9f086b18a90 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/_events/__init__.py:202
        if _OTEL_PYTHON_EVENT_LOGGER_PROVIDER not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7a857c51b7ffcfc Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/_logs/_internal/__init__.py:394
        if _OTEL_PYTHON_LOGGER_PROVIDER not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #452ce6d402ef9aa2 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/context/__init__.py:25
    configured_context = os.environ.get(OTEL_PYTHON_CONTEXT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8d815b5fa7146d6 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/metrics/_internal/__init__.py:868
        if OTEL_PYTHON_METER_PROVIDER not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16490128231ef130 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:112
    configured = environ.get(OTEL_PROPAGATORS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63c2787448e2c56b Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/propagate/__init__.py:167
environ_propagators = environ.get(OTEL_PROPAGATORS, "tracecontext,baggage")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6657f851159e7b3 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/propagators/_envcarrier.py:50
            k: v for k, v in os.environ.items() if _is_normalized_key(k)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41adf7c9e8f4766a Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/trace/__init__.py:573
        if OTEL_PYTHON_TRACER_PROVIDER not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #414db070aa353a74 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/util/_providers.py:28
            environ.get(provider_environment_variable, f"default_{provider}"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

opentelemetry-exporter-otlp-proto-http

python dependency
medium telemetry dependency Excluded from app score #74e8cc93a6aea2c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_common/__init__.py:9
from opentelemetry.sdk.environment_variables import (
    _OTEL_PYTHON_EXPORTER_OTLP_HTTP_CREDENTIAL_PROVIDER,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #61feb44634196dae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_common/__init__.py:12
from opentelemetry.util._importlib_metadata import entry_points

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7bf3763162382c5a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:19
from opentelemetry.exporter.otlp.proto.common._exporter_metrics import (
    create_exporter_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8746a5fd569ab84e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:22
from opentelemetry.exporter.otlp.proto.common._log_encoder import encode_logs

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5631fefbd50894fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:23
from opentelemetry.exporter.otlp.proto.http import (
    _OTLP_HTTP_HEADERS,
    Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c5548694100dd942 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:27
from opentelemetry.exporter.otlp.proto.http._common import (
    _is_retryable,
    _load_session_from_envvar,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #13022c1b77c2a1a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:31
from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #916a35b1dfda92fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:32
from opentelemetry.sdk._logs import ReadableLogRecord

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #85ff22fcbc726b34 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:33
from opentelemetry.sdk._logs.export import (
    LogRecordExporter,
    LogRecordExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c9d60284a3239b2d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:37
from opentelemetry.sdk._shared_internal import DuplicateFilter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0e8e4896344b4b4b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:38
from opentelemetry.sdk.environment_variables import (
    _OTEL_PYTHON_EXPORTER_OTLP_HTTP_LOGS_CREDENTIAL_PROVIDER,
    OTEL_EXPORTER_OTLP_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_COMPRESSION,
    OTEL_EXPORTER_OTLP_ENDPOINT,
    OTEL_EXPORTER_OTLP_HEADERS,
    OTEL_EXPORTER_OTLP_LOGS_CERTIFICATE,
    OTEL_EXPORTER_OTLP_LOGS_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_LOGS_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_LOGS_COMPRESSION,
    OTEL_EXPORTER_OTLP_LOGS_ENDPOINT,
    OTEL_EXPORTER_OTLP_LOGS_HEADERS,
    OTEL_EXPORTER_OTLP_LOGS_TIMEOUT,
    OTEL_EXPORTER_OTLP_TIMEOUT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #20fb8231eae78a8d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:56
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c67087c4636f0f1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:59
from opentelemetry.semconv.attributes.http_attributes import (
    HTTP_RESPONSE_STATUS_CODE,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e15b68df13584205 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:62
from opentelemetry.util.re import parse_env_headers

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #3485f7d51bf5b8b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:25
from opentelemetry.exporter.otlp.proto.common._exporter_metrics import (
    create_exporter_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d57af650e2db145f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:28
from opentelemetry.exporter.otlp.proto.common._internal import (
    _get_resource_data,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #051da602b6d46ea7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:31
from opentelemetry.exporter.otlp.proto.common._internal.metrics_encoder import (
    OTLPMetricExporterMixin,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1f22eee95b8a204b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:34
from opentelemetry.exporter.otlp.proto.common.metrics_encoder import (
    encode_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a807f8217d1c3347 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:37
from opentelemetry.exporter.otlp.proto.http import (
    _OTLP_HTTP_HEADERS,
    Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #370e89f44cfdd564 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:41
from opentelemetry.exporter.otlp.proto.http._common import (
    _is_retryable,
    _load_session_from_envvar,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7dafd5ebb2a57150 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:45
from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #934a1e7254211e19 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:46
from opentelemetry.proto.collector.metrics.v1.metrics_service_pb2 import (  # noqa: F401
    ExportMetricsServiceRequest,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f3cab28a3536bedb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:49
from opentelemetry.proto.common.v1.common_pb2 import (  # noqa: F401
    AnyValue,
    ArrayValue,
    InstrumentationScope,
    KeyValue,
    KeyValueList,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #378e5fed039f1f2a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:56
from opentelemetry.proto.metrics.v1 import metrics_pb2 as pb2

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f911a2b8c5311695 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:57
from opentelemetry.proto.resource.v1.resource_pb2 import Resource  # noqa: F401

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8190c37a840d969f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:58
from opentelemetry.proto.resource.v1.resource_pb2 import (
    Resource as PB2Resource,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #794f0ddee3573efe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:61
from opentelemetry.sdk.environment_variables import (
    _OTEL_PYTHON_EXPORTER_OTLP_HTTP_METRICS_CREDENTIAL_PROVIDER,
    OTEL_EXPORTER_OTLP_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_COMPRESSION,
    OTEL_EXPORTER_OTLP_ENDPOINT,
    OTEL_EXPORTER_OTLP_HEADERS,
    OTEL_EXPORTER_OTLP_METRICS_CERTIFICATE,
    OTEL_EXPORTER_OTLP_METRICS_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_METRICS_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_METRICS_COMPRESSION,
    OTEL_EXPORTER_OTLP_METRICS_ENDPOINT,
    OTEL_EXPORTER_OTLP_METRICS_HEADERS,
    OTEL_EXPORTER_OTLP_METRICS_TIMEOUT,
    OTEL_EXPORTER_OTLP_TIMEOUT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #01538b305890b2ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:79
from opentelemetry.sdk.metrics._internal.aggregation import Aggregation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #68ec5dd24729c91b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:80
from opentelemetry.sdk.metrics.export import (  # noqa: F401
    AggregationTemporality,
    Gauge,
    MetricExporter,
    MetricExportResult,
    MetricsData,
    Sum,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5a3a5610638b6d97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:88
from opentelemetry.sdk.metrics.export import (  # noqa: F401
    Histogram as HistogramType,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #45f12834547d93fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:91
from opentelemetry.sdk.resources import Resource as SDKResource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4aa300bac1f520fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:92
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d295f7186a5b90e6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:95
from opentelemetry.semconv.attributes.http_attributes import (
    HTTP_RESPONSE_STATUS_CODE,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #48eea9542540b5d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:98
from opentelemetry.util.re import parse_env_headers

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #723f04bad62b3712 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:19
from opentelemetry.exporter.otlp.proto.common._exporter_metrics import (
    create_exporter_metrics,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f9f9ae4ac0b1bde5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:22
from opentelemetry.exporter.otlp.proto.common.trace_encoder import (
    encode_spans,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4a3894718959fcb0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:25
from opentelemetry.exporter.otlp.proto.http import (
    _OTLP_HTTP_HEADERS,
    Compression,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2821071644c2fa4e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:29
from opentelemetry.exporter.otlp.proto.http._common import (
    _is_retryable,
    _load_session_from_envvar,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5114d87428c408e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:33
from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #88ed7934786e2cd2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:34
from opentelemetry.sdk.environment_variables import (
    _OTEL_PYTHON_EXPORTER_OTLP_HTTP_TRACES_CREDENTIAL_PROVIDER,
    OTEL_EXPORTER_OTLP_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_COMPRESSION,
    OTEL_EXPORTER_OTLP_ENDPOINT,
    OTEL_EXPORTER_OTLP_HEADERS,
    OTEL_EXPORTER_OTLP_TIMEOUT,
    OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE,
    OTEL_EXPORTER_OTLP_TRACES_CLIENT_CERTIFICATE,
    OTEL_EXPORTER_OTLP_TRACES_CLIENT_KEY,
    OTEL_EXPORTER_OTLP_TRACES_COMPRESSION,
    OTEL_EXPORTER_OTLP_TRACES_ENDPOINT,
    OTEL_EXPORTER_OTLP_TRACES_HEADERS,
    OTEL_EXPORTER_OTLP_TRACES_TIMEOUT,
    OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e6f8af9bfc7d4753 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:52
from opentelemetry.sdk.trace import ReadableSpan

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #34c2937b50f56ef3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:53
from opentelemetry.sdk.trace.export import SpanExporter, SpanExportResult

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5c5a30d85462167c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:54
from opentelemetry.semconv._incubating.attributes.otel_attributes import (
    OtelComponentTypeValues,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #41f9d172eb82c75e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:57
from opentelemetry.semconv.attributes.http_attributes import (
    HTTP_RESPONSE_STATUS_CODE,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fb9b7ad1bfd463a0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:60
from opentelemetry.util.re import parse_env_headers

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0f8bc72dc1570b3e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:8
from opentelemetry.proto.collector.trace.v1.trace_service_pb2 import (  # noqa: F401
    ExportTraceServiceRequest as PB2ExportTraceServiceRequest,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4ccccd28b8581867 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:11
from opentelemetry.proto.common.v1.common_pb2 import (  # noqa: F401
    AnyValue as PB2AnyValue,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1891261aa4b0d0ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:14
from opentelemetry.proto.common.v1.common_pb2 import (  # noqa: F401
    ArrayValue as PB2ArrayValue,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cbbc673df2b64b05 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:17
from opentelemetry.proto.common.v1.common_pb2 import (  # noqa: F401
    InstrumentationScope as PB2InstrumentationScope,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5996b08b7739767a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:20
from opentelemetry.proto.common.v1.common_pb2 import (  # noqa: F401
    KeyValue as PB2KeyValue,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #30a95a3d1aa83611 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:23
from opentelemetry.proto.resource.v1.resource_pb2 import (  # noqa: F401
    Resource as PB2Resource,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0f99e65369e6ed25 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:26
from opentelemetry.proto.trace.v1.trace_pb2 import (  # noqa: F401
    ResourceSpans as PB2ResourceSpans,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8edc520317e8b517 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:29
from opentelemetry.proto.trace.v1.trace_pb2 import (  # noqa: F401
    ScopeSpans as PB2ScopeSpans,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7d9fba6dc42e66de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:32
from opentelemetry.proto.trace.v1.trace_pb2 import (  # noqa: F401
    Span as PB2SPan,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f1d8c1595dc3212b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:35
from opentelemetry.proto.trace.v1.trace_pb2 import (  # noqa: F401
    Status as PB2Status,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1fced0b16aee0f1f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:38
from opentelemetry.sdk.trace import (
    Event,  # noqa: F401
    Resource,  # noqa: F401

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4facdbe4613718e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:42
from opentelemetry.sdk.trace import Span as SDKSpan  # noqa: F401

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ba4994d7ea0dabb3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:43
from opentelemetry.sdk.util.instrumentation import (  # noqa: F401
    InstrumentationScope,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c26fc81626cecc81 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:46
from opentelemetry.trace import (
    Link,  # noqa: F401
    SpanKind,  # noqa: F401

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #76e9ac83738bcab2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:50
from opentelemetry.trace.span import (  # noqa: F401
    SpanContext,
    Status,
    TraceState,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #504391788a2880a0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/encoder/__init__.py:55
from opentelemetry.util.types import Attributes  # noqa: F401

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 70 low-confidence finding(s)
low env_fs dependency Excluded from app score #51572663b3e501f9 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_common/__init__.py:30
    _credential_env = environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffdf0bec3c2abae6 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_common/__init__.py:30
    _credential_env = environ.get(
        _OTEL_PYTHON_EXPORTER_OTLP_HTTP_CREDENTIAL_PROVIDER
    ) or environ.get(cred_envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #217daafe8a9f45bc Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_common/__init__.py:32
    ) or environ.get(cred_envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d45f0063508fbc0 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:91
        self._endpoint = endpoint or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f69c3dfffc1c7e5d Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:91
        self._endpoint = endpoint or environ.get(
            OTEL_EXPORTER_OTLP_LOGS_ENDPOINT,
            _append_logs_path(
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)
            ),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c9413d0369923b5 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:94
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36168739a6c27a2f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:98
        self._certificate_file = certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c132bfaeb0eb4bd Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:98
        self._certificate_file = certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_LOGS_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2409ddbdb27e3895 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:100
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60e2970a82ea6eb1 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:102
        self._client_key_file = client_key_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f88681d96eb8ebe Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:102
        self._client_key_file = client_key_file or environ.get(
            OTEL_EXPORTER_OTLP_LOGS_CLIENT_KEY,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cb03cf631ced8bb Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:104
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3de3042312713294 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:106
        self._client_certificate_file = client_certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2daa0417e685ee87 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:106
        self._client_certificate_file = client_certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_LOGS_CLIENT_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1b74439c9b6b010 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:108
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3883a002b49128f9 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:115
        headers_string = environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab2768112494da56 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:115
        headers_string = environ.get(
            OTEL_EXPORTER_OTLP_LOGS_HEADERS,
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f605fdc896e0a9c4 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:117
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8b93988efdd520c Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:123
            environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #172d482888b7e240 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:123
            environ.get(
                OTEL_EXPORTER_OTLP_LOGS_TIMEOUT,
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5acf3784765cb0e Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:125
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6dfe62b82ec3ed98 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:151
            os.environ.get(OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b809fa9d64b47ef8 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:280
        environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4e9eab1c2b08786 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:280
        environ.get(
            OTEL_EXPORTER_OTLP_LOGS_COMPRESSION,
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7b965eab64a54c7 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/_log_exporter/__init__.py:282
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9dff7f55eadafab Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:150
        self._endpoint = endpoint or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #504d5049a287962d Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:150
        self._endpoint = endpoint or environ.get(
            OTEL_EXPORTER_OTLP_METRICS_ENDPOINT,
            _append_metrics_path(
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)
            ),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d2f539bc8ec2246 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:153
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e1ef8603bf60889 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:156
        self._certificate_file = certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6773c72bbda1f62f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:156
        self._certificate_file = certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_METRICS_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b4e8189c9dcff31 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:158
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b7cd4ba08dcacf2 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:160
        self._client_key_file = client_key_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3618f3bad573805 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:160
        self._client_key_file = client_key_file or environ.get(
            OTEL_EXPORTER_OTLP_METRICS_CLIENT_KEY,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a741b7639a21e03 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:162
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c57ea9b081be553b Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:164
        self._client_certificate_file = client_certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fcad33a92566d42 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:164
        self._client_certificate_file = client_certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_METRICS_CLIENT_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9aa3e045d7793bf0 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:166
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #484bcc770a47e1c0 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:173
        headers_string = environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7ba5be11f30c2f7 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:173
        headers_string = environ.get(
            OTEL_EXPORTER_OTLP_METRICS_HEADERS,
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc4da113909b5bae Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:175
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2c154cc8c506cd6 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:181
            environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #267d7261f8d324af Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:181
            environ.get(
                OTEL_EXPORTER_OTLP_METRICS_TIMEOUT,
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13521794cc6b08a1 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:183
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc22619305720dba Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:214
            os.environ.get(OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e16ca5ed3d518cd7 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:400
            os.environ.get(OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8ceb3e80afde6ac Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:729
        environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #075b87fafb28180a Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:729
        environ.get(
            OTEL_EXPORTER_OTLP_METRICS_COMPRESSION,
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f18a9098a42a510 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/metric_exporter/__init__.py:731
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc40b43886c3bbd1 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:87
        self._endpoint = endpoint or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56797bf429fc5ddf Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:87
        self._endpoint = endpoint or environ.get(
            OTEL_EXPORTER_OTLP_TRACES_ENDPOINT,
            _append_trace_path(
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)
            ),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e74758f6a798e5ff Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:90
                environ.get(OTEL_EXPORTER_OTLP_ENDPOINT, DEFAULT_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a065fb53a441d06f Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:93
        self._certificate_file = certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec5e2d38bd7552b Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:93
        self._certificate_file = certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_TRACES_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7be59137fb23782 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:95
            environ.get(OTEL_EXPORTER_OTLP_CERTIFICATE, True),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e9613619ec9feaa Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:97
        self._client_key_file = client_key_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e09da60c11958e1 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:97
        self._client_key_file = client_key_file or environ.get(
            OTEL_EXPORTER_OTLP_TRACES_CLIENT_KEY,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9451fe158ea84e3 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:99
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_KEY, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #412b12447be39c96 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:101
        self._client_certificate_file = client_certificate_file or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #488fa05ed29abffe Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:101
        self._client_certificate_file = client_certificate_file or environ.get(
            OTEL_EXPORTER_OTLP_TRACES_CLIENT_CERTIFICATE,
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f058304c8ff4ba0 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:103
            environ.get(OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE, None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d8ff5526670c99 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:110
        headers_string = environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fc3d12a50d91740 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:110
        headers_string = environ.get(
            OTEL_EXPORTER_OTLP_TRACES_HEADERS,
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #508784d0cdcc7e39 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:112
            environ.get(OTEL_EXPORTER_OTLP_HEADERS, ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f60e7dd9e35474e Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:118
            environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52459e1ed02155fa Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:118
            environ.get(
                OTEL_EXPORTER_OTLP_TRACES_TIMEOUT,
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f479480e15043c11 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:120
                environ.get(OTEL_EXPORTER_OTLP_TIMEOUT, DEFAULT_TIMEOUT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d48176ae3ad84db3 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:146
            os.environ.get(OTEL_PYTHON_SDK_INTERNAL_METRICS_ENABLED, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2cfd7493a59d883 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:273
        environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28a9dcdd04977367 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:273
        environ.get(
            OTEL_EXPORTER_OTLP_TRACES_COMPRESSION,
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #045361716b5d6936 Environment-variable access.
pkgs/python/[email protected]/src/opentelemetry/exporter/otlp/proto/http/trace_exporter/__init__.py:275
            environ.get(OTEL_EXPORTER_OTLP_COMPRESSION, "none"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

patronus

python dependency
medium telemetry tooling reachable #6047daebeb4ea346 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:3
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #58400ae5c7cedeb6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:4
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #0142c0573e34036b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:5
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #6b6ee585e37e11b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:6
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #b330a02d7800819e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/crewai_weather.py:15
from opentelemetry.instrumentation.threading import ThreadingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #0628661cd48a27e1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/crewai_weather.py:16
from opentelemetry.instrumentation.asyncio import AsyncioInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #88ad71012c505f78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/langchain_weather.py:28
from opentelemetry.instrumentation.threading import ThreadingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #546919bd317ee398 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/langchain_weather.py:29
from opentelemetry.instrumentation.asyncio import AsyncioInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #32634b2fbd4826d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/openai_agents_weather.py:14
from opentelemetry.instrumentation.threading import ThreadingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #7f1df25cd2669d2c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/openai_agents_weather.py:15
from opentelemetry.instrumentation.asyncio import AsyncioInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #caf23b3fe08a4886 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:19
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #cc3d3acab8a309c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:20
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #9876ce0137156c3f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:21
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #77404fb1b9e1f624 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:22
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #2dc7a244f3ed722c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:23
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #96fc89c25ae5599a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:24
from opentelemetry.semconv.resource import ResourceAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #824fdbb41db6ebc1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:50
    from opentelemetry.sdk.trace.export import ConsoleSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #2a534b2253a55101 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/pydanticai_weather.py:13
from opentelemetry.instrumentation.threading import ThreadingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #6e9a881bbbf9c41f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/pydanticai_weather.py:14
from opentelemetry.instrumentation.asyncio import AsyncioInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry tooling reachable #f6989f81e0bac62e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/examples/patronus_examples/tracking/smolagents_weather.py:15
from opentelemetry.instrumentation.threading import ThreadingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c703642826a21f9a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/context/__init__.py:12
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2c11bbed2054abd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/context/__init__.py:24
    from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a74e6c539a8ebb95 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/context/__init__.py:25
    from opentelemetry._logs import LoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5d63dc10c7ba5067 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/evals/evaluators.py:16
from opentelemetry.trace import get_current_span, SpanContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #296322049e833565 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/init.py:247
            from opentelemetry.instrumentation.instrumentor import BaseInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c80c08d073ad2be6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/integrations/otel.py:8
    from opentelemetry.instrumentation.instrumentor import BaseInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #71362b8bf23e7d5c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/integrations/pydantic_ai.py:4
from opentelemetry.sdk._events import EventLoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4665a4d75b2336a7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/decorators.py:7
from opentelemetry.util.types import Attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c6aa9d0de8e5514e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/decorators.py:8
from opentelemetry._logs import SeverityNumber

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #08ade6aef508a75a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:9
from opentelemetry.exporter.otlp.proto.grpc._log_exporter import OTLPLogExporter as OTLPLogExporterGRPC

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a980d3240b07d7be Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:10
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter as OTLPSpanExporterGRPC

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #26b19a72275b417a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:11
from opentelemetry.exporter.otlp.proto.http._log_exporter import OTLPLogExporter as OTLPLogExporterHTTP

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #02c8f0ed20dc664c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:12
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter as OTLPSpanExporterHTTP

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1556cf62fa11d19f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:13
from opentelemetry.sdk._logs.export import LogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ec5570c98521fdc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:14
from opentelemetry.sdk.trace.export import SpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dd87c2e6f7d35d1a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:10
from opentelemetry._logs import SeverityNumber, LogRecord

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #be4f2c64c70a33fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:12
from opentelemetry.sdk._logs import Logger as OTELLogger

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9b683a1dd87bc652 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:13
from opentelemetry.sdk._logs import LoggerProvider as OTELLoggerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9880e27cac3fd107 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:14
from opentelemetry.sdk._logs import LoggingHandler as OTeLLoggingHandler

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #51ed570c9dd78210 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:15
from opentelemetry.sdk._logs._internal import ConcurrentMultiLogRecordProcessor, SynchronousMultiLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6ab6b85f53d2f18a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:16
from opentelemetry.sdk._logs.export import BatchLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4b7d56fc9ebc0266 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:17
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #46447033656467c5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:18
from opentelemetry.sdk.util.instrumentation import InstrumentationScope

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5097a2ca17b4abe9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:19
from opentelemetry.trace import get_current_span, SpanContext

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1b23f80f3b4d7d76 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/logger.py:20
from opentelemetry.util.types import Attributes as OTeLAttributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea5cfb76295fd983 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/tracer.py:6
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2923ae407e135c6a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/tracer.py:9
from opentelemetry import context as context_api

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c9e48dbd084e3bd2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/tracer.py:10
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #dc9ed4ff3bb7cbb5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/tracer.py:11
from opentelemetry.sdk.trace import Span, SpanProcessor, TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c6d68cf9f9c1e475 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/patronus/tracing/tracer.py:12
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 11 low-confidence finding(s)
low env_fs tooling reachable #cc208e7380a1e6c4 Environment-variable access.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:16
        endpoint=os.environ.get("OTEL_EXPORTER_OTLP_ENDPOINT"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d9fb5b1cf197ab93 Environment-variable access.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:17
        headers=os.environ.get("OTEL_EXPORTER_OTLP_HEADERS"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0719f3d7f03b1551 Environment-variable access.
pkgs/python/[email protected]/examples/patronus_examples/otel_tracing_integration.py:27
client = Client(api_key=os.environ.get("PATRONUS_API_KEY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7e183a501e71e611 Environment-variable access.
pkgs/python/[email protected]/examples/patronus_examples/tracing.py:15
    api_key=os.getenv("PATRONUS_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #26cdbae5a2adc8b0 Environment-variable access.
pkgs/python/[email protected]/examples/patronus_examples/tracking/otel_openai_weather.py:42
if os.environ.get("OTEL_EXPORTER_OTLP_ENDPOINT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24faf113ffb27399 Filesystem access.
pkgs/python/[email protected]/src/patronus/api/api_client.py:428
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e78488eb121e69ff Filesystem access.
pkgs/python/[email protected]/src/patronus/api/api_client.py:492
        with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3318af08f2c48c5d Environment-variable access.
pkgs/python/[email protected]/src/patronus/config.py:21
    otel_service_name = os.getenv("OTEL_SERVICE_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #807f96d1f889d1ea Environment-variable access.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:38
    traces_protocol = os.environ.get("OTEL_EXPORTER_OTLP_TRACES_PROTOCOL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90b23c01b7076827 Environment-variable access.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:39
    logs_protocol = os.environ.get("OTEL_EXPORTER_OTLP_LOGS_PROTOCOL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #362c2adf59c1f5c4 Environment-variable access.
pkgs/python/[email protected]/src/patronus/tracing/exporters.py:40
    general_protocol = os.environ.get("OTEL_EXPORTER_OTLP_PROTOCOL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

daytona

python dependency
medium telemetry dependency Excluded from app score #76c2dab74c27423d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:15
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fddead77b68170d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:16
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1cad3661bd088066 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:17
from opentelemetry.instrumentation.aiohttp_client import AioHttpClientInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d1ee3da46b157fc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:18
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1888aab398da5004 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:19
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #50128ff47b7b9806 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:20
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #98b9b587363bf615 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_async/daytona.py:21
from opentelemetry.semconv.attributes import service_attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bcd8274e43184054 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:16
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #e5cbff74bd4cf7b8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:17
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #30f9046ec8140a92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:18
from opentelemetry.instrumentation.aiohttp_client import AioHttpClientInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2df5286cee0a9356 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:19
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #acbb412253d4e8f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:20
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ba556497384358e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:21
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bb13c7d89322fe7f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_sync/daytona.py:22
from opentelemetry.semconv.attributes import service_attributes

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c01c7f3dd6af11e1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_utils/otel_decorator.py:12
from opentelemetry import metrics, trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b58d139677be146b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/daytona/_utils/otel_decorator.py:13
from opentelemetry.trace import Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 15 low-confidence finding(s)
low env_fs dependency Excluded from app score #656fc642765fa9d4 Filesystem access.
pkgs/python/[email protected]/src/daytona/_async/filesystem.py:947
                    stream = stack.enter_context(open(f.source, "rb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62fb470b9a4afbd0 Filesystem access.
pkgs/python/[email protected]/src/daytona/_async/filesystem.py:1200
        return stack.enter_context(open(source, "rb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe5ce7aa331e7bfb Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/computer_use.py:623
            with open(local_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab98bdb8ef020913 Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/filesystem.py:472
                            writer = open(meta.dst, mode="wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13f1a8f795a5fcd2 Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/filesystem.py:911
                    stream = stack.enter_context(open(f.source, "rb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c34f653d485e04ce Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/filesystem.py:1022
        return stack.enter_context(open(source, "rb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f2002e328d62a62 Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/object_storage.py:110
            with open(abs_path_str, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3995926da087680c Filesystem access.
pkgs/python/[email protected]/src/daytona/_sync/object_storage.py:126
                    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38c9a3d5de9bcb6c Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/env.py:26
        val = os.environ.get(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #655418c4428a13ef Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/environment.py:15
    old_env: MutableMapping[str, str] = deepcopy(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ef17ab16c06c8db Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/environment.py:16
    os.environ.clear()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4c52142e98d130b Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/environment.py:18
        os.environ.update(temp_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e397521efc07275 Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/environment.py:22
        os.environ.clear()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #900bb50b43a07e5e Environment-variable access.
pkgs/python/[email protected]/src/daytona/_utils/environment.py:23
        os.environ.update(old_env)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfa513e7aa469a8c Filesystem access.
pkgs/python/[email protected]/src/daytona/common/image.py:438
        dockerfile = path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

couchbase

python dependency
medium telemetry dependency Excluded from app score #1b20908812185c6c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_metrics.py:28
    from opentelemetry import metrics as otel_metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #544b2fcf5f96e853 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_metrics.py:29
    from opentelemetry.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cb703f40e6d4049a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_metrics.py:32
    from opentelemetry import metrics as otel_metrics  # noqa: F811

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1414acb41f2bb41f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:29
    from opentelemetry import trace as otel_trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b7f4288c87e6f246 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:30
    from opentelemetry.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #215fe024f4bc790e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:33
    from opentelemetry import trace as otel_trace  # noqa: F811

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d16ad19e80859993 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:34
    from opentelemetry.context import Context

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #103005205c13970b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:35
    from opentelemetry.trace import SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9cf1312f24d2190c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:36
    from opentelemetry.trace.status import Status as OtelStatus

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #efaad1a89d61ef74 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/observability/otel_tracing.py:37
    from opentelemetry.trace.status import StatusCode as OtelStatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #d5b2d16913d448a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/couchbase/otel_tracer.py:19
from opentelemetry.trace import (Span,
                                 Tracer,
                                 set_span_in_context)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 30 low-confidence finding(s)
low env_fs dependency Excluded from app score #39d2dbf09e026a89 Environment-variable access.
pkgs/python/[email protected]/couchbase/__init__.py:28
        open_ssl_dir = os.getenv('PYCBC_OPENSSL_DIR')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd20c5185d370060 Environment-variable access.
pkgs/python/[email protected]/couchbase/logic/logging_config.py:162
    log_level = os.getenv('PYCBC_LOG_LEVEL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4c9774973d58e48 Environment-variable access.
pkgs/python/[email protected]/couchbase/logic/logging_config.py:164
        log_file = os.getenv('PYCBC_LOG_FILE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #130bce543d47f905 Environment-variable access.
pkgs/python/[email protected]/couchbase/logic/logging_config.py:166
            enable_console_logging = 0 if os.getenv('PYCBC_ENABLE_CONSOLE', None) is None else 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36a01edd8bbd3791 Filesystem access.
pkgs/python/[email protected]/couchbase_version.py:108
    fp = open(VERSION_FILE, "r")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #353f8daf34953c60 Filesystem access.
pkgs/python/[email protected]/couchbase_version.py:172
    with open(VERSION_FILE, "w") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #176ec3af71c4a8ce Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:36
CMAKE_EXE = os.environ.get('CMAKE_EXE', shutil.which('cmake'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c34f2fa438b581bb Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:42
CXXCBC_CACHE_DIR = os.environ.get('PYCBC_CXXCBC_CACHE_DIR', os.path.join(PYCBC_ROOT, 'deps', 'couchbase-cxx-cache'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #437b6497b73d8cb5 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:55
    build_type = os.getenv('PYCBC_BUILD_TYPE', 'Release')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bee497259038d2ba Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:60
            c_flags = os.getenv('CFLAGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79e153cc4a59a7f5 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:61
            cxx_flags = os.getenv('CXXFLAGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0c6b5e1d7b95809 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:62
            os.environ['CFLAGS'] = f'{c_flags} {debug_flags}'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3ade019a71aba17 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:63
            os.environ['CXXFLAGS'] = f'{cxx_flags} {debug_flags}'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fa250ad15b010a6 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:64
    os.environ['PYCBC_BUILD_TYPE'] = build_type

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #406a4d11da4def2c Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:68
    ssl_dir = os.getenv('PYCBC_OPENSSL_DIR', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ad2115c895501ea Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:73
    pycbc_use_openssl = os.getenv('PYCBC_USE_OPENSSL', 'true').lower() in ENV_TRUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1739963fdb12b3fb Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:74
    pycbc_use_opensslv1_1 = os.getenv('PYCBC_USE_OPENSSLV1_1', 'false').lower() in ENV_TRUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #924778a62a44953e Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:77
        ssl_version = os.getenv('PYCBC_OPENSSL_VERSION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e24a033af671ca0d Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:92
    use_static_stdlib = os.getenv('PYCBC_USE_STATIC_STDLIB', 'false').lower() in ENV_TRUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b39c3b02d70275e1 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:100
    download_mozilla_ca_bundle = os.getenv('PYCBC_DOWNLOAD_MOZILLA_CA_BUNDLE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7a7a56a19e88b54 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:107
    sanitizers = os.getenv('PYCBC_SANITIZERS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4ff4ddb5fd32c76 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:112
    if os.getenv('PYCBC_VERBOSE_MAKEFILE', None):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a09bfae0209da6 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:115
    pycbc_cmake_system_version = os.getenv('PYCBC_CMAKE_SYSTEM_VERSION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f154fb931d07c36 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:119
    pycbc_tls_key_log_file = os.getenv('PYCBC_TLS_KEY_LOG_FILE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90bc41a671e56c0e Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:124
    os.environ['CMAKE_COMMON_VARIABLES'] = ' '.join(cmake_extra_args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e3844b9fb3ee7fa Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:141
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bac4ab469932aa55 Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:154
                os.environ.get('CMAKE_COMMON_VARIABLES', '').split(' ')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6724a8f677cfe4e Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:258
        set_cpm_cache = os.environ.get('PYCBC_SET_CPM_CACHE', 'true').lower() in ENV_TRUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e428aa9afef4c0e Environment-variable access.
pkgs/python/[email protected]/pycbc_build_setup.py:352
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbfd5fb188a87308 Filesystem access.
pkgs/python/[email protected]/setup.py:82
      long_description=open(PYCBC_README, "r").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chromadb

python dependency
medium telemetry dependency Excluded from app score #4520ac417d672e3b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/execution/executor/distributed.py:22
from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #569e899bd629a0c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/proto/utils.py:4
from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ea594e2f5a006f44 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/server/fastapi/__init__.py:77
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f97d842923eeabe4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:7
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #71ea4a0ffaf73f47 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:8
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cfbdf43e01aa7313 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:9
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #406a18820182fc67 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:10
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8fb26f51b8ad4f14 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:13
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c1b44085535cf75b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/fastapi.py:3
from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #bf35a07e8019193d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/grpc.py:5
from opentelemetry.trace import StatusCode, SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 54 low-confidence finding(s)
low env_fs dependency Excluded from app score #9e126d7bfe5235ff Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:407
            arg.value = arg.value or os.environ.get(arg.env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b4d5562a4378a2d Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:420
    tenant = tenant or os.environ.get("CHROMA_TENANT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8abc25d5acc7c044 Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:423
    database = database or os.environ.get("CHROMA_DATABASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5347c426e70a95e0 Filesystem access.
pkgs/python/[email protected]/chromadb/auth/__init__.py:124
            with open(_creds_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a54911666e5f18e0 Filesystem access.
pkgs/python/[email protected]/chromadb/auth/__init__.py:235
            with open(_config_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #d4585fe7e4d6a8ba Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/chromadb/cli/cli.py:25
        response = requests.get(url)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #712420ca5dc63ae6 Filesystem access.
pkgs/python/[email protected]/chromadb/cli/utils.py:12
    with open(f"{log_config_path}", "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c042dbf7a4ec01a Filesystem access.
pkgs/python/[email protected]/chromadb/db/migrations.py:256
    sql = file["path"].read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbede7a161f4e2d3 Filesystem access.
pkgs/python/[email protected]/chromadb/segment/impl/vector/local_persistent_hnsw.py:74
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b506850815f629d1 Filesystem access.
pkgs/python/[email protected]/chromadb/segment/impl/vector/local_persistent_hnsw.py:255
        with open(self._get_metadata_file(), "wb") as metadata_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a264f4adeb019a3 Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:139
                        {"pod_name": os.environ.get("HOSTNAME")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1453f08f7d0242e Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:155
                        {"pod_name": os.environ.get("HOSTNAME")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b25c13aa6020b913 Filesystem access.
pkgs/python/[email protected]/chromadb/telemetry/product/__init__.py:88
                with open(self.USER_ID_PATH, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84af440bd2406028 Filesystem access.
pkgs/python/[email protected]/chromadb/telemetry/product/__init__.py:93
                with open(self.USER_ID_PATH, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8149872d53f6b29 Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/product/events.py:20
        self.is_cli = os.environ.get("CHROMA_CLI", "False") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f0dcbf468a9af1b Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/baseten_embedding_function.py:39
        if os.getenv("BASETEN_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #885cbc3effce4888 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/baseten_embedding_function.py:45
        resolved_api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0a974d0538f09e4 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/chroma_cloud_qwen_embedding_function.py:61
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0795329ed3b6b7e9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/chroma_cloud_splade_embedding_function.py:42
        self.api_key = os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #338f11ec6a1524aa Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cloudflare_workers_ai_embedding_function.py:57
        if os.getenv("CLOUDFLARE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90f05e7d838e75e3 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cloudflare_workers_ai_embedding_function.py:62
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2afb212aaea50af9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cohere_embedding_function.py:46
        if os.getenv("COHERE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69b642ea970ab934 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cohere_embedding_function.py:51
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec0794b8d1ede1ae Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:57
        self.api_key = os.getenv(self.api_key_env_var) if self.api_key_env_var else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f089fe9a41598643 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:251
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfbaac108b00b8a6 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:256
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12f665d36ceee97a Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:401
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29ac80e10e7e2739 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:406
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0388a9f8a4dc4e5 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:529
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01593b6af8a2a928 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:534
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92dbdb08c8efc5f9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:43
        if os.getenv("HUGGINGFACE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bed4161aa107d3c8 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:48
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c68b46e05a364ee9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:169
        if os.getenv("HUGGINGFACE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00e241a98a3526ef Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:173
            self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1a5afb0efbb68ef Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/jina_embedding_function.py:84
        if os.getenv("JINA_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d198b7a62a635737 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/jina_embedding_function.py:89
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00e81dd36a06b074 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/mistral_embedding_function.py:29
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #617d002eb2e748b2 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/morph_embedding_function.py:49
        self.api_key = api_key or os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28e81c9d2e2441a9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/nomic_embedding_function.py:50
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59138723a47a8561 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/onnx_mini_lm_l6_v2.py:24
    with open(fname, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #383d917d81c1a481 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/onnx_mini_lm_l6_v2.py:109
            with open(fname, "wb") as file, self.tqdm(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5a86f9fdb6aa319 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/openai_embedding_function.py:60
        if os.getenv("OPENAI_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13212578683af449 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/openai_embedding_function.py:65
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70fe40254a41820f Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/perplexity_embedding_function.py:52
        if os.getenv("PERPLEXITY_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b27e1e1759a47575 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/perplexity_embedding_function.py:57
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #839457c0adcd53ad Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/roboflow_embedding_function.py:48
        if os.getenv("ROBOFLOW_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da1b7022c1f3d8f3 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/roboflow_embedding_function.py:53
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e3715f4ad3985f6 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/schemas/registry.py:38
        with open(schema_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1017b859036a4745 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/schemas/schema_utils.py:36
    with open(schema_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30353319e5a9ac6b Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/together_ai_embedding_function.py:52
        if os.getenv("TOGETHER_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e2f97c8736a14e6 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/together_ai_embedding_function.py:57
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78277e1514bb58ea Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/utils.py:11
    return (os.environ.get("CHROMA_EMBED_URL") or DEFAULT_CHROMA_EMBED_URL).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0685e4a6dec6fddb Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/voyageai_embedding_function.py:50
        if os.getenv("VOYAGE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27cb0d9626cbd6c4 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/voyageai_embedding_function.py:55
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-ai-inference

python dependency
medium telemetry dependency Excluded from app score #4ebea49cb934f154 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/azure/ai/inference/tracing.py:24
    from opentelemetry.trace import StatusCode, Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #61e2ca670687332e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_azure_monitor_tracing.py:31
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #34b5f068075b39e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_azure_monitor_tracing.py:39
from opentelemetry.trace import get_tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a11e1ba34e08e205 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:32
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #19dd328b6a3b9033 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:35
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #105f89197237770e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:36
from opentelemetry.sdk.trace.export import SimpleSpanProcessor, ConsoleSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f95cc3b3d552c956 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:55
from opentelemetry.trace import get_tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 93 low-confidence finding(s)
low env_fs dependency Excluded from app score #6f0f7415e2d8d1ed Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/models/_patch.py:320
        with open(image_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3be2044ee5c0df9 Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/models/_patch.py:346
        with open(image_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c82850559eddaa53 Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/models/_patch.py:548
        with open(audio_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64edd55661b207da Environment-variable access.
pkgs/python/[email protected]/azure/ai/inference/prompts/_core.py:190
        if variable in os.environ.keys():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #675aae7a0b62310d Environment-variable access.
pkgs/python/[email protected]/azure/ai/inference/prompts/_core.py:191
            return os.environ[variable]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f844d98a0b07438 Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/prompts/_parsers.py:64
        with open(image_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67a42f6bb03a650a Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/prompts/_tracer.py:306
        with open(trace_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c486ea0709b296d Filesystem access.
pkgs/python/[email protected]/azure/ai/inference/prompts/_utils.py:22
    with open(file_path, "r", encoding=encoding) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #073f674663dea92d Environment-variable access.
pkgs/python/[email protected]/azure/ai/inference/tracing.py:147
            var_value = os.environ.get("AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc34d84ae4206f30 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_async.py:35
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb59fe1fd7c7ddbd Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_async.py:36
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d69e006046ff7598 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_from_input_bytes_async.py:37
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cf643713b354a8c Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_from_input_bytes_async.py:38
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #949090001c1546f1 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_from_input_dict_async.py:38
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7525526d9154e452 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_from_input_dict_async.py:39
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3cb9012e8ba5a3c Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_streaming_async.py:36
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #228a2828a5c8e0d7 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_streaming_async.py:37
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af75cf071f34403e Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_streaming_azure_openai_async.py:38
        endpoint = os.environ["AZURE_OPENAI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e476778fa8e7e282 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_chat_completions_streaming_azure_openai_async.py:50
            key = os.environ["AZURE_OPENAI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f04dddafeb3f59da Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_embeddings_async.py:34
        endpoint = os.environ["AZURE_AI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7b03f799da74604 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_embeddings_async.py:35
        key = os.environ["AZURE_AI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dfab089e5969af3 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_image_embeddings_async.py:32
        endpoint = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8647fc16f2789506 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_image_embeddings_async.py:33
        key = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ec5699a28f34bd9 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_load_client_async.py:30
        endpoint = os.environ["AZURE_AI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cf79de2484e714f Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_load_client_async.py:31
        key = os.environ["AZURE_AI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9006955a341007e3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions.py:31
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53927679e0c7e88a Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions.py:32
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a702c796adf04b88 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_azure_openai.py:36
        endpoint = os.environ["AZURE_OPENAI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b290cb3c244163f Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_azure_openai.py:48
            key = os.environ["AZURE_OPENAI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2545c36bdd556b11 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_bytes.py:37
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed58ea7ddd9e56d7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_bytes.py:38
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c35a1bb0a1c27995 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_dict.py:38
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3295974e67989a43 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_dict.py:39
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21bde3b075304aac Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_dict_with_image_url.py:42
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aeba609d0ee3ce8c Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_dict_with_image_url.py:43
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fef09fa9b2a7a8d0 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_dict_with_image_url.py:50
        model_deployment = os.environ["AZURE_AI_CHAT_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11b96e08aa00fb75 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_prompt_string.py:36
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fc4a5e9d5f516f1 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_prompt_string.py:37
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #247f9aa5586a5a3e Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_prompty.py:36
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fb092fad3e18d83 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_from_input_prompty.py:37
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c285ea2dc8af0c6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming.py:31
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc46c47705784e2a Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming.py:32
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb9bd64f039386c Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_entra_id_auth.py:31
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #352a4599c0537569 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_entra_id_auth.py:38
        model_deployment = os.environ["AZURE_AI_CHAT_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7e617f84524e244 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_tools.py:45
            endpoint = os.environ["AZURE_OPENAI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f03e837de2e6d3c6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_tools.py:46
            key = os.environ["AZURE_OPENAI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f94b1dc8cbfc6da Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_tools.py:48
            endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #508501eb0da32fc3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_streaming_with_tools.py:49
            key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc0c8f9867e5409e Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_audio_data.py:47
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2716efab8e29595b Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_audio_data.py:48
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0287eba801a84d8f Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_audio_data.py:55
        model_deployment = os.environ["AZURE_AI_CHAT_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #874b4e3130253fdc Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_azure_monitor_tracing.py:151
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #330b14c94f95923c Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_azure_monitor_tracing.py:152
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #478b61a0593cf38f Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_defaults.py:33
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac9252ada50dc4cc Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_defaults.py:34
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a08f6cf5aa61b289 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_entra_id_auth.py:42
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1348f7309e33dcac Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_entra_id_auth.py:43
        model_deployment_name = os.environ["AZURE_AI_CHAT_MODEL_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7744a8378a659589 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_history.py:32
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bed556ba87bc62d Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_history.py:33
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5244108f4a598ae7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_data.py:47
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #421aa4e0151d232e Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_data.py:48
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #376247fe73b15208 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_data.py:55
        model_deployment = os.environ["AZURE_AI_CHAT_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e5666c189e7a563 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_url.py:47
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6277fee4bfa72c45 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_url.py:48
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9beb355d8b66a44 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_image_url.py:55
        model_deployment = os.environ["AZURE_AI_CHAT_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a7cdd8e4e45774a Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_model_extras.py:33
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e8e6a9f5d380f90 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_model_extras.py:34
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0b0d046078fe58f Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_structured_output.py:54
        endpoint = os.environ["AZURE_OPENAI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d530d1522473af3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_structured_output.py:55
        key = os.environ["AZURE_OPENAI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dfe50854b79abd2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_structured_output_pydantic.py:57
        endpoint = os.environ["AZURE_OPENAI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28e3da1cf294fd2c Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_structured_output_pydantic.py:58
        key = os.environ["AZURE_OPENAI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9aaed9242ec78e52 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tools.py:34
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34908b33b5b82234 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tools.py:35
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546effe89cf40e26 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:170
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e73806ffbab2cb06 Environment-variable access.
pkgs/python/[email protected]/samples/sample_chat_completions_with_tracing.py:171
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b0bda82117258ef Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings.py:32
        endpoint = os.environ["AZURE_AI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ba4ec75d522ab68 Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings.py:33
        key = os.environ["AZURE_AI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fa0fd936a1e19a5 Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_azure_openai.py:36
        endpoint = os.environ["AZURE_OPENAI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc3cd66ddc7a729b Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_azure_openai.py:48
            key = os.environ["AZURE_OPENAI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f0f713d1953063f Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_with_base64_encoding.py:32
        endpoint = os.environ["AZURE_AI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75c8b4630e67671d Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_with_base64_encoding.py:33
        key = os.environ["AZURE_AI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d774a57cc6eb429e Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_with_defaults.py:33
        endpoint = os.environ["AZURE_AI_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b99d568e8bafa6ae Environment-variable access.
pkgs/python/[email protected]/samples/sample_embeddings_with_defaults.py:34
        key = os.environ["AZURE_AI_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e1e2bf7fd8fa79e Environment-variable access.
pkgs/python/[email protected]/samples/sample_get_model_info.py:30
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #773cb62b5ba2b5a8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_get_model_info.py:31
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf6b319d35c2c3d7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_image_embeddings.py:31
        endpoint = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6864ffd761dd4942 Environment-variable access.
pkgs/python/[email protected]/samples/sample_image_embeddings.py:32
        key = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d771a1189f756ac1 Environment-variable access.
pkgs/python/[email protected]/samples/sample_image_embeddings_with_defaults.py:33
        endpoint = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ef9ae0ac145fb0f Environment-variable access.
pkgs/python/[email protected]/samples/sample_image_embeddings_with_defaults.py:34
        key = os.environ["AZURE_AI_IMAGE_EMBEDDINGS_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41e1086855f12a68 Environment-variable access.
pkgs/python/[email protected]/samples/sample_load_client.py:30
        endpoint = os.environ["AZURE_AI_CHAT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aafbf8d7fe60c8fe Environment-variable access.
pkgs/python/[email protected]/samples/sample_load_client.py:31
        key = os.environ["AZURE_AI_CHAT_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a82fd2852f4b085b Filesystem access.
pkgs/python/[email protected]/setup.py:22
with open(os.path.join(package_folder_path, "_version.py"), "r") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17bbafcd4cef0467 Filesystem access.
pkgs/python/[email protected]/setup.py:33
    long_description=open("README.md", "r").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

crewai-core

python dependency
medium telemetry dependency Excluded from app score #984032b6be96a781 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:22
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #cfd3aaf20c4de2d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:23
from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ddf3a5100383bd64 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:24
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #305d9b807bc2d8f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:25
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #11a265974144d4b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:26
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,
    SpanExportResult,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #6c2c0f0cf7b5b55f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:30
from opentelemetry.trace import ProxyTracerProvider, Span, Status, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 21 low-confidence finding(s)
low env_fs dependency Excluded from app score #87bdc071e186962a Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/lock_store.py:33
_REDIS_URL: str | None = os.environ.get("REDIS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db37a8f7e9587131 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/paths.py:13
    return os.environ.get("CREWAI_STORAGE_DIR", Path.cwd().name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec23c91d10d95518 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/plus_api.py:168
            os.getenv("CREWAI_PLUS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4d7eddb3a518bf1 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/project.py:26
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e3b3058620d7346 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/project.py:163
        with open(pyproject_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecaf19a6e515960e Filesystem access.
pkgs/python/[email protected]/src/crewai_core/settings.py:97
                test_file.write_text("test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70138241d8a833a5 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:125
            os.getenv("OTEL_SDK_DISABLED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abd958e212a1a26e Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:126
            or os.getenv("CREWAI_DISABLE_TELEMETRY", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9aee8d2709ea6a23 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/telemetry.py:127
            or os.getenv("CREWAI_DISABLE_TRACKING", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15d3d26bed4e25a5 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/token_manager.py:88
            base_path = os.environ.get("LOCALAPPDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98ba3a441c89d665 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/token_manager.py:150
            with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ea45978d78341ab Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/tool_credentials.py:24
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aac5334a1e6d038 Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/tool_credentials.py:42
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9d46bc2049e9fe8 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/user_data.py:39
            return cast(dict[str, Any], json.loads(p.read_text()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #473c8ac9a367f92f Filesystem access.
pkgs/python/[email protected]/src/crewai_core/user_data.py:49
        p.write_text(json.dumps(data, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb0a24e7c436166e Environment-variable access.
pkgs/python/[email protected]/src/crewai_core/user_data.py:86
    if os.getenv("CREWAI_TRACING_ENABLED", "false").lower() in ("true", "1"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e3dedec4c79ae03 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/version.py:117
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #8f0eda4e09c923ca Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/crewai_core/version.py:125
        with request.urlopen(
            "https://pypi.org/pypi/crewai/json", timeout=timeout
        ) as response:

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #3d152dab96442576 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/version.py:142
            cache_file.write_text(json.dumps(cache_data))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #135bf8b6a8535d06 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/version.py:154
            cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2827b17f00b13e1 Filesystem access.
pkgs/python/[email protected]/src/crewai_core/version.py:168
        cache_data = json.loads(cache_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

a2a-sdk

python dependency
medium telemetry dependency Excluded from app score #d421991122d7eb0a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/a2a/utils/telemetry.py:81
    from opentelemetry.trace import (
        SpanKind as SpanKindType,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #461d5f276251f520 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/a2a/utils/telemetry.py:90
    from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #804b72b1042b0069 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/a2a/utils/telemetry.py:91
    from opentelemetry.trace import (
        SpanKind as _SpanKind,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c096525ff3925920 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/a2a/utils/telemetry.py:94
    from opentelemetry.trace import (
        StatusCode,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #e0f885e6662ef6a4 Environment-variable access.
pkgs/python/[email protected]/itk/main.py:55
log_level_str = os.environ.get('ITK_LOG_LEVEL', 'INFO').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8769092162b92f03 Environment-variable access.
pkgs/python/[email protected]/src/a2a/a2a_db_cli.py:144
        os.environ['DATABASE_URL'] = db_url

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2728bd0b30fd86f Environment-variable access.
pkgs/python/[email protected]/src/a2a/migrations/env.py:25
db_url = os.getenv('DATABASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f94d749c82dbde9a Environment-variable access.
pkgs/python/[email protected]/src/a2a/utils/telemetry.py:112
env_value = os.getenv(ENABLED_ENV_VAR, 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f31b1eedac571086 Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent.py:145
    http_port = int(os.environ.get('HTTP_PORT', '41241'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ed15c24611a4b53 Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent.py:147
    grpc_port = int(os.environ.get('GRPC_PORT', '50051'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28d6da283d7c23cb Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent_with_vertex_task_store.py:20
    project = os.environ.get('VERTEX_PROJECT')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18a982f998fbf25e Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent_with_vertex_task_store.py:21
    location = os.environ.get('VERTEX_LOCATION')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6df4b37c8a59c884 Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent_with_vertex_task_store.py:22
    base_url = os.environ.get('VERTEX_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2e2c8990309c556 Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent_with_vertex_task_store.py:23
    api_version = os.environ.get('VERTEX_API_VERSION')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f60d441266af5c2d Environment-variable access.
pkgs/python/[email protected]/tck/sut_agent_with_vertex_task_store.py:24
    agent_engine_resource_id = os.environ.get('AGENT_ENGINE_RESOURCE_ID')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

scrapfly-sdk

python dependency
medium telemetry dependency Excluded from app score #b6151e48d79899e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/scrapfly/reporter/sentry.py:42
            import sentry_sdk  # noqa: F401  # validate the dependency is present

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #014c9cc49254d1f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/scrapfly/reporter/sentry.py:55
        from sentry_sdk import capture_exception, push_scope

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2793d0e1260af0ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/scrapfly/reporter/sentry.py:57
        with push_scope() as scope:

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a55d760481f9889c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/scrapfly/reporter/sentry.py:75
                capture_exception(error)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #58ef5e1daa4e3b86 Filesystem access.
pkgs/python/[email protected]/scrapfly/api_response.py:611
            file = open(file_path, 'wb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23d2421435883c13 Filesystem access.
pkgs/python/[email protected]/scrapfly/client.py:1154
        with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cca6ae96a15cbda1 Filesystem access.
pkgs/python/[email protected]/scrapfly/client.py:1230
            file = open(file_path, 'wb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #172b4d0170d59663 Filesystem access.
pkgs/python/[email protected]/scrapfly/client.py:1840
            with open(save_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14e83212f286cfe0 Filesystem access.
pkgs/python/[email protected]/scrapfly/client.py:1892
        with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54ce4d52869e63d7 Filesystem access.
pkgs/python/[email protected]/scrapfly/crawler/crawler_response.py:502
        with open(filepath, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #182fc8cbf5fc6763 Environment-variable access.
pkgs/python/[email protected]/scrapfly/scrapy/spider.py:114
        return environ.get('SPIDER_RUN_ID') or str(uuid.uuid4())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4f79a10e877199a Filesystem access.
pkgs/python/[email protected]/setup.py:24
txt = (HERE / MODULE / '__init__.py').read_text('utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e91a7665437fa2a1 Filesystem access.
pkgs/python/[email protected]/setup.py:41
    return (HERE / f).read_text('utf-8').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

bedrock-agentcore

python dependency
medium telemetry dependency Excluded from app score #65d17ea1c80a3d23 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/tracing.py:47
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #da401c90ba7d2cf9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/tracing.py:83
        from opentelemetry.sdk.trace import SpanProcessor  # type: ignore[import]

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #eadbb4c5ea2b3192 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/tracing.py:121
                from opentelemetry import baggage as otel_baggage

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 167 low-confidence finding(s)
low env_fs tooling reachable #b50356f29914857b Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:11
    content = Path("pyproject.toml").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8f583afed687da0b Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:56
    content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5f6241c9b97e5faf Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:67
        file_path.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #34fd145091be0115 Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:76
    content = pyproject.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #db192c270f2ad84a Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:84
        pyproject.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #248b4d2f2f9bc7b4 Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:163
        content = changelog_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a066c8f66026ffb9 Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:191
    changelog_path.write_text(content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3a86759a4410e14 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/_utils/endpoints.py:8
DP_ENDPOINT_OVERRIDE = os.getenv("BEDROCK_AGENTCORE_DP_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5462a2a724d54a1b Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/_utils/endpoints.py:9
CP_ENDPOINT_OVERRIDE = os.getenv("BEDROCK_AGENTCORE_CP_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46962775c57fd8ee Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/_utils/endpoints.py:10
DEFAULT_REGION = os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION") or "us-west-2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09388391cf951f28 Filesystem access.
pkgs/python/[email protected]/src/bedrock_agentcore/evaluation/runner/dataset_providers.py:74
            with open(self._file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f66852eb224a2cb Filesystem access.
pkgs/python/[email protected]/src/bedrock_agentcore/evaluation/runner/dataset_providers.py:77
            with open(self._file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #693c5825ab68a872 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/identity/auth.py:290
        if os.getenv("DOCKER_CONTAINER") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff34adf790b6ed06 Filesystem access.
pkgs/python/[email protected]/src/bedrock_agentcore/identity/auth.py:310
            with open(config_path, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78788fda993feeec Filesystem access.
pkgs/python/[email protected]/src/bedrock_agentcore/identity/auth.py:331
        with open(config_path, "w", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abf5e40e3101021f Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/identity/auth.py:340
    region_env = os.getenv("AWS_REGION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #106221b26cdf6f03 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/memory/controlplane.py:37
        service_name = os.getenv("BEDROCK_AGENTCORE_CONTROL_SERVICE", "bedrock-agentcore-control")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49994565a0be00f4 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/memory/controlplane.py:39
        control_endpoint = os.getenv("BEDROCK_AGENTCORE_CONTROL_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6318616202a8d46 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/memory/session.py:179
            region_name or session_region or os.environ.get("AWS_REGION") or boto3.Session().region_name or "us-west-2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7e721ebf60abb96 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/payments/manager.py:316
            region_name or session_region or os.environ.get("AWS_REGION") or boto3.Session().region_name or "us-west-2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fddca22969d695a6 Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/a2a.py:217
    runtime_url = os.environ.get(AGENTCORE_RUNTIME_URL_ENV, "http://localhost:9000/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e8509172b5651bc Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/a2a.py:221
    elif os.environ.get(AGENTCORE_RUNTIME_URL_ENV):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cbecec595166d7b Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/a2a.py:297
        if os.path.exists("/.dockerenv") or os.environ.get("DOCKER_CONTAINER"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b98561c77d8e583b Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/ag_ui.py:139
            if os.path.exists("/.dockerenv") or os.environ.get("DOCKER_CONTAINER"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #658be96b18058dba Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/app.py:83
        otel_attrs = os.environ.get("OTEL_RESOURCE_ATTRIBUTES", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0f289cf944397ad Environment-variable access.
pkgs/python/[email protected]/src/bedrock_agentcore/runtime/app.py:658
            if os.path.exists("/.dockerenv") or os.environ.get("DOCKER_CONTAINER"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80196df23eb85b17 Filesystem access.
pkgs/python/[email protected]/tests_integ/async/interactive_async_strands.py:159
            with open(self.result_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6df6370080b0ea65 Filesystem access.
pkgs/python/[email protected]/tests_integ/async/interactive_async_strands.py:211
            with open(processor.result_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2ce6ca006e39ec2 Filesystem access.
pkgs/python/[email protected]/tests_integ/async/interactive_async_strands.py:333
        with open(result_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8a9ace8ed3d721d Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/integrations/strands_agents_evals/test_strands_evaluation.py:20
REGION = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e415f0c7b549927d Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/integrations/strands_agents_evals/test_strands_evaluation.py:42
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76840f8e6d70540d Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_dataset_client.py:22
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e1aa7b466cab7a Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_dataset_client.py:53
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65d9fc831e0babde Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_evaluation_passthrough.py:18
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b53a54a04b5fc163 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_evaluation_passthrough.py:54
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90e504e7aa40f468 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_evaluation_passthrough.py:131
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dbfc2382a4a90ec Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_evaluation_passthrough.py:132
        cls.role_arn = os.environ.get("EVAL_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d072bc084ff81a9c Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_evaluation_passthrough.py:133
        cls.log_group = os.environ.get("EVAL_LOG_GROUP")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98de648aa92a8695 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_runners_with_service_dataset.py:33
RUNTIME_ARN = os.environ.get("INTEG_AGENT_RUNTIME_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dbb92d0a84223b4 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_runners_with_service_dataset.py:34
REGION = RUNTIME_ARN.split(":")[3] if RUNTIME_ARN else os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d1e8e358ce5f16 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_runners_with_service_dataset.py:68
        cls.log_group = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3954a8e80a9852d4 Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_runners_with_service_dataset.py:68
        cls.log_group = os.environ.get(
            "INTEG_AGENT_LOG_GROUP",
            f"/aws/bedrock-agentcore/runtimes/{cls.runtime_id}-DEFAULT",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #609caafcb4d5c24b Environment-variable access.
pkgs/python/[email protected]/tests_integ/evaluation/test_service_dataset_provider.py:30
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85c4f4753e369168 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/integrations/test_agentcore_tool_search_plugin.py:157
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d4af82a086d7854 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/integrations/test_agentcore_tool_search_plugin.py:158
        cls.role_arn = os.environ.get("GATEWAY_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0f14adcb645f867 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/integrations/test_agentcore_tool_search_plugin.py:159
        cls.lambda_arn = os.environ.get("GATEWAY_LAMBDA_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a27506892539a57d Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/integrations/test_agentcore_tool_search_plugin.py:432
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10fa3fd233e2e3be Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_client.py:23
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b73ef1bdb4ae671 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_client.py:24
        cls.role_arn = os.environ.get("GATEWAY_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eced8f22474c3958 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_client.py:127
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #345df0e82b569c3d Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_client.py:128
        cls.role_arn = os.environ.get("GATEWAY_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1d3cc17391e5b6a Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_client.py:129
        cls.lambda_arn = os.environ.get("GATEWAY_LAMBDA_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c31c4e39d1c9dbca Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_kb_targets.py:25
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3735134b7a76f713 Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_kb_targets.py:26
        cls.gateway_role_arn = os.environ.get("GATEWAY_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0a90d65f2ee099e Environment-variable access.
pkgs/python/[email protected]/tests_integ/gateway/test_gateway_kb_targets.py:27
        cls.kb_role_arn = os.environ.get("KB_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #431339084c751fc3 Environment-variable access.
pkgs/python/[email protected]/tests_integ/identity/test_identity_client.py:22
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2812c4284b1e2d17 Environment-variable access.
pkgs/python/[email protected]/tests_integ/identity/test_identity_client.py:79
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a3bbf68871a24f2 Environment-variable access.
pkgs/python/[email protected]/tests_integ/identity/test_identity_client.py:80
        cls.pool_id = os.environ.get("COGNITO_POOL_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28f5facbd5bd49a7 Environment-variable access.
pkgs/python/[email protected]/tests_integ/identity/test_identity_client.py:81
        cls.client_id = os.environ.get("COGNITO_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eca8232c5d3360bf Environment-variable access.
pkgs/python/[email protected]/tests_integ/identity/test_identity_client.py:82
        cls.client_secret = os.environ.get("COGNITO_CLIENT_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab8e5ca13d582fd1 Environment-variable access.
pkgs/python/[email protected]/tests_integ/knowledge_base/test_knowledge_base_client.py:25
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a21e0c8476a34c9f Environment-variable access.
pkgs/python/[email protected]/tests_integ/knowledge_base/test_knowledge_base_client.py:26
        cls.role_arn = os.environ.get("KB_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #754208499e127c01 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/integrations/test_session_manager.py:32
REGION = os.environ.get("BEDROCK_TEST_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4f138a4084d5f16 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/integrations/test_session_manager.py:42
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dcbb88593dc537b Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_controlplane.py:17
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e197f7e1431ca755 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:32
        cls.kinesis_stream_arn = os.environ.get("MEMORY_KINESIS_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24b2689bfc93f5d1 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:33
        cls.execution_role_arn = os.environ.get("MEMORY_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1415ea396f617f29 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:38
        cls.prepopulated_memory_id = os.environ.get("MEMORY_PREPOPULATED_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c4e9aff6bca837d Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:39
        cls.prepopulated_actor_id = os.environ.get("MEMORY_PREPOPULATED_ACTOR_ID", "integ-test-actor")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dc6877c7ebb3eb1 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:40
        cls.prepopulated_session_id = os.environ.get("MEMORY_PREPOPULATED_SESSION_ID", "integ-test-session")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f59a32f5cb8fe024 Environment-variable access.
pkgs/python/[email protected]/tests_integ/memory/test_memory_client.py:44
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9882c4b1ddbef46b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:38
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86b01bff9f4b907c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:39
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3f35bf65a083479 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:40
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #425ac8803460d1d4 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:41
        cls.payment_instrument_id = os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ec3b35136f31b76 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:42
        cls.payment_session_id = os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dc3b36ad7098b1e Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:191
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d48f059deea550c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:192
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86cfd42e53a921e6 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:193
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f7c2cf82ffd75d0 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:194
        cls.payment_instrument_id = os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad46af18e51cab6d Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:195
        cls.payment_session_id = os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd61a691d3eff9bf Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:286
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #805b6a76a98076b9 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:287
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd5d05da79a4a0d0 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:288
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddd45193effe3d0f Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:289
        cls.payment_instrument_id = os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a8658c0699171c9 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_payment_tools_integration.py:290
        cls.payment_session_id = os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea36efa516519e19 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:38
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #831dbb8ab50c47d3 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:39
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c5900ab69fcfd53 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:81
                        instrument_id = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa08d9b665ce951e Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:81
                        instrument_id = os.environ.get(
                            "TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-abcdefghijklmno"
                        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c67acd891fdf51ee Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:101
                        session_id = os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef6eee9a14619296 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:118
                        session_id = os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-abcdefghijklmno")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9abb1773a6b60a29 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:149
            payment_manager_arn=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3077f23730854a2d Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:149
            payment_manager_arn=os.environ.get(
                "TEST_PAYMENT_MANAGER_ARN",
                "arn:aws:bedrock-agentcore:us-west-2:12345678910:payment-manager/mypaymentmanager-cyrc25gr4c",
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #127c8cdaa7b8c89b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:154
            payment_session_id=os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-bWOGg4z2irAGbzA"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f42cb41bb13f20a5 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:155
            payment_instrument_id=os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-vnL29CKAdyESdQ7"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fd98985d5fcbe91 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:194
        payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6657bff0ab82cd7c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:425
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb84c11b1e405b6c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:426
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a22a50ef1dcd0266 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:458
        payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #691aa90a62ac1e11 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:468
            payment_instrument_id=os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-test123"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e583bd2e7afda9b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:469
            payment_session_id=os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-test456"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43c519ff242ab81a Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:645
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c331ada7e20306b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:646
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ee9f861e866213c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:651
            payment_manager_arn=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ca797e3b62ee6ed Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:651
            payment_manager_arn=os.environ.get(
                "TEST_PAYMENT_MANAGER_ARN",
                "arn:aws:bedrock-agentcore:us-west-2:12345678910:payment-manager/mypaymentmanager-cyrc25gr4c",
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #235d13dadf21ee80 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:656
            payment_session_id=os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-bWOGg4z2irAGbzA"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24ee9f4bbcf5632b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:657
            payment_instrument_id=os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-vnL29CKAdyESdQ7"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #529c3c6377fc6d5c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:670
            payment_manager_arn=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e9dccd3a749f7a8 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:670
            payment_manager_arn=os.environ.get(
                "TEST_PAYMENT_MANAGER_ARN",
                "arn:aws:bedrock-agentcore:us-west-2:12345678910:payment-manager/mypaymentmanager-cyrc25gr4c",
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd17c090d6f2d080 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:675
            payment_session_id=os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-bWOGg4z2irAGbzA"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7298105bb0aee403 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:676
            payment_instrument_id=os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-vnL29CKAdyESdQ7"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b81112340212e33f Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:692
            payment_manager_arn=os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb33424bbac0d7a8 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:692
            payment_manager_arn=os.environ.get(
                "TEST_PAYMENT_MANAGER_ARN",
                "arn:aws:bedrock-agentcore:us-west-2:12345678910:payment-manager/mypaymentmanager-cyrc25gr4c",
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7da74513914901a7 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:697
            payment_session_id=os.environ.get("TEST_PAYMENT_SESSION_ID", "payment-session-bWOGg4z2irAGbzA"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #262967a79df97357 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:698
            payment_instrument_id=os.environ.get("TEST_PAYMENT_INSTRUMENT_ID", "payment-instrument-vnL29CKAdyESdQ7"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a6a1e4ac20f5efe Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:730
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18d98edb168fb56b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/integrations/strands/test_plugin_integration.py:731
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #356eb23b02e8fbcd Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:66
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0612cb138d7273f5 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:67
        cls.role_arn = os.environ.get("RUNTIME_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb7c8eeff8150157 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:271
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27e05720b5754b6d Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:280
        cls.api_key_secret = os.environ.get("PAYMENT_TEST_API_KEY_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15268b395f78e5eb Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:281
        cls.wallet_secret = os.environ.get("PAYMENT_TEST_WALLET_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c446bcecc910899f Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_client.py:283
        cls.role_arn = os.environ.get("RUNTIME_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fa434e834fe8ce0 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:64
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8ae9e7ba654409c Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:66
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN", default_arn)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf5b659222b9defc Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:67
        cls.payment_connector_id = os.environ.get("TEST_PAYMENT_CONNECTOR_ID", "pc-test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9351f8417677d76b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:68
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2174f598ddbcf3e Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:99
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b8ff36d8541307d Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:100
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b13b3af0c5ec753 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:101
        cls.payment_connector_id = os.environ.get("TEST_PAYMENT_CONNECTOR_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5f56d0929994457 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:102
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc7af2a7609dc406 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:126
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74cc7f006e5a3133 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:188
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8d9fc644f007b99 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:220
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #566bcd7629e848a6 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:238
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7476a9cadff48571 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:239
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1557c6895e2f0bc7 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:240
        cls.payment_connector_id = os.environ.get("TEST_PAYMENT_CONNECTOR_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a804bfc87ef208a Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:241
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7baec32034008709 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:254
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b32e08eebc21f81 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:271
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b93dc4128c8148c9 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:305
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdd8afd8f1564717 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:306
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3672c2d3d61ad1a Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:307
        cls.payment_connector_id = os.environ.get("TEST_PAYMENT_CONNECTOR_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d939bc35a05e0b6 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:308
        cls.user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c15f93cccf98a13 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:390
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d61d398aa2b444fd Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:469
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fad17e81b861e65e Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:554
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ce0f1073044008b Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:608
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26f889a12ba93a28 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:672
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f66004d42ae0f9fa Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:674
        cls.payment_manager_arn = os.environ.get("TEST_PAYMENT_MANAGER_ARN", default_arn)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d52e1a8df593d50f Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:751
        not os.environ.get("TEST_PAYMENT_MANAGER_ARN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc161b191adb3a7d Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:766
        user_id = os.environ.get("TEST_USER_ID", f"test-user-{uuid.uuid4().hex[:8]}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f12aaf4da8de7e12 Environment-variable access.
pkgs/python/[email protected]/tests_integ/payments/test_payment_manager.py:798
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53696560831c1cec Environment-variable access.
pkgs/python/[email protected]/tests_integ/policy/test_policy_engine_client.py:18
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0131b158d932d4d7 Environment-variable access.
pkgs/python/[email protected]/tests_integ/runtime/test_runtime_passthrough.py:24
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e29253ed9efa2a6 Environment-variable access.
pkgs/python/[email protected]/tests_integ/runtime/test_runtime_passthrough.py:52
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ad2e016b9ff649f Environment-variable access.
pkgs/python/[email protected]/tests_integ/runtime/test_runtime_passthrough.py:53
        cls.role_arn = os.environ.get("RUNTIME_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec5f5d99644eec97 Environment-variable access.
pkgs/python/[email protected]/tests_integ/runtime/test_runtime_passthrough.py:54
        cls.s3_code_uri = os.environ.get("RUNTIME_S3_CODE_URI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #700d8a10e490ffd7 Filesystem access.
pkgs/python/[email protected]/tests_integ/runtime/test_simple_agent.py:13
        with open(self.agent_module + ".py", "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #703814c50a2f9853 Filesystem access.
pkgs/python/[email protected]/tests_integ/runtime/test_websocket_agent.py:18
        with open(self.agent_module + ".py", "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cef25411be0c1de3 Environment-variable access.
pkgs/python/[email protected]/tests_integ/services/test_resource_policy.py:45
        cls.resource_arn = os.environ.get("RESOURCE_POLICY_TEST_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b7d7cc3b139d212 Environment-variable access.
pkgs/python/[email protected]/tests_integ/services/test_resource_policy.py:46
        cls.principal_arn = os.environ.get("RESOURCE_POLICY_TEST_PRINCIPAL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d054ea09ab00fbd8 Environment-variable access.
pkgs/python/[email protected]/tests_integ/services/test_resource_policy.py:47
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-west-2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a0a5b67130374cf8 Environment-variable access.
pkgs/python/[email protected]/tests_integ/tools/test_code.py:236
secret_arn = os.environ.get("TEST_ROOT_CA_SECRET_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f71f8311aea06750 Environment-variable access.
pkgs/python/[email protected]/tests_integ/tools/test_code.py:237
execution_role_arn = os.environ.get("TEST_EXECUTION_ROLE_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bc8d142444a896cb Environment-variable access.
pkgs/python/[email protected]/tests_integ/tools/test_code_interpreter_client.py:40
        cls.region = os.environ.get("BEDROCK_TEST_REGION", "us-east-1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

snowflake-connector-python

python dependency
medium telemetry dependency Excluded from app score #537cc1606b8b61b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/snowflake/connector/aio/_network.py:220
            from opentelemetry.trace.propagation.tracecontext import (
                TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b30247c3bf27d7f1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/snowflake/connector/network.py:486
            from opentelemetry.trace.propagation.tracecontext import (
                TraceContextTextMapPropagator,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 156 low-confidence finding(s)
low env_fs dependency Excluded from app score #c896bcd774cf889e Filesystem access.
pkgs/python/[email protected]/setup.py:18
    with open(
        os.path.join(CONNECTOR_SRC_DIR, "generated_version.py"), encoding="utf-8"
    ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ab195c5d9bba579 Filesystem access.
pkgs/python/[email protected]/setup.py:23
    with open(os.path.join(CONNECTOR_SRC_DIR, "version.py"), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1714a97e2140af3f Environment-variable access.
pkgs/python/[email protected]/setup.py:47
    os.environ.get("SNOWFLAKE_DISABLE_COMPILE_ARROW_EXTENSIONS", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6a6f79f6065b241 Environment-variable access.
pkgs/python/[email protected]/setup.py:51
    os.environ.get("SNOWFLAKE_NO_BOTO", "false").lower() in _POSITIVE_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb06d352833b3c1c Environment-variable access.
pkgs/python/[email protected]/setup.py:140
                    if "std=" not in os.environ.get("CXXFLAGS", ""):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b517c077f50842cc Environment-variable access.
pkgs/python/[email protected]/setup.py:145
                        and "macosx-version-min" not in os.environ.get("CXXFLAGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #169f022d57dd7797 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/_utils.py:125
    if not os.environ.get(_SPCS_ENV_VAR):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55e9ec207c196d9b Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/_utils.py:128
        with open(_SPCS_TOKEN_PATH, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8706ccac28a103c7 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/_utils.py:298
        value = str(os.getenv("SNOWFLAKE_DISABLE_MINICORE", None)).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f99da1aca39dceb3 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_azure_storage_client.py:181
            or open(self.meta.real_src_file_name, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fabbf70a67f55b7 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:236
        if "SF_OCSP_RESPONSE_CACHE_SERVER_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ee88ed01932b9c0 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:239
                os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d935defba754e3f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:247
            if "SF_OCSP_RESPONSE_CACHE_SERVER_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #758265ad8c68998f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:248
                del os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a07b058f81d070b5 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:804
        if os.environ.get(_DISABLE_CONNECTION_SHAPE_ENV, "").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97fc38308933517b Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_connection.py:1236
            os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"] = ocsp_cache_server

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12f00c1504419773 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:92
                test_timeout = os.getenv(
                    "SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT", None
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e2adea2ff6bb6c Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:95
                sf_cache_server_url = os.getenv("SF_TEST_OCSP_CACHE_SERVER_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd4de51d72f2fad2 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:153
        self.test_mode = os.getenv("SF_OCSP_TEST_MODE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbe9b12de44bbf96 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:168
        if os.getenv("SF_OCSP_FAIL_OPEN") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f7e23d305bef216 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:171
            self.FAIL_OPEN = os.getenv("SF_OCSP_FAIL_OPEN").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f45ae4b781d65582 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:525
            test_ocsp_url = os.getenv("SF_TEST_OCSP_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bae338ac4828e30 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_ocsp_snowflake.py:526
            test_timeout = os.getenv(
                "SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT", None
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd7b3abc1a188f90 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_storage_client.py:284
            or open(self.data_file, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faa07704bcb9b45d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_wif_util.py:38
    region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b15ddc3bb8525f0 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_wif_util.py:302
    identity_endpoint = os.environ.get("IDENTITY_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10741d599b341436 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_wif_util.py:303
    identity_header = os.environ.get("IDENTITY_HEADER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f94ad0bdd885e724 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/_wif_util.py:320
    managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a40d29dfe273c684 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/auth/_webbrowser.py:88
        if os.getenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "False").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd63c64263ea5f7e Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/auth/_webbrowser.py:97
            hostname = os.getenv("SF_AUTH_SOCKET_ADDR", "localhost")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #827601cae3c11c8d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/auth/_webbrowser.py:102
                        int(os.getenv("SF_AUTH_SOCKET_PORT", 0)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab5a404397210a71 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/aio/auth/_webbrowser.py:153
                or os.getenv("SNOWFLAKE_AUTH_FORCE_SERVER", "False").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d5ed4d3014e7ab7 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/auth/_auth.py:632
    with open(privatekey_path, "rb") as key:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b384749e28b001c Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/auth/_auth.py:655
    with open(private_key_file, "rb") as key:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #205b1787833f68ac Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/_http_server.py:24
    if os.getenv("SNOWFLAKE_AUTH_SOCKET_MSG_DONTWAIT", "false").lower() != "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4e6753c9ce84d0f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/_http_server.py:79
        if os.getenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "False").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5da2ec48ef1ad19 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/by_plugin.py:74
                int(getenv("MAX_CON_RETRY_ATTEMPTS", DEFAULT_MAX_CON_RETRY_ATTEMPTS)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c3263de7749cc77 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/keypair.py:67
                os.getenv(
                    "JWT_CNXN_RETRY_ATTEMPTS", AuthByKeyPair.DEFAULT_JWT_RETRY_ATTEMPTS
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fabb1f92dbdf78d5 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/keypair.py:78
                    os.getenv(
                        "JWT_CNXN_WAIT_TIME",
                        AuthByKeyPair.DEFAULT_JWT_CNXN_WAIT_TIME,
                    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ad3511590b9a012 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/keypair.py:93
            seconds=int(os.getenv("JWT_LIFETIME_IN_SECONDS", lifetime_in_seconds))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #def8b0fcfb2bb77b Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/webbrowser.py:118
        if os.getenv("SNOWFLAKE_AUTH_SOCKET_REUSE_PORT", "False").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2c9a77c82bb0e5b Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/webbrowser.py:127
            hostname = os.getenv("SF_AUTH_SOCKET_ADDR", "localhost")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b2846bb68d47f54 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/webbrowser.py:132
                        int(os.getenv("SF_AUTH_SOCKET_PORT", 0)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e533268e928bad42 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/webbrowser.py:183
                or os.getenv("SNOWFLAKE_AUTH_FORCE_SERVER", "False").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af4f0fcd6e33562f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/auth/webbrowser.py:231
                    os.getenv("SNOWFLAKE_AUTH_SOCKET_MSG_DONTWAIT", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10eaf89f83f4bbc2 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/azure_storage_client.py:234
            or open(self.meta.real_src_file_name, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25b4ae1ea938d9cd Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/cache.py:29
test_mode = os.getenv(ENV_VAR_TEST_MODE, "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da8dfeaf8ec3773f Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/cache.py:436
            with open(tmp_file, "w") as w_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ddcab4077148e78 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/cache.py:440
                with open(tmp_file_path) as r_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b2073695e3f15e6 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/cache.py:508
            with open(self.file_path, "rb") as r_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9515a2a621afd86 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/cache.py:576
                    with open(tmp_file, "wb") as w_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #795e02c4b489018d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:45
    if SKIP_WARNING_ENV_VAR in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bfe81421cb99af2 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:46
        return os.getenv(SKIP_WARNING_ENV_VAR, "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d70f86f78eaac93 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:47
    if SPCS_INJECTED_SKIP_WARNING_ENV_VAR in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47f4137d1e68ad94 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:48
        return os.getenv(SPCS_INJECTED_SKIP_WARNING_ENV_VAR, "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc66585af2cf0c1c Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:50
    if DEPRECATED_SKIP_WARNING_ENV_VAR in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2f279fec3ae8c26 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:54
        return os.getenv(DEPRECATED_SKIP_WARNING_ENV_VAR, "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f349c0c53f2a2be Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:190
        env_var = os.environ.get(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #896e758132cd4ac8 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/config_manager.py:412
                read_config_piece = tomlkit.parse(filep.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30aa3f9d73844c3c Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:197
    with open(private_key_file, "rb") as key:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa8261e54d404973 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1379
        os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"] = ocsp_cache_server

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8eb798e76bf634f6 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1399
        if "SF_OCSP_RESPONSE_CACHE_SERVER_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #744645b7c9a07151 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1402
                os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7c132a103f7a377 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1408
            if "SF_OCSP_RESPONSE_CACHE_SERVER_URL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb919c7475057bbf Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1409
                del os.environ["SF_OCSP_RESPONSE_CACHE_SERVER_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7ca7212e097d3d7 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:1796
            with open(token_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd6765bcf2586d4d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:2634
        if os.environ.get(_DISABLE_CONNECTION_SHAPE_ENV, "").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53504bd57ec41ecb Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:2698
        if ENV_VAR_PARTNER in os.environ.keys():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dbee8c2055fd3dd Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection.py:2699
            return os.environ[ENV_VAR_PARTNER]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #038c702ab650a114 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:120
            proxy_url = os.getenv("HTTPS_PROXY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c14920ab05c22b57 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:318
            results_file = open(self.full_connection_diag_allowlist_path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a83d7a626de675cf Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:508
            if proxy_key in os.environ.keys():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10fa9060ec59bfc8 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:509
                env_proxy_backup[proxy_key] = os.environ.get(proxy_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11a4756d0d8d30a3 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:510
                del os.environ[proxy_key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #140daf8ab7d26309 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:538
            os.environ[restore_key] = env_proxy_backup[restore_key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63f12e43cf90e6e7 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/connection_diagnostic.py:698
        self.report_file.write_text(message)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #438cdd3f78fccb2f Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:337
                    with open(crl_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba98bf48da980e9f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:709
    if "USERPROFILE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efd91ed40a2a99ba Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:710
        return Path(os.environ["USERPROFILE"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de239b8be9313e9d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:711
    if "HOMEDRIVE" in os.environ and "HOMEPATH" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e4bddf37ad83386 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:712
        return Path(os.environ["HOMEDRIVE"]) / os.environ["HOMEPATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #473468e874cf4162 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:713
    if "LOCALAPPDATA" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9a3a1895f66d726 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:714
        return Path(os.environ["LOCALAPPDATA"]).parent.parent

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16f0a203d5db09ba Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:715
    if "APPDATA" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c0c79eb03eab4f5 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/crl_cache.py:716
        return Path(os.environ["APPDATA"]).parent.parent

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f491739998cd55a3 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/cursor.py:2057
        if "NANOARROW_USAGE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaa29aa089a65661 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/encryption_util.py:141
        with open(in_filename, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0a3ad807342d8e9 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/encryption_util.py:215
        with open(in_filename, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #477068d7c71dd637 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/encryption_util.py:216
            with open(temp_output_file, "wb", opener=file_opener) as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4ffcfcabb58a066 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/file_transfer_agent.py:1171
                        with open(file_name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #074ec103b928f559 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/file_util.py:79
        with open(file_name, "rb") as fr:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a8a3f0283255e2f Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/file_util.py:97
        with open(gzip_file_name, "r+b") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d0a6d97c3e87ac1 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/file_util.py:148
        with open(file_name, "rb") as src:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8bdbe5fe7fbc674 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/local_storage_client.py:55
        with open(self.stage_file_name, "rb") as sfd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #429e9693186335b5 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/local_storage_client.py:56
            with open(
                os.path.join(
                    self.meta.local_location,
                    os.path.basename(self.intermediate_dst_path),
                ),
                "rb+",
            ) as tfd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6aa337630e06a81 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/local_storage_client.py:80
        with open(self.full_dst_file_name, "wb+") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #930559456925d0a0 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/local_storage_client.py:84
        with open(self.full_dst_file_name, "rb+") as tfd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49dd19853df27ce4 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_asn1crypto.py:88
        with open(ca_bundle_file, "rb") as all_certs:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47b0ef242352fa04 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_asn1crypto.py:247
                ocsp_load_failure = getenv("SF_TEST_OCSP_FORCE_BAD_OCSP_RESPONSE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #937703c433282480 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_asn1crypto.py:324
            test_cert_status = getenv("SF_TEST_OCSP_CERT_STATUS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee163292c0bc1900 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:416
    MAX_RETRY = int(os.getenv("OCSP_MAX_RETRY", "3"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ce29fe0acaf7416 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:434
            self.CACHE_SERVER_URL = os.getenv(
                "SF_OCSP_RESPONSE_CACHE_SERVER_URL",
                "{}/{}".format(
                    self.DEFAULT_CACHE_SERVER_URL,
                    OCSPCache.OCSP_RESPONSE_CACHE_FILE_NAME,
                ),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91199b2e0e5c3c82 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:442
            self.CACHE_SERVER_URL = os.getenv("SF_OCSP_RESPONSE_CACHE_SERVER_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71b547ac1c6f0737 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:445
            os.getenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "true") != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #035d3071d838a396 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:453
        return os.getenv("SF_OCSP_ACTIVATE_NEW_ENDPOINT", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a86ee2d7160b85ad Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:542
                test_timeout = os.getenv(
                    "SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT", None
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e4f127f9e3b84e9 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:545
                sf_cache_server_url = os.getenv("SF_TEST_OCSP_CACHE_SERVER_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67840d8912ed8c46 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:640
        OCSPCache.CACHE_DIR = os.getenv("SF_OCSP_RESPONSE_CACHE_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d106c311852cae5a Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1044
        self.test_mode = os.getenv("SF_OCSP_TEST_MODE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11187a06b93a9468 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1059
        if os.getenv("SF_OCSP_FAIL_OPEN") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2681776d4886a3ff Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1062
            self.FAIL_OPEN = os.getenv("SF_OCSP_FAIL_OPEN").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #847ad0bcb3911ce0 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1196
        return os.getenv("SF_OCSP_DO_RETRY", "true") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbb38ded2cd24d15 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1431
                    ca_bundle = environ.get("REQUESTS_CA_BUNDLE") or environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3944cc8e4770e289 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1431
                    ca_bundle = environ.get("REQUESTS_CA_BUNDLE") or environ.get(
                        "CURL_CA_BUNDLE"
                    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3928661298d8213 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1513
            force_validity_fail = os.getenv("SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85a379dcc336cf7d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1619
            test_ocsp_url = os.getenv("SF_TEST_OCSP_URL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8d51e1569f54b47 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1620
            test_timeout = os.getenv(
                "SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT", None
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdf1afa701d72542 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ocsp_snowflake.py:1752
            test_cert_status = os.getenv("SF_TEST_OCSP_CERT_STATUS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bef9744d2514bc3 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/options.py:104
        if "ARROW_DEFAULT_MEMORY_POOL" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49b1533874b44a3f Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/options.py:105
            os.environ["ARROW_DEFAULT_MEMORY_POOL"] = "system"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f3b96669fa9d941 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/os_details.py:45
    with open("/etc/os-release", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccca5d955805ec22 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:121
        if "LAMBDA_TASK_ROOT" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d04d2ea0483b0945 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:231
        if all(var in os.environ for var in service_vars)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b31d42b131d1edb2 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:275
    return bool(os.environ.get("IDENTITY_HEADER"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cb4432c25d22a49 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:358
        if all(var in os.environ for var in service_vars)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dbd0494f55aad36 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:377
        if all(var in os.environ for var in job_vars)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77920c9553014bd7 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:427
        if "GITHUB_ACTIONS" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83f7ffac6066d69b Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:442
        if os.environ.get("SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc9862650dc7cada Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/platform_detection.py:472
            os.environ.get(ENV_VAR_DISABLE_PLATFORM_DETECTION, "").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36c6ab872ad40007 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/secret_detector.py:15
MIN_TOKEN_LEN = os.getenv("MIN_TOKEN_LEN", 32)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #998be0ba3c8380af Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/secret_detector.py:16
MIN_PWD_LEN = os.getenv("MIN_PWD_LEN", 8)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81c5ec4111ce9200 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/sf_dirs.py:31
        os.environ.get("SNOWFLAKE_HOME", "~/.snowflake/"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d49f73723fcba5e0 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/ssl_wrap_socket.py:64
    return os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("SSL_CERT_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b70a5845f4e3c46f Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/storage_client.py:428
            or open(self.data_file, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6a4689887eb9edf Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/test_util.py:10
RUNNING_ON_JENKINS = os.getenv("JENKINS_HOME") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b741001848fe609 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/test_util.py:11
REGRESSION_TEST_LOG_DIR = os.getenv("CLIENT_LOG_DIR_PATH_DOCKER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b86a9edd201a19bc Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/token_cache.py:291
            env_val = os.getenv(env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd438ed012a96d5 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/tool/dump_certs.py:43
        open(f)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbf373aa9731f397 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/tool/dump_ocsp_response_cache.py:177
    with open(hostname_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f5a8819762257a1 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/sessions.py:768
                    os.environ.get("REQUESTS_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44ad9faf5349cca6 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/sessions.py:769
                    or os.environ.get("CURL_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77e89acc6dedd6f3 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:210
    netrc_file = os.environ.get("NETRC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fce08e7c98b1dd57 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:743
        old_value = os.environ.get(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #957b4500df9ce28a Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:744
        os.environ[env_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4e28344ec940af4 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:750
                del os.environ[env_name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1dfac72f7407698 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:752
                os.environ[env_name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4fe9633d5a84fce Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/requests/utils.py:765
        return os.environ.get(key) or os.environ.get(key.upper())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca7827eb7fbf51a5 Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/urllib3/contrib/emscripten/fetch.py:204
        streaming_worker_code = (
            files(__package__)
            .joinpath("emscripten_fetch_worker.js")
            .read_text(encoding="utf-8")
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f1d0ffa7660f6cc Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/urllib3/util/ssl_.py:317
    if "SSLKEYLOGFILE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4bc4fdde166f3ed Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/urllib3/util/ssl_.py:318
        sslkeylogfile = os.path.expandvars(os.environ.get("SSLKEYLOGFILE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6670300232b577bd Filesystem access.
pkgs/python/[email protected]/src/snowflake/connector/vendored/urllib3/util/ssl_.py:452
    with open(key_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04fa4bc316390963 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/wif_util.py:99
    region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a08b4c5d1c35596e Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/wif_util.py:200
        os.environ.get("SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea7fa110c7c1327b Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/wif_util.py:417
    identity_endpoint = os.environ.get("IDENTITY_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5113ae6134f05c78 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/wif_util.py:418
    identity_header = os.environ.get("IDENTITY_HEADER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d828e6acbad5be9 Environment-variable access.
pkgs/python/[email protected]/src/snowflake/connector/wif_util.py:435
    managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

rich

python dependency
medium telemetry dependency Excluded from app score #210727cec0ead320 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/rich/progress.py:173
        yield from progress.track(
            sequence,
            total=total,
            completed=completed,
            description=description,
            update_period=update_period,
        )

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #467a30d8f53c74be Environment-variable access.
pkgs/python/[email protected]/rich/_unicode_data/__init__.py:67
        unicode_version = os.environ.get("UNICODE_VERSION", "latest")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de572ff7ef8e47fb Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:441
        self.write_text(text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc0f14ebf220b6d9 Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:612
    term.write_text("went back and wrapped to prev line")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #440406269e972f8c Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:615
    term.write_text("we go up")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #474aa24586e83917 Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:618
    term.write_text("and down")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #797741cef70490a7 Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:623
    term.write_text("we went up and back 2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #542ec0add7498c7e Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:628
    term.write_text("we went down and back 2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd9cbb57ef6bd8f1 Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:636
    term.write_text("The red arrow shows the cursor location, and direction of erase")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bc1bf9f5c9995ba Filesystem access.
pkgs/python/[email protected]/rich/_win32_console.py:646
    term.write_text("The red arrow shows the cursor location, and direction of erase")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ade24047c3a8eb0 Filesystem access.
pkgs/python/[email protected]/rich/_windows_renderer.py:19
                term.write_text(text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4dad0cb41f0f053 Filesystem access.
pkgs/python/[email protected]/rich/_windows_renderer.py:28
                    term.write_text("\r")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd85030aa3286716 Environment-variable access.
pkgs/python/[email protected]/rich/console.py:515
        or os.getenv("DATABRICKS_RUNTIME_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06d2e7a1be884c27 Environment-variable access.
pkgs/python/[email protected]/rich/console.py:617
    _environ: Mapping[str, str] = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4232a27396e438f8 Filesystem access.
pkgs/python/[email protected]/rich/console.py:2241
        with open(path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0def62ace4656636 Filesystem access.
pkgs/python/[email protected]/rich/console.py:2349
        with open(path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #675f723f3af969d9 Filesystem access.
pkgs/python/[email protected]/rich/console.py:2641
        with open(path, "w", encoding="utf-8") as write_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91bf261353c8413f Environment-variable access.
pkgs/python/[email protected]/rich/diagnose.py:32
    env = {name: os.getenv(name) for name in env_names}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5322a279bfabd20 Filesystem access.
pkgs/python/[email protected]/rich/json.py:134
            json_data = Path(args.path).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27cf8ee81246a79f Filesystem access.
pkgs/python/[email protected]/rich/markdown.py:777
        with open(args.path, encoding="utf-8") as markdown_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ee6de22a9ec118f Filesystem access.
pkgs/python/[email protected]/rich/progress.py:1373
        handle = io.open(file, "rb", buffering=buffering)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58df63d5f965054f Filesystem access.
pkgs/python/[email protected]/rich/syntax.py:360
        code = Path(path).read_text(encoding=encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db39a4a45f9bb3ba Filesystem access.
pkgs/python/[email protected]/rich/theme.py:73
        with open(path, encoding=encoding) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

PyGithub

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #28c430a470f3add6 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:290
with open("github_objects.rst", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f34923c92b0309d5 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:301
    with open("github_objects/" + githubClass + ".rst", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1366330fd380324c Filesystem access.
pkgs/python/[email protected]/doc/conf.py:309
    with open("../github/" + githubClass + ".py") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94c7a94386d71830 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:356
with open("apis.rst", "w") as apis:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad34434c77b66bbb Filesystem access.
pkgs/python/[email protected]/github/Requester.py:632
            f = open(local_path, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cb5aa249e74e7456 Filesystem access.
pkgs/python/[email protected]/scripts/add_attribute.py:95
with open(fileName) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b408d556dfcbc022 Filesystem access.
pkgs/python/[email protected]/scripts/add_attribute.py:204
with open(fileName, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8a9c678fd4f044c6 Filesystem access.
pkgs/python/[email protected]/scripts/fix_headers.py:180
        with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #16f7b94abdb872fb Filesystem access.
pkgs/python/[email protected]/scripts/fix_headers.py:185
            with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

SQLAlchemy

python dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #576ce8096ab88ef5 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:42
            with open(
                Path(cachedir) / "sqla_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61efc8d483a75846 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:56
            with open(
                Path(cachedir) / "plain_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f26472c3a3ff2c35 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:106
            os.environ.pop("MYPY_FORCE_COLOR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdcf844ad7bcb740 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:146
        with open(path) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a70eb58f4ddc168 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:398
    if os.environ.get("REQUIRE_SQLALCHEMY_CEXT", "0") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faad33af5ce72486 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:455
            with open(options.write_idents, "a") as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7beee1279c1d0bc5 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/pytestplugin.py:880
        return os.environ.get("PYTEST_CURRENT_TEST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d24d3309e233fbb Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:200
            profile_f = open(self.fname)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a8a35cccdb9c2d2 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:219
        profile_f = open(self.fname, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #607f5a9d23ef2528 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/provision.py:453
    with open(idents_file) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06252e217b87faa3 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/util/_has_cy.py:27
    if os.environ.get("DISABLE_SQLALCHEMY_CEXT_RUNTIME"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61e8eba31508d753 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:134
            Path(destination_path).write_text(
                text, encoding="utf-8", newline="\n"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e83087cb9574b0a9 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:146
            with open(tempfile) as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #176381346586d004 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:162
            with open(source_file, encoding="utf-8") as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bf14ae6848a8062 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:169
        with open(destination_path, encoding="utf-8") as dp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92de8c4bd849d849 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:95
    cmd.extend(os.environ.get(dburl_env, default_dburl).split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91dc2e77f7686def Environment-variable access.
pkgs/python/[email protected]/noxfile.py:106
    env_dbdrivers = os.environ.get(extra_driver_env, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe26b268dd61e656 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:269
    cmd.extend(os.environ.get("TOX_WORKERS", "-n4").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dbe1331887f9c5f Environment-variable access.
pkgs/python/[email protected]/setup.py:23
DISABLE_EXTENSION = bool(os.environ.get("DISABLE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91363dcd5cc25d25 Environment-variable access.
pkgs/python/[email protected]/setup.py:24
REQUIRE_EXTENSION = bool(os.environ.get("REQUIRE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6d0f374e9d832f4f Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:155
    original = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #05b09c18e93056e9 Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:313
                file.write_text(updated, "utf-8", newline="\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ff7fd6f8d9072fa7 Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:145
    with open(fn.__code__.co_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #27a7e134223af3ff Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:373
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #964b1bb854da4d42 Filesystem access.
pkgs/python/[email protected]/tools/generate_sql_functions.py:38
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a18579b0339c0207 Filesystem access.
pkgs/python/[email protected]/tools/generate_tuple_map_overloads.py:53
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7bebf59a37eb7aac Filesystem access.
pkgs/python/[email protected]/tools/normalize_file_headers.py:27
    content = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8969c1ddc2db85ea Filesystem access.
pkgs/python/[email protected]/tools/sync_test_files.py:35
    source_data = Path(source).read_text().replace(remove_str, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

aiobotocore

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #32e5d16e08ef260f Environment-variable access.
pkgs/python/[email protected]/aiobotocore/configprovider.py:19
        if os.environ.get('AWS_EXECUTION_ENV'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b71883c796dc08e6 Environment-variable access.
pkgs/python/[email protected]/aiobotocore/configprovider.py:20
            default_region = os.environ.get('AWS_DEFAULT_REGION')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #346d111640f7f8c2 Environment-variable access.
pkgs/python/[email protected]/aiobotocore/configprovider.py:21
            current_region = os.environ.get('AWS_REGION', default_region)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb090ad14b3232c4 Environment-variable access.
pkgs/python/[email protected]/aiobotocore/httpsession.py:206
                os.environ.get('BOTO_EXPERIMENTAL__ADD_PROXY_HOST_HEADER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56c62eefd1ea3b47 Environment-variable access.
pkgs/python/[email protected]/aiobotocore/httpxsession.py:180
                os.environ.get('BOTO_EXPERIMENTAL__ADD_PROXY_HOST_HEADER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e7f5d76840fa80d Environment-variable access.
pkgs/python/[email protected]/aiobotocore/utils.py:97
            env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

aiocache

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #30330e240a6af840 Environment-variable access.
pkgs/python/[email protected]/aiocache/base.py:62
                if os.getenv("AIOCACHE_DISABLE") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #15b3d61da70c78c8 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:70
    version = re.findall(r'__version__ = "(.+?)"', _path.read_text())[0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3962a7e20e336b49 Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:134
on_rtd = os.environ.get("READTHEDOCS", None) == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a49cb2e96358105 Filesystem access.
pkgs/python/[email protected]/setup.py:8
    version = re.findall(r"^__version__ = \"([^']+)\"\r?$", p.read_text(), re.M)[0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b23398ebea16bacd Filesystem access.
pkgs/python/[email protected]/setup.py:12
readme = Path(__file__).with_name("README.rst").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

appdirs

python dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #9e7d798fbd099257 Environment-variable access.
pkgs/python/[email protected]/appdirs.py:92
        path = os.getenv('XDG_DATA_HOME', os.path.expanduser("~/.local/share"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9ba240bda1e44a4 Environment-variable access.
pkgs/python/[email protected]/appdirs.py:147
        path = os.getenv('XDG_DATA_DIRS',
                         os.pathsep.join(['/usr/local/share', '/usr/share']))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fae571aecdce25e Environment-variable access.
pkgs/python/[email protected]/appdirs.py:198
        path = os.getenv('XDG_CONFIG_HOME', os.path.expanduser("~/.config"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92a7de58f2db8cb7 Environment-variable access.
pkgs/python/[email protected]/appdirs.py:243
        path = os.getenv('XDG_CONFIG_DIRS', '/etc/xdg')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f16624ff31253bc Environment-variable access.
pkgs/python/[email protected]/appdirs.py:306
        path = os.getenv('XDG_CACHE_HOME', os.path.expanduser('~/.cache'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc21587df2a2dba6 Environment-variable access.
pkgs/python/[email protected]/appdirs.py:348
        path = os.getenv('XDG_STATE_HOME', os.path.expanduser("~/.local/state"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ee98bf1c0e77673 Filesystem access.
pkgs/python/[email protected]/setup.py:18
    inf = open(os.path.join(os.path.dirname(__file__), fname))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

av

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #0f6e87638823bb6d Environment-variable access.
pkgs/python/[email protected]/av/datasets.py:14
        yield os.environ["PYAV_TESTDATA_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0c981a382eeaf6c Filesystem access.
pkgs/python/[email protected]/av/datasets.py:88
    with open(tmp_path, "wb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f96a3bda99f9334 Filesystem access.
pkgs/python/[email protected]/av/video/frame.py:711
        with open(filepath, "w", options={"update": "1"}) as output:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2980688953084fbb Filesystem access.
pkgs/python/[email protected]/docs/conf.py:35
with open("../av/about.py") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #78150322c5d55fc1 Environment-variable access.
pkgs/python/[email protected]/examples/basics/hw_decode.py:24
HW_DEVICE = os.environ["HW_DEVICE"] if "HW_DEVICE" in os.environ else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b189fe0e24319e96 Environment-variable access.
pkgs/python/[email protected]/examples/basics/hw_decode.py:26
if "TEST_FILE_PATH" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8189e2965720db8c Environment-variable access.
pkgs/python/[email protected]/examples/basics/hw_decode.py:27
    test_file_path = os.environ["TEST_FILE_PATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ccea6d51add44896 Filesystem access.
pkgs/python/[email protected]/examples/basics/parse.py:26
fh = open(h264_path, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a79d6e251d183158 Environment-variable access.
pkgs/python/[email protected]/setup.py:82
    pkg_config = os.environ.get("PKG_CONFIG", "pkg-config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-identity

python dependency
expand_more 105 low-confidence finding(s)
low env_fs dependency Excluded from app score #a3bf350a8d8c8eac Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/app_service.py:22
    url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8171f5fdff8864a0 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/app_service.py:23
    secret = os.environ.get(EnvironmentVariables.IDENTITY_HEADER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d76356529f6299aa Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azd_cli.py:239
        path = os.environ.get("SYSTEMROOT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e8355a6349bdf5b Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azd_cli.py:322
            "env": dict(os.environ, NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52b50d75c9541125 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_arc.py:52
    with open(key_file, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60bf714ca90f3db4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_arc.py:74
        program_data_path = os.environ.get("PROGRAMDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05453a91dd8e59ff Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_cli.py:240
        path = os.environ.get("SYSTEMROOT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5634cb50d84ab94 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_cli.py:278
            "env": dict(os.environ, AZURE_CORE_NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e6c6393bc9c6ec7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_ml.py:23
    url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #989153ee4dade6f9 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_ml.py:24
    secret = os.environ.get(EnvironmentVariables.MSI_SECRET)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dfb1ff522c5dca6 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_pipelines.py:25
    base_uri = os.environ[SYSTEM_OIDCREQUESTURI].rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92e756a549ce6165 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_pipelines.py:37
    if SYSTEM_OIDCREQUESTURI not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #369989ff1de8168a Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/certificate.py:149
        with open(certificate_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f504407caba9a2f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/cloud_shell.py:34
        url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f9d63031003445c Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:154
            "interactive_browser_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d678287b91ab211f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:158
            "managed_identity_client_id", os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9f2b73e5e6353c4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:162
            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5703b1dcc4fe548c Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:166
        broker_tenant_id = kwargs.pop("broker_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfe45786a44fb838 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:169
        shared_cache_username = kwargs.pop("shared_cache_username", os.environ.get(EnvironmentVariables.AZURE_USERNAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c96d8752219dacb Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:171
            "shared_cache_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ced7a7da0221a73e Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:176
        token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #115abb3c085f75e0 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:268
                        token_file_path=os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c9e07f9474f6bc9 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:63
        if all(os.environ.get(v) is not None for v in EnvironmentVariables.CLIENT_SECRET_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bee52935bb4451e2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:65
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c70f345f236bd41 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:66
                client_secret=os.environ[EnvironmentVariables.AZURE_CLIENT_SECRET],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c620ba415889e2cb Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:67
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31c246e65143c362 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:70
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.CERT_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e20b7f43d4ee23f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:72
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #214d5394fddbd14a Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:73
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ad0dc574415e0a5 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:74
                certificate_path=os.environ[EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PATH],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07857822c5dd0ea4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:75
                password=os.environ.get(EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PASSWORD),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e91f5204e8689214 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:77
                    os.environ.get(EnvironmentVariables.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa238d0f2b3d8260 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:81
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.USERNAME_PASSWORD_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1b04901dd55166c Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:83
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7385dd317515dcb3 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:84
                username=os.environ[EnvironmentVariables.AZURE_USERNAME],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24a74f2034cbfe73 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:85
                password=os.environ[EnvironmentVariables.AZURE_PASSWORD],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5acd42616629f324 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:86
                tenant_id=os.environ.get(EnvironmentVariables.AZURE_TENANT_ID),  # optional for username/password auth

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a28f0a7a7f8b188 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:106
            set_variables = [v for v in expected_variables if v in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f920c9fc37b8dba Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/imds.py:60
        os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST, IMDS_AUTHORITY).strip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20e89a899c58c211 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/imds.py:90
        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ceb4be171d33edcb Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:82
        if os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a617b15fa3f24b9 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:83
            if os.environ.get(EnvironmentVariables.IDENTITY_HEADER):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa606b27b2d991e8 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:84
                if os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #398d4179871cf757 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:98
            elif os.environ.get(EnvironmentVariables.IMDS_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42b21a2a06eb0da5 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:103
        elif os.environ.get(EnvironmentVariables.MSI_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bb53cb634ba3236 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:104
            if os.environ.get(EnvironmentVariables.MSI_SECRET):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a32d16192e698e34 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:115
            all(os.environ.get(var) for var in EnvironmentVariables.WORKLOAD_IDENTITY_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79ecc636f1775812 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:120
            workload_client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d46992c490fc191e Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:131
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e944a607cd1d3a45 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:133
                token_file_path=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9b79a6f11530b92 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:42
    url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35e821acecd7f0b0 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:43
    secret = os.environ.get(EnvironmentVariables.IDENTITY_HEADER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d6b8d92777b586 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:44
    thumbprint = os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d524f178b294d4f Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/vscode.py:50
            with open(expanded_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c03e7d429bf110d9 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:33
            with open(self._token_file_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #980883e7c342a1ac Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:79
        tenant_id = tenant_id or os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #980673fd2641157b Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:80
        client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18633b49cd2300c8 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:81
        token_file_path = token_file_path or os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #494e4550b4b1825b Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/msal_credentials.py:39
        self._regional_authority = os.environ.get(EnvironmentVariables.AZURE_REGIONAL_AUTHORITY_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54284cb8dd460cb2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:90
    authority = os.environ.get(EnvironmentVariables.AZURE_AUTHORITY_HOST, KnownAuthorities.AZURE_PUBLIC_CLOUD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b9c80abdba45cac Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:151
    if default_tenant == "adfs" or os.environ.get(EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58e0d33c662ba53f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:207
    token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37a97eea30f339c4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_persistent_cache.py:88
    if sys.platform.startswith("win") and "LOCALAPPDATA" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85fde17547f2da57 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_persistent_cache.py:89
        cache_location = os.path.join(os.environ["LOCALAPPDATA"], ".IdentityService", cache_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c34b699b14627621 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azd_cli.py:221
            env=dict(os.environ, NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93e9cc82f8b08e15 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_arc.py:19
        url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #491ff3cb70546379 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_arc.py:20
        imds = os.environ.get(EnvironmentVariables.IMDS_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db4560f0aa20bd25 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_cli.py:226
            env=dict(os.environ, AZURE_CORE_NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ff1b1ac30f9e9e2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/cloud_shell.py:21
        url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a0326700da5ed43 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:135
        shared_cache_username = kwargs.pop("shared_cache_username", os.environ.get(EnvironmentVariables.AZURE_USERNAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9222806e7a3c95c Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:137
            "shared_cache_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be8a1fca720a7833 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:141
            "managed_identity_client_id", os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #657184a1992a739a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:145
            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cbd3034352678c2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:150
        token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c71eddff19129f92 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:231
                        token_file_path=os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52fcce08797df33a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:57
        if all(os.environ.get(v) is not None for v in EnvironmentVariables.CLIENT_SECRET_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d941d6595ec1619 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:59
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a57a5c80255d3731 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:60
                client_secret=os.environ[EnvironmentVariables.AZURE_CLIENT_SECRET],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fde839aa81f9f1a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:61
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0b421fbe6bdb52f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:64
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.CERT_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5219bcda2b2421df Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:66
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dde3424c73a596e7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:67
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de19ad4cb128a4a3 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:68
                certificate_path=os.environ[EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PATH],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f933ed4bcfb1e591 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:69
                password=os.environ.get(EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PASSWORD),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6036dd8cd0f413ac Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:71
                    os.environ.get(EnvironmentVariables.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f44553f33d141229 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:80
            set_variables = [v for v in expected_variables if v in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9db49ffe7f49009c Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/imds.py:54
        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6facca192ff1819a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:54
        if os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7b9af65ffc725d7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:55
            if os.environ.get(EnvironmentVariables.IDENTITY_HEADER):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c576e7af96bfbc10 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:56
                if os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #593d02603036b19c Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:70
            elif os.environ.get(EnvironmentVariables.IMDS_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cddf14d46cb46f7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:75
        elif os.environ.get(EnvironmentVariables.MSI_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f368986352d9470d Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:76
            if os.environ.get(EnvironmentVariables.MSI_SECRET):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6357c4aba1246f3e Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:87
            all(os.environ.get(var) for var in EnvironmentVariables.WORKLOAD_IDENTITY_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18305a1b53279b5b Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:92
            workload_client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3b63b1edcead22f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:103
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1ce863942bb0f5f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:105
                token_file_path=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5396548f4fee2f61 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:57
        tenant_id = tenant_id or os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40ccf3df65c98dcb Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:58
        client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1cd6ae7eb254b9d Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:59
        token_file_path = token_file_path or os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f547945352a514d Environment-variable access.
pkgs/python/[email protected]/samples/control_interactive_prompts.py:17
VAULT_URL = os.environ.get("VAULT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02e0edbb9a16af55 Environment-variable access.
pkgs/python/[email protected]/samples/credential_creation_code_snippets.py:360
        system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28ed19e719450f8c Environment-variable access.
pkgs/python/[email protected]/samples/credential_creation_code_snippets.py:374
        system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6417a2a31a759f98 Environment-variable access.
pkgs/python/[email protected]/samples/key_vault_cert.py:19
VAULT_URL = os.environ["VAULT_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da9db43e9b37e0d6 Environment-variable access.
pkgs/python/[email protected]/samples/user_authentication.py:14
VAULT_URL = os.environ.get("VAULT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

boto3

python dependency
expand_more 4 low-confidence finding(s)
low env_fs tooling reachable #12405038252acd08 Filesystem access.
pkgs/python/[email protected]/boto3/docs/__init__.py:50
        with open(service_doc_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c04f64eb6baf3a53 Filesystem access.
pkgs/python/[email protected]/boto3/docs/service.py:200
            with open(examples_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0143577d80a8a762 Filesystem access.
pkgs/python/[email protected]/setup.py:24
    init = open(os.path.join(ROOT, 'boto3', '__init__.py')).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a2e1624ae6ad25d Filesystem access.
pkgs/python/[email protected]/setup.py:32
    long_description=open('README.rst').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

browserbase

python dependency
expand_more 21 low-confidence finding(s)
low env_fs tooling reachable #a24816d3a881a12d Environment-variable access.
pkgs/python/[email protected]/examples/__init__.py:11
_BROWSERBASE_API_KEY = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fc5a9001767c4e9a Environment-variable access.
pkgs/python/[email protected]/examples/__init__.py:15
_BROWSERBASE_PROJECT_ID = os.environ.get("BROWSERBASE_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6a688babfdafd463 Environment-variable access.
pkgs/python/[email protected]/examples/e2e/test_playwright.py:23
CI = os.getenv("CI", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #47471cbc0a458749 Filesystem access.
pkgs/python/[email protected]/examples/playwright_extensions.py:42
        with open(f"{path}.zip", "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f80647cd09f3fff Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:92
            api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5380ed73eb37936 Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:100
            base_url = os.environ.get("BROWSERBASE_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d33485c8e6c1afe Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:104
        custom_headers_env = os.environ.get("BROWSERBASE_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0e202f8a9629adf Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:317
            api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e126178bd22b94f8 Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:325
            base_url = os.environ.get("BROWSERBASE_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1f7d88992b2f296 Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_client.py:329
        custom_headers_env = os.environ.get("BROWSERBASE_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #803f18138ee89d9e Filesystem access.
pkgs/python/[email protected]/src/browserbase/_files.py:69
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c05a6019f9def637 Filesystem access.
pkgs/python/[email protected]/src/browserbase/_files.py:81
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41fdefad4649854a Filesystem access.
pkgs/python/[email protected]/src/browserbase/_files.py:111
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19bbd7eb9b648204 Filesystem access.
pkgs/python/[email protected]/src/browserbase/_files.py:123
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4722aabae37ed458 Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_models.py:120
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b39490ec7da44860 Filesystem access.
pkgs/python/[email protected]/src/browserbase/_response.py:497
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d5ddc763a27e88f Filesystem access.
pkgs/python/[email protected]/src/browserbase/_response.py:539
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #618b91fcaec42f88 Environment-variable access.
pkgs/python/[email protected]/src/browserbase/_utils/_logs.py:17
    env = os.environ.get("BROWSERBASE_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4859bc3890e2c2f Filesystem access.
pkgs/python/[email protected]/src/browserbase/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48be927e5f6c47f8 Filesystem access.
pkgs/python/[email protected]/src/browserbase/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8d578b941e9f4f3 Filesystem access.
pkgs/python/[email protected]/src/browserbase/_utils/_utils.py:379
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

cel-python

python dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #24e61394597273ac Environment-variable access.
pkgs/python/[email protected]/features/environment.py:42
        context.data['runner'] = RUNNERS[os.environ.get("CEL_RUNNER", "interpreted")]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cbf8b84731e17b3 Filesystem access.
pkgs/python/[email protected]/features/steps/cli_binding.py:62
    temp.write_text("\n".join(context.data['json']) + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b5f878e94c10916 Environment-variable access.
pkgs/python/[email protected]/src/celpy/__main__.py:123
        value_text = os.environ.get(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #578a31b876791036 Filesystem access.
pkgs/python/[email protected]/src/celpy/__main__.py:543
    config_toml = config_paths[0].read_text() if config_paths else DEFAULT_CONFIG_TOML

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7b2bf97dc35bf9c Filesystem access.
pkgs/python/[email protected]/src/celpy/celparser.py:109
            CEL_grammar = (Path(__file__).parent / "cel.lark").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a55bee817bd84ba Environment-variable access.
pkgs/python/[email protected]/src/celpy/evaluation.py:1374
    if os.environ.get("CEL_TRACE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c44dd35352f00e00 Filesystem access.
pkgs/python/[email protected]/tools/gherkinize.py:1076
        with open(path, encoding="utf_8") as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #32aa0824827140c8 Filesystem access.
pkgs/python/[email protected]/tools/gherkinize.py:1093
            with open(path, "w", encoding="utf_8") as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

certifi

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #2375a8878509da8e Filesystem access.
pkgs/python/[email protected]/certifi/core.py:47
        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #869fc1301feb7a7e Filesystem access.
pkgs/python/[email protected]/certifi/core.py:83
        return read_text("certifi", "cacert.pem", encoding="ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9671f19f4adfac06 Filesystem access.
pkgs/python/[email protected]/setup.py:17
with open("certifi/__init__.py") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #684052641ba8dd0d Filesystem access.
pkgs/python/[email protected]/setup.py:30
    long_description=open("README.rst").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

click

python dependency
expand_more 31 low-confidence finding(s)
low env_fs dependency Excluded from app score #0c769cd906777eb2 Filesystem access.
pkgs/python/[email protected]/src/click/_compat.py:366
        return open(file, mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #186b5e3a8320897e Filesystem access.
pkgs/python/[email protected]/src/click/_compat.py:368
    return open(file, mode, encoding=encoding, errors=errors)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4be3a594014eec61 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:418
    pager_cmd_parts = shlex.split(os.environ.get("PAGER", ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bfbb54147bcfa94 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:424
    if os.environ.get("TERM") in ("dumb", "emacs"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93f93abc5c0496d7 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:516
    env = dict(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efe35c5c7b752b4e Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:521
        less_flags = f"{os.environ.get('LESS', '')}{' '.join(cmd_params)}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b707ab479a7b6261 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:673
            rv = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f540125599089f42 Environment-variable access.
pkgs/python/[email protected]/src/click/_termui_impl.py:695
            environ = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60df81fde4c9d056 Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:761
            with open(name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17528c645445070f Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:790
        null = open("/dev/null", "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73502f99996e4288 Filesystem access.
pkgs/python/[email protected]/src/click/_termui_impl.py:916
            f = open("/dev/tty")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #350bea852fd7c570 Filesystem access.
pkgs/python/[email protected]/src/click/core.py:1243
                formatter.write_text(text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9bbf7e8d1bc7920 Filesystem access.
pkgs/python/[email protected]/src/click/core.py:1264
                formatter.write_text(epilog)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8de83183b32a1a8d Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:1557
        instruction = os.environ.get(complete_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e50c7cb070a9b77a Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:2631
            rv = os.environ.get(self.envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1489195dd067ef12 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:2637
                rv = os.environ.get(envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d354c3bed4a64a3 Environment-variable access.
pkgs/python/[email protected]/src/click/core.py:3402
            rv = os.environ.get(envvar)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a9d5508963a84d6 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:371
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93e2767da37d3958 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:372
        cword = int(os.environ["COMP_CWORD"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #206f96c1fc2a70e7 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:393
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf2ddea6a34625c8 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:394
        cword = int(os.environ["COMP_CWORD"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70bd98e8393e1f45 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:429
        cwords = split_arg_string(os.environ["COMP_WORDS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b2818b8ad0b8e35 Environment-variable access.
pkgs/python/[email protected]/src/click/shell_completion.py:430
        incomplete = os.environ["COMP_CWORD"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d04ba5b1b1e4914 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:567
                old_env[key] = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7249b0d4f2878a7d Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:570
                        del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3972c36b7928800a Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:574
                    os.environ[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #795cfb633ca3c5cd Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:580
                        del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ceb57d82613be602 Environment-variable access.
pkgs/python/[email protected]/src/click/testing.py:584
                    os.environ[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab0d0bde0deeacb9 Filesystem access.
pkgs/python/[email protected]/src/click/utils.py:149
                open(filename, mode).close()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e249c08e07a1bc02 Environment-variable access.
pkgs/python/[email protected]/src/click/utils.py:506
        folder = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69eaa1e53cbf16eb Environment-variable access.
pkgs/python/[email protected]/src/click/utils.py:517
        os.environ.get("XDG_CONFIG_HOME", os.path.expanduser("~/.config")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

contextual-client

python dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #a73198f98c4de151 Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:89
            api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc239c1683fd4c29 Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:91
            if os.getenv('SNOWFLAKE_INTERNAL_API_SERVICE', False):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d96ec6546f44b67f Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:100
            base_url = os.environ.get("CONTEXTUAL_AI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #538a6339594111ff Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:312
            api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a11b142221e1292f Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:314
            if os.getenv('SNOWFLAKE_INTERNAL_API_SERVICE', False):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61c8db9aca795a65 Environment-variable access.
pkgs/python/[email protected]/src/contextual/_client.py:323
            base_url = os.environ.get("CONTEXTUAL_AI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35661ed6d9ca5ac6 Filesystem access.
pkgs/python/[email protected]/src/contextual/_files.py:67
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70283b1a3ad07370 Filesystem access.
pkgs/python/[email protected]/src/contextual/_files.py:79
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdfc7df4a7665cd2 Filesystem access.
pkgs/python/[email protected]/src/contextual/_files.py:109
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #603de1c64a234003 Filesystem access.
pkgs/python/[email protected]/src/contextual/_files.py:121
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34bf04effa542cd3 Environment-variable access.
pkgs/python/[email protected]/src/contextual/_models.py:97
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91514d34d97ed9c7 Filesystem access.
pkgs/python/[email protected]/src/contextual/_response.py:494
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98e4518153463181 Filesystem access.
pkgs/python/[email protected]/src/contextual/_response.py:536
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22a077fc4a849e99 Environment-variable access.
pkgs/python/[email protected]/src/contextual/_utils/_logs.py:17
    env = os.environ.get("CONTEXTUAL_AI_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b68eb5572dd2852 Filesystem access.
pkgs/python/[email protected]/src/contextual/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38c722898febdcdf Filesystem access.
pkgs/python/[email protected]/src/contextual/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e675a3f8acd44e61 Filesystem access.
pkgs/python/[email protected]/src/contextual/_utils/_utils.py:367
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

crewai-files

python dependency
expand_more 16 low-confidence finding(s)
low env_fs dependency Excluded from app score #b847132c8b03ab23 Filesystem access.
pkgs/python/[email protected]/src/crewai_files/core/sources.py:263
            self._content = self.path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #baaffcf6f61b2b24 Filesystem access.
pkgs/python/[email protected]/src/crewai_files/core/sources.py:282
        with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bcb8a73afc64232 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/formatting/api.py:294
        s3_bucket = os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a36cbadf94ab3e1 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/formatting/api.py:333
        s3_bucket_owner = os.environ.get("CREWAI_BEDROCK_S3_BUCKET_OWNER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bdc3131172ad344 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/anthropic.py:39
        self._api_key = api_key or os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63f172edeb71c827 Filesystem access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:94
    with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15eff189dfe2e179 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:128
        self._bucket_name = bucket_name or os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e290559d4514a0b8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5883aa0f4b71a25 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:129
        self._bucket_owner = bucket_owner or os.environ.get(
            "CREWAI_BEDROCK_S3_BUCKET_OWNER"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32de4b2ea8df3122 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f21eeb620218ed3 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:133
        self._region = region or os.environ.get(
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5315a23554f3bdc Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:134
            "AWS_REGION", os.environ.get("AWS_DEFAULT_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e119d8b07749c2d1 Filesystem access.
pkgs/python/[email protected]/src/crewai_files/uploaders/bedrock.py:269
                with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d8de2777247b4f9 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/factory.py:192
            not os.environ.get("CREWAI_BEDROCK_S3_BUCKET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02d2338979d778b8 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/gemini.py:108
        self._api_key = api_key or os.environ.get("GOOGLE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #070754a5cd0f9010 Environment-variable access.
pkgs/python/[email protected]/src/crewai_files/uploaders/openai.py:136
        self._api_key = api_key or os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

cryptography

python dependency
expand_more 22 low-confidence finding(s)
low env_fs tooling reachable #7b2ef552fe6e2d3f Filesystem access.
pkgs/python/[email protected]/docs/conf.py:88
with open(os.path.join(base_dir, "src", "cryptography", "__about__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #606a12365b9bba90 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py:52
    with open(filename) as vector_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0b7f935bc53b9812 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py:81
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #30d20cd30ea0cc01 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/arc4/generate_arc4.py:92
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0575a46e0aa78b3e Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/cast5/generate_cast5.py:28
    with open(filename) as vector_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eedec6bd5d4af304 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/cast5/generate_cast5.py:52
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fd54806d96e7f72c Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/hkdf/generate_hkdf.py:34
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #713854074b7ed37b Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/generate_idea.py:18
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6530747a41891901 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/generate_idea.py:50
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #985d44f798c9fc29 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/verify_idea.py:22
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d9ba1b61758a611e Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py:98
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ef688aace2c692a6 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/generate_seed.py:18
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #299519866f12abcc Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/generate_seed.py:49
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4543d3c243e487e2 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/verify_seed.py:20
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b1c90ad0a6d36ca Environment-variable access.
pkgs/python/[email protected]/noxfile.py:64
        rustflags = os.environ.get("RUSTFLAGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01fe1294c056565a Environment-variable access.
pkgs/python/[email protected]/noxfile.py:239
    rustflags = os.environ.get("RUSTFLAGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11639b8e8f2e2d9d Environment-variable access.
pkgs/python/[email protected]/noxfile.py:291
    if "CARGO_INCREMENTAL" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37c059ad0ee824b4 Filesystem access.
pkgs/python/[email protected]/noxfile.py:406
        with open(f"{uuid.uuid4()}.lcov", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20a71a94b41aaadb Filesystem access.
pkgs/python/[email protected]/release.py:54
    content = p.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e1613db41295559 Filesystem access.
pkgs/python/[email protected]/release.py:60
    p.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c1627ff0d4ab34 Environment-variable access.
pkgs/python/[email protected]/src/_cffi_src/build_openssl.py:49
    out_dir = os.environ["OUT_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3332689f195826d5 Filesystem access.
pkgs/python/[email protected]/src/_cffi_src/utils.py:16
with open(os.path.join(base_src, "cryptography", "__about__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

docling-core

python dependency
expand_more 23 low-confidence finding(s)
low env_fs dependency Excluded from app score #98b7775b1dfc5829 Filesystem access.
pkgs/python/[email protected]/docling_core/cli/serialize.py:125
        output.write_text(result, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2c1a82349660fcd Filesystem access.
pkgs/python/[email protected]/docling_core/cli/view.py:72
    target_path.write_text(html_output, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e317eebdbe56aff3 Filesystem access.
pkgs/python/[email protected]/docling_core/transforms/chunker/tokenizer/huggingface.py:38
                with open(config_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #954b308ecd32f896 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6227
        filename.write_text(json.dumps(out, indent=indent), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #384cfaa8e54d8736 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6242
        return cls.model_validate_json(filename.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05e34fb7e795cdb4 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6272
        filename.write_text(stream.getvalue(), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #549c85c6c061e054 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6286
        data = yaml.load(filename.read_text(encoding="utf-8"), Loader=yaml.SafeLoader)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fbdfa6b744c4f9e Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6362
        filename.write_text(md_out, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7610ac010909ca47 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6616
        filename.write_text(html_out, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9963ddae22d96e4 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:6787
        filename.write_text(vtt_out, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d941436d9a632ee8 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:7398
        filename.write_text(out, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dd9ce9ff864f6e9 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:7491
        filename.write_text(f"{out}\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c60d242b6f15f8c Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:7528
            document_path.write_text(f"{serializer.serialize().text}\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b59606b63e015398 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/document.py:7594
            document_xml.read_text(encoding="utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0628bf36c2cd9769 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:691
        filename.write_text(json.dumps(out, indent=indent), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6fdb1e48ec67034 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:705
        return cls.model_validate_json(filename.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8da9bfdee51c5bd Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:1391
        filename.write_text(json.dumps(out, indent=indent), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30abbd1817f97a7d Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:1405
        return cls.model_validate_json(filename.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9237b6aecca11f64 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:1450
        filename.write_text(json.dumps(out, indent=indent), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63a0f00e21f3e167 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/page.py:1464
        return cls.model_validate_json(filename.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #552e232187c37ee3 Filesystem access.
pkgs/python/[email protected]/docling_core/types/doc/utils.py:124
            with zf.open(member) as src, open(target, "wb") as dst:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c16f9eebbe079164 Filesystem access.
pkgs/python/[email protected]/docling_core/utils/file.py:242
            stream = BytesIO(local_path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cba58872bac1144e Filesystem access.
pkgs/python/[email protected]/docling_core/utils/generate_docs.py:48
        output_file.write_text(json.dumps(json_schema, ensure_ascii=False, indent=2), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

exa-py

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #166114e591ef5e5b Environment-variable access.
pkgs/python/[email protected]/exa_py/api.py:50
is_beta = os.getenv("IS_BETA") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6e703f9e308d70d Environment-variable access.
pkgs/python/[email protected]/exa_py/api.py:1440
            api_key = os.environ.get("EXA_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0165903613b7b8e1 Filesystem access.
pkgs/python/[email protected]/exa_py/utils.py:185
            with open(pyproject_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc413e11831f0ec1 Filesystem access.
pkgs/python/[email protected]/exa_py/websets/imports/client.py:54
                with open(csv_data, 'r', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f7fa262a0887d94 Filesystem access.
pkgs/python/[email protected]/exa_py/websets/imports/client.py:217
                with open(csv_data, 'r', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gitpython

python dependency
expand_more 55 low-confidence finding(s)
low env_fs dependency Excluded from app score #2492faec0ff0e108 Filesystem access.
pkgs/python/[email protected]/doc/source/conf.py:50
with open(os.path.join(os.path.dirname(__file__), "..", "..", "VERSION")) as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b53000efdace3a0 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:663
    GIT_PYTHON_TRACE = os.environ.get("GIT_PYTHON_TRACE", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e29ec80c3d308a4 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:779
            new_git = os.environ.get(cls._git_exec_env_var, cls.git_exec_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e329ccdb71f9d49c Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:828
                mode = os.environ.get(cls._refresh_env_var, "raise").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0978b2d1df4c7376 Environment-variable access.
pkgs/python/[email protected]/git/cmd.py:1256
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1aecb67a7210bf9 Filesystem access.
pkgs/python/[email protected]/git/cmd.py:1278
        stdout_sink = PIPE if with_stdout else getattr(subprocess, "DEVNULL", None) or open(os.devnull, "wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26c1c21269059672 Environment-variable access.
pkgs/python/[email protected]/git/config.py:259
        config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af3a192cd0f1aa7c Filesystem access.
pkgs/python/[email protected]/git/config.py:650
                    with open(file_path, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad8bfd1d8f1351d8 Filesystem access.
pkgs/python/[email protected]/git/config.py:768
            with open(fp, "wb") as fp_open:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5338ed422a6dc8d Filesystem access.
pkgs/python/[email protected]/git/index/base.py:705
                return open(filepath, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c4d1cc9c7bc84f9 Filesystem access.
pkgs/python/[email protected]/git/index/base.py:1180
        with open(self._commit_editmsg_filepath(), "wb") as commit_editmsg_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24b729cf6eb63af6 Filesystem access.
pkgs/python/[email protected]/git/index/base.py:1187
        with open(self._commit_editmsg_filepath(), "rb") as commit_editmsg_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f17c189acf40ab18 Environment-variable access.
pkgs/python/[email protected]/git/index/fun.py:89
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba5a86d6a16fe5bd Environment-variable access.
pkgs/python/[email protected]/git/objects/commit.py:664
        env = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #224cb9585d9b3b63 Filesystem access.
pkgs/python/[email protected]/git/objects/submodule/base.py:428
        with open(git_file, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3741413ec3e46c38 Filesystem access.
pkgs/python/[email protected]/git/refs/log.py:267
        with open(filepath, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35e0ee1e14dc9f06 Filesystem access.
pkgs/python/[email protected]/git/refs/log.py:363
            fd = open(filepath, "ab")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f39bd0c42d307d5e Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:152
            with open(cls._get_packed_refs_path(repo), "rt", encoding="UTF-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bb0c897d04fd826 Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:265
            with open(os.path.join(repodir, ref_path), "rt", encoding="UTF-8") as fp:  # type: ignore[arg-type]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5474224b31b55fb Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:668
                with open(pack_file_path, "rb") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4436fd3b2f29daee Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:696
                    with open(pack_file_path, "wb") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0315184f384e55cf Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:738
            with open(abs_ref_path, "rb") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #956f2f12a1f7466c Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:822
                with open(new_abs_path, "rb") as fd1:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f64bc5dbf801ed5e Filesystem access.
pkgs/python/[email protected]/git/refs/symbolic.py:824
                with open(cur_abs_path, "rb") as fd2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b7b186d109d78eb Filesystem access.
pkgs/python/[email protected]/git/remote.py:915
        with open(fetch_head.abspath, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2e370466a68d0b2 Environment-variable access.
repo/base.py:216
        epath = path or os.getenv("GIT_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97580ec6f84e75da Environment-variable access.
repo/base.py:252
                if "GIT_WORK_TREE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0fa448b0d9059d1 Environment-variable access.
repo/base.py:253
                    self._working_tree_dir = os.getenv("GIT_WORK_TREE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c018434832ea30d Filesystem access.
repo/base.py:257
                    with open(osp.join(git_dir, "gitdir")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c139ce9718f2ffc Environment-variable access.
repo/base.py:280
                if os.environ.get("GIT_COMMON_DIR") is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f383c9d36842c871 Environment-variable access.
repo/base.py:284
                if "GIT_WORK_TREE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #608ef1657870db3e Environment-variable access.
repo/base.py:285
                    self._working_tree_dir = os.getenv("GIT_WORK_TREE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2303096d91fa460 Filesystem access.
repo/base.py:321
            common_dir = (Path(self.git_dir) / "commondir").read_text().splitlines()[0].strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbd92f5b117ea075 Filesystem access.
repo/base.py:382
        with open(filename, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #049aed1de01f3eda Filesystem access.
repo/base.py:388
        with open(filename, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f04f7b9922c143b Environment-variable access.
repo/base.py:663
            config_home = os.environ.get("XDG_CONFIG_HOME") or osp.join(os.environ.get("HOME", "~"), ".config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00ad6a3f11b74fe9 Filesystem access.
repo/base.py:922
            with open(alternates_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21b857d891dc5b81 Filesystem access.
repo/base.py:945
            with open(alternates_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ff97e6f78fb64af Filesystem access.
repo/base.py:1661
        with open(rebase_head_file, "rt") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37cc323bca9e4324 Filesystem access.
repo/fun.py:55
    with open(filename, "ab"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bab33f9a221b5b8 Environment-variable access.
repo/fun.py:69
        if (osp.isdir(osp.join(d, "objects")) or "GIT_OBJECT_DIRECTORY" in os.environ) and osp.isdir(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f9fdf151a8098c7 Filesystem access.
repo/fun.py:93
        lines = Path(dotgit).read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3664c87c9b48f2c Filesystem access.
repo/fun.py:108
        with open(d) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6d2c4670b1ee4c8 Environment-variable access.
pkgs/python/[email protected]/git/util.py:122
        value = os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #580630e097b5be0a Environment-variable access.
pkgs/python/[email protected]/git/util.py:201
    old_value = os.getenv(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bebf01b85f9b0f5 Environment-variable access.
pkgs/python/[email protected]/git/util.py:202
    os.environ[name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #293505f74099f273 Environment-variable access.
pkgs/python/[email protected]/git/util.py:207
            del os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6a68c2990d8915b Environment-variable access.
pkgs/python/[email protected]/git/util.py:209
            os.environ[name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3f10aff316b4276 Environment-variable access.
pkgs/python/[email protected]/git/util.py:338
    PATHEXT = os.environ.get("PATHEXT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #176a2a745f645fe7 Environment-variable access.
pkgs/python/[email protected]/git/util.py:374
        path = os.environ["PATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c769927fd174c1c Environment-variable access.
pkgs/python/[email protected]/git/util.py:865
                val = os.environ[evar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42a864b98aa2c6a5 Filesystem access.
pkgs/python/[email protected]/git/util.py:1051
            with open(lock_file, mode="w"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4987244f034114cf Filesystem access.
pkgs/python/[email protected]/setup.py:14
    return (Path(__file__).parent / path).read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c8a2481f80c996f Filesystem access.
pkgs/python/[email protected]/setup.py:49
        with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6ae454a2842cc06 Filesystem access.
pkgs/python/[email protected]/setup.py:59
        with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-genai

python dependency
expand_more 37 low-confidence finding(s)
low env_fs dependency Excluded from app score #3d81415d2df208c2 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:110
  env_google_api_key = os.environ.get('GOOGLE_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a94c371dde2d252 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:111
  env_gemini_api_key = os.environ.get('GEMINI_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7978d9a6ba1850f Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:616
      env_enterprise_str = os.environ.get('GOOGLE_GENAI_USE_ENTERPRISE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7df5687246f2640a Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:617
      env_vertexai_str = os.environ.get('GOOGLE_GENAI_USE_VERTEXAI', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8a2a790b75bd864 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:677
    env_project = os.environ.get('GOOGLE_CLOUD_PROJECT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fdf61cf7ed5fc56 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:678
    env_location = os.environ.get('GOOGLE_CLOUD_LOCATION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e941ad5c3dca1231 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1046
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13ae74ef509e7fc9 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1047
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5d9e9b8b851fd31 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1100
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #107bcc82f8980329 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1101
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9455e630319c088b Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1158
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13a0e3f6890b3a21 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:1159
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0064772d3e6e9b2a Filesystem access.
pkgs/python/[email protected]/google/genai/_api_client.py:1764
      with open(file_path, 'rb') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7193d1b8c78404af Environment-variable access.
pkgs/python/[email protected]/google/genai/_base_url.py:48
    return _default_base_vertex_url or os.getenv('GOOGLE_VERTEX_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5ee117cfdf01c25 Environment-variable access.
pkgs/python/[email protected]/google/genai/_base_url.py:50
    return _default_base_gemini_url or os.getenv('GOOGLE_GEMINI_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #352ad4be8a44b88b Filesystem access.
pkgs/python/[email protected]/google/genai/_gaos/types/base64fileinput.py:39
            with open(value, "rb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39ec98770c7e2e7a Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/logger.py:40
    if os.getenv("GOOGLE_GENAI_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd87f291dd1ad039 Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:95
    if os.getenv("GOOGLE_GENAI_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be74a5da6be52766 Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:96
        security_dict["api_key"] = os.getenv("GOOGLE_GENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8a111c9e678598c Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:98
    if os.getenv("GOOGLE_GENAI_ACCESS_TOKEN"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37dcc694874d4f24 Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:99
        security_dict["access_token"] = os.getenv("GOOGLE_GENAI_ACCESS_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7293ef519eff500a Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:101
    if os.getenv("GOOGLE_GENAI_DEFAULT_HEADERS"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d35108ca8579b65 Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/security.py:102
        security_dict["default_headers"] = os.getenv("GOOGLE_GENAI_DEFAULT_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c750425df26a2ad7 Environment-variable access.
pkgs/python/[email protected]/google/genai/_gaos/utils/values.py:79
    env_value = os.getenv(env_key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b431cd8d5aa33bc9 Filesystem access.
pkgs/python/[email protected]/google/genai/_local_tokenizer_loader.py:111
  with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6350f872728d18d0 Filesystem access.
pkgs/python/[email protected]/google/genai/_local_tokenizer_loader.py:128
    with open(tmp_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f873ce58051ee60 Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:223
      os.environ.get('PYTEST_CURRENT_TEST'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59c794d41ab30761 Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:315
      self.replays_directory = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74f39a2ef41d1ff8 Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:315
      self.replays_directory = os.environ.get(
          'GOOGLE_GENAI_REPLAYS_DIRECTORY', None
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7363f9374a7fc8fc Filesystem access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:359
      with open(replay_file_path, 'r') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c92065e10f8f64c4 Filesystem access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:386
    with open(replay_file_path, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68db9bef6cbb50aa Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:197
      default_factory=lambda: os.getenv('GOOGLE_GENAI_CLIENT_MODE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7349b3c12f6404f2 Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:201
      default_factory=lambda: os.getenv('GOOGLE_GENAI_REPLAYS_DIRECTORY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19b89b5fd113694a Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:205
      default_factory=lambda: os.getenv('GOOGLE_GENAI_REPLAY_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ce9ebc4265d1278 Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:9036
    image_bytes = pathlib.Path(location).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fd47277ae9a8903 Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:11421
    video_bytes = pathlib.Path(location).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2302dbcfc982efb8 Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:22491
    with open(file_path, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

httpx

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #73ad9e4de7477691 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:34
        if trust_env and os.environ.get("SSL_CERT_FILE"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f57ed6f7e0bcc059 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:35
            ctx = ssl.create_default_context(cafile=os.environ["SSL_CERT_FILE"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e8b41b04cad74e3 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:36
        elif trust_env and os.environ.get("SSL_CERT_DIR"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08a1083917c9f408 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:37
            ctx = ssl.create_default_context(capath=os.environ["SSL_CERT_DIR"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

hyperbrowser

python dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #2dbe596a8efecc17 Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/client/base.py:25
                    else os.environ.get("HYPERBROWSER_API_KEY", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28f1463d49af3d12 Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/client/base.py:30
                    else os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98aef4d22842734b Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/client/base.py:30
                    else os.environ.get(
                        "HYPERBROWSER_BASE_URL", "https://api.hyperbrowser.ai"
                    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #276a186d22aa2ebd Filesystem access.
pkgs/python/[email protected]/hyperbrowser/client/managers/async_manager/extension.py:27
            files={"file": open(file_path, "rb")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd809425d1543af3 Filesystem access.
pkgs/python/[email protected]/hyperbrowser/client/managers/async_manager/session.py:142
            with open(file_input, "rb") as file_obj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d93671cfc8759648 Filesystem access.
pkgs/python/[email protected]/hyperbrowser/client/managers/sandboxes/image_build.py:150
    with open(artifact_path, "rb") as artifact:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2dd59beef22f6ad Filesystem access.
pkgs/python/[email protected]/hyperbrowser/client/managers/sync_manager/extension.py:27
            files={"file": open(file_path, "rb")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee5825dfa05bcc07 Filesystem access.
pkgs/python/[email protected]/hyperbrowser/client/managers/sync_manager/session.py:137
            with open(file_input, "rb") as file_obj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #040a1fdedb1f3516 Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/config.py:16
        api_key = os.environ.get("HYPERBROWSER_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fff7ea35a54c875 Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/config.py:20
        base_url = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25ec1445d0a32084 Environment-variable access.
pkgs/python/[email protected]/hyperbrowser/config.py:20
        base_url = os.environ.get(
            "HYPERBROWSER_BASE_URL", "https://api.hyperbrowser.ai"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ibm-watsonx-ai

python dependency
expand_more 149 low-confidence finding(s)
low env_fs tooling reachable #58a0306fa74d263b Environment-variable access.
pkgs/python/[email protected]/docs/utils.py:62
    Version.from_tag(os.environ["DOCUMENTATION_MAX_TAG"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8884e410fb787de8 Environment-variable access.
pkgs/python/[email protected]/docs/utils.py:63
    if "DOCUMENTATION_MAX_TAG" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a6c90c0cb75c31c9 Filesystem access.
pkgs/python/[email protected]/docs/write_redirects.py:51
        source_file_path.write_text(
            REDIRECT_HTML.format(target=target), encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2344129c08d01869 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/_wrappers/httpx/global_httpx_settings.py:24
        match os.environ.get("WX_CLIENT_VERIFY_REQUESTS"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a21078254450e252 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/_wrappers/httpx_wrapper.py:316
    elif (env_max_retries := os.environ.get("WATSONX_MAX_RETRIES")) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #091e250222f84b5f Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/_wrappers/httpx_wrapper.py:328
    elif (env_delay_time := os.environ.get("WATSONX_DELAY_TIME")) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dc562d02c0ef9d1 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/_wrappers/httpx_wrapper.py:344
                    os.environ.get("WATSONX_RETRY_STATUS_CODES", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e58ca71033401f0 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/_wrappers/httpx_wrapper.py:349
            if os.environ.get("WATSONX_RETRY_STATUS_CODES")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68dddcb74cdf9582 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/ai_services.py:1428
            filename.write_text(code, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef5c6585f723d4ca Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/client.py:410
            os.environ["DEPLOYMENT_PLATFORM"] = "private"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7ff6f4ce0971076 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/client.py:473
                os.environ["DEPLOYMENT_PRIVATE"] = "icp4d"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b31df86d9d36d34 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/client.py:879
            return (path / file_name).read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b29a5bb5c1f84578 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/client.py:967
        if client_headers_env := os.environ.get("IBM_SDK_API_CLIENT_HEADERS"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4329d4a938108d74 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/credentials.py:186
            return Path(filename).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a02882630a9e3807 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/credentials.py:207
                f(os.environ[k])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ee660da7819bb85 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/credentials.py:209
                if os.environ.get(k) is not None and os.environ.get(k) != ""

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e95d730fe8d5fae8 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/credentials.py:222
                os.environ[env_key] = str(self.__dict__[property_key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf5aef9052344013 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/data_loaders/datasets/base_documents.py:330
            get_max_sample_size_limit() if os.getenv("MEM", False) else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24f8920ba80e8469 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/data_loaders/datasets/tabular.py:431
            get_max_sample_size_limit() if os.getenv("MEM", False) else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d44a9c2ac9f44529 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/deployment/base_deployment.py:719
            with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9f4a2dd7557a5fc Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/deployment/base_deployment.py:734
                    with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7b866fe021665c6 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/autoai.py:1131
                and environ.get("ENABLE_AUTOAI", "false").lower() == "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eabd00c4df3c83d4 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:140
            with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #398537e346d9ba8a Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:552
            with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd7a8ce12e08bba3 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:683
        with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1936e5097c2e5b30 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:732
        if "CPU" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b2114951cadc0a9 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:735
                    f"train_id: {train_id} --- Using {os.environ.get('CPU', 1)} CPUs"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #866369611ae2ef42 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:739
                    self.params.get("cpus_available", os.environ.get("CPU", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e264e45bdb99d8d Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/local_auto_pipelines.py:753
        with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01ce24a9fcdecdc3 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/experiment/autoai/optimizers/remote_auto_pipelines.py:882
            content = json.loads(path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c74a5de82ca12e4 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/foundation_models/embeddings/embeddings.py:644
            "verify": os.environ.get("WML_CLIENT_VERIFY_REQUESTS"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16a6fbdc1f58fa17 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/foundation_models/extensions/rag/pattern/pattern.py:1014
            with open(CONFIG_PATH, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21c0ac3fffad797b Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/functions.py:1445
            filename.write_text(file_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b1b2d2043bceb87 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:490
                os.environ.get("USER_ACCESS_TOKEN") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5124544a4dc0de06 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:491
                and os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7054a7c5f86fd1b4 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:575
                os.environ.get("USER_ACCESS_TOKEN") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f700499448369e2b Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:576
                and os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1e7bb8ed4132964 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:760
                os.environ.get("USER_ACCESS_TOKEN") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1892c9d336a9c38b Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:761
                and os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c46d57f63076e672 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1051
            with open(self.location.path, "rb") as data_buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97a0137a504dddec Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1093
            with open(location_path, "rb") as data_buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30de06640bd91661 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1137
            if os.environ.get("TRAINING_NFS_PATH"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35e315f624b6cc35 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1139
                base_path = Path(os.environ.get("TRAINING_NFS_PATH", ".")) / "0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21642e2a514e4073 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1143
                buffer = io.BytesIO(data_path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f41423b881560b7a Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1724
        if os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e16e810771f500e Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1725
            with open(os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE"), "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5e0cfd44ac34b8e Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1725
            with open(os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE"), "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9a8cb4fb4641fee Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1728
            token = os.environ.get("USER_ACCESS_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e45c6234e15495b Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/base_data_connection.py:1763
            elif not os.environ.get("MEM", False):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8ab91d37b279dd3 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1099
                    or "USER_ACCESS_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f78c1ab485807fe6 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1100
                    or "RUNTIME_ENV_ACCESS_TOKEN_FILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e2082aed597e3e7 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1415
                        os.environ.get("USER_ACCESS_TOKEN") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97c8001bce16ff17 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1416
                        and os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adf6ab84fc900590 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1515
                        os.environ.get("USER_ACCESS_TOKEN") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecc105ffacc248a9 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1516
                        and os.environ.get("RUNTIME_ENV_ACCESS_TOKEN_FILE") is None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6892a31f04d7863e Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1644
                or "USER_ACCESS_TOKEN" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55e5b41ac1c8458c Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/connections.py:1645
                or "RUNTIME_ENV_ACCESS_TOKEN_FILE" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6da3564a48ca91b Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:81
            not os.getenv("FLIGHT_SERVICE_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f47e761ef2496fe Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:100
                os.getenv("FLIGHT_SERVICE_LOCATION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09f3e89b9bb5faaf Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:101
                or os.getenv("ASSET_API_SERVICE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2743464d23393abc Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:102
                or os.getenv("CATALOG_API_SERVICE_HOST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89ff3b2b55514c53 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:104
            flight_port = os.getenv("FLIGHT_SERVICE_PORT", "443")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4b1433288baadf1 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:108
                runtime_flight_service_url = os.getenv("RUNTIME_FLIGHT_SERVICE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #974bcf55a049ee34 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:377
        if os.environ.get("TLS_ROOT_CERTS_PATH"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2eb332ab8457e4b0 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:378
            self.additional_connection_args["tls_root_certs"] = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e1caadfb856e1cc Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_service.py:378
            self.additional_connection_args["tls_root_certs"] = os.environ.get(
                "TLS_ROOT_CERTS_PATH"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80fa89c3d2f9eb63 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_sql_service.py:92
        if os.environ.get("TLS_ROOT_CERTS_PATH"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87e0e411308b460e Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_sql_service.py:93
            self.additional_connection_args["tls_root_certs"] = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f02cb8ed9246218 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/connections/flight_sql_service.py:93
            self.additional_connection_args["tls_root_certs"] = os.environ.get(
                "TLS_ROOT_CERTS_PATH"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bf6328bed732f34 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/helpers/helpers.py:87
    with open(script_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f114422cc65776c8 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/href_definitions.py:531
                    os.getenv("WATSONX_USE_PRIVATE_TOKEN_URL", "").lower().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f720fc3508d4fb1a Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/href_definitions.py:547
                    os.getenv("WATSONX_USE_PRIVATE_TOKEN_URL", "").lower().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d66f782fe3b7cd Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/import_assets.py:71
        data = file_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b76faf7aa9c9c38 Filesystem access.
repo/TestRepoSaveLoad.py:45
        output_f = open(filepath, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0f6c303aadbd0e2 Filesystem access.
repo/TestRepoSaveLoad.py:66
        modelArcFile = open(gz_file_name, "wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5682e82deadf2a08 Environment-variable access.
repo/ml_api_client.py:42
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #038168ef998aef5a Environment-variable access.
repo/ml_api_client.py:71
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #918224356fba97ac Environment-variable access.
repo/mlrepository/artifact.py:65
                        if 'DEPLOYMENT_PRIVATE' in os.environ and os.environ['DEPLOYMENT_PRIVATE'] == 'icp4d':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #361949430a30eec2 Environment-variable access.
repo/mlrepository/artifact.py:70
                        if 'DEPLOYMENT_PRIVATE' in os.environ and os.environ['DEPLOYMENT_PRIVATE'] == 'icp4d':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fd4f1da758a0d55 Filesystem access.
repo/mlrepositoryartifact/function_artifact_loader.py:30
            gz_f = open(file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd1e1048e21ccf57 Filesystem access.
repo/mlrepositoryartifact/function_artifact_reader.py:26
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6de1af914cea1ad3 Filesystem access.
repo/mlrepositoryartifact/generic_archive_pipeline_model_artifact.py:126
            with open(os.path.join(path, expected_file_name)) as data_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9f34cc0bad66745 Filesystem access.
repo/mlrepositoryartifact/generic_file_artifact_loader.py:31
            gz_f = open(file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #578231a8120a4746 Filesystem access.
repo/mlrepositoryartifact/generic_file_reader.py:32
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac723f1d8acbbb8e Filesystem access.
repo/mlrepositoryartifact/hybrid_artifact_loader.py:47
            gz_f = open(gz_file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87a2f6908c4db459 Filesystem access.
repo/mlrepositoryartifact/hybrid_artifact_loader.py:80
            gz_f = open(output_file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75f02c37b244f4cf Filesystem access.
repo/mlrepositoryartifact/hybrid_pipeline_model_reader.py:56
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3795edc57ed5ba6 Filesystem access.
repo/mlrepositoryartifact/libraries_artifact_loader.py:35
            gz_f = open(file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #927ab4374f88854f Filesystem access.
repo/mlrepositoryartifact/libraries_artifact_reader.py:26
        return open(self.library, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d677945a88a5781b Filesystem access.
repo/mlrepositoryartifact/ml_repository_artifact.py:162
                sys.stderr = open(devnull, 'w')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba1de923fdda4e6e Filesystem access.
repo/mlrepositoryartifact/runtimes_artifact_loader.py:35
            gz_f = open(file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d66c194be87f96 Filesystem access.
repo/mlrepositoryartifact/runtimes_artifact_reader.py:26
        return open(self.runtimespec_path, 'rt')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edfe8e74d71649cd Filesystem access.
repo/mlrepositoryartifact/scikit_artifact_loader.py:41
            gz_f = open(gz_file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5a0e195a3b88851 Filesystem access.
repo/mlrepositoryartifact/scikit_pipeline_model_artifact.py:29
        sys.stderr = open(os.devnull, 'w')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de8db0c87946191 Filesystem access.
repo/mlrepositoryartifact/scikit_pipeline_reader.py:67
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bce3806dfdc0d69 Filesystem access.
repo/mlrepositoryartifact/spark_artifact_loader.py:33
            gz_f = open(gz_file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5713848a9d0ff1e0 Environment-variable access.
repo/mlrepositoryartifact/spark_pipeline_reader.py:20
        self.hummingbird_env = os.getenv('HB_RUNTIME_PROVIDER', "").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14e380c0bb2b2883 Filesystem access.
repo/mlrepositoryartifact/spark_pipeline_reader.py:57
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96a27f17efeb1feb Filesystem access.
repo/mlrepositoryartifact/tensorflow_artifact_loader.py:32
            gz_f = open(gz_file_name, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b516d8fceb80bd0 Filesystem access.
repo/mlrepositoryartifact/tensorflow_pipeline_reader.py:67
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bedca2fec157e1e7 Filesystem access.
repo/mlrepositoryartifact/xgboost_model_reader.py:55
        return open(self.archive_path, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef2ffec778b11d02 Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:39
        os.environ["DEPLOYMENT_PLATFORM"] = "private"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92170446a9b205a4 Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:40
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c02ba35b53d63415 Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:73
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #690896476890b9dc Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:210
        os.environ["DEPLOYMENT_PLATFORM"] = "private"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f94e2f019e787b5c Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:211
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e081f22c3274d634 Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:238
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fb0b621faf2aaa9 Environment-variable access.
repo/mlrepositoryclient/ml_repository_api.py:264
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8725ba397edcc7de Environment-variable access.
repo/mlrepositoryclient/model_collection.py:688
                if "DEPLOYMENT_PLATFORM" in os.environ and os.environ["DEPLOYMENT_PLATFORM"] == "private":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd1985752bf04d70 Filesystem access.
repo/swagger_client/api_client.py:441
                    with open(n, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c67fcee57e2c81c1 Filesystem access.
repo/swagger_client/api_client.py:532
        with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b2ba226a96f0f9b Environment-variable access.
repo/swagger_client/rest.py:76
        if 'DEPLOYMENT_PLATFORM' in os.environ and os.environ['DEPLOYMENT_PLATFORM'] == 'private':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d14ac733f4576be0 Filesystem access.
repo/util/compression_util.py:24
        with open(filepath, 'rb') as f_in, gzip.open(gzip_filepath, 'wb+') as f_out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb0f4615dc9648ce Filesystem access.
repo/util/compression_util.py:31
            output_f = open(filepath, 'wb+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0468645054db9c99 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/messages/messages.py:22
        messages = json.loads((path / file_name).read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce128353cd874ea6 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1032
            with open("request.json", "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #575c378451157f21 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1199
                with open("request.json", "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #743d54edb14f714d Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1351
            with open(t1, "rb") as f2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea5a4274386676ad Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1370
            with open(t1, "rb") as f2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96ca2f8c9a23aacc Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1390
                with open(t2, "rb") as f1:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #287cc18811e9ae32 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:1503
            with open(t1, "rb") as f2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05cfa00b3145f328 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:2342
                json.loads(model.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2102be59adcda10 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/models.py:2489
                json.loads(model.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d4ec2e01a734d76 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/connection.py:193
    size_mem = int(findall(r"[0-9]+", environ.get("MEM", "32"))[0])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cec10e5f7cb6460d Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:373
            with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b219bb6c34e80e30 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:387
                with open(local_model_path + ".onnx", "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb61b6943d548860 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:499
                with redirect_stdout(open(os.devnull, "w")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c4f176851ed4090 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1087
        with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #845a678cc7db941b Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1091
            with open(
                "request.json", "r", encoding=auto_pipelines_parameters.get("encoding")
            ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01c01e3f25493710 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1105
            with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2086d6193186f9cf Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1109
                with open(
                    "request.json",
                    "r",
                    encoding=auto_pipelines_parameters.get("encoding"),
                ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16e7983998f362b2 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1350
        with open(pipeline_definition_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c34e89713aa70c51 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1369
        with open("schema.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d787851e8905f0 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1475
        with open(pipeline_definition_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d2ab711a4b722d2 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1494
        with open("schema.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfa75b73ee02a2bb Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1539
    with open(data_location, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba4525594e1984c4 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:1546
    with open(data_location, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48e1ccc648072711 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:2115
        with open(tmp_file, "wb") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0df859f80efe8353 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3170
            with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9082c5789f0dfe1a Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3174
                with open(
                    "request.json",
                    "r",
                    encoding=auto_pipelines_parameters.get("encoding"),
                ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d935b2b512149f73 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3189
                with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8e04e7b9d67bcbe Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3193
                    with open(
                        "request.json",
                        "r",
                        encoding=auto_pipelines_parameters.get("encoding"),
                    ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b98f27c441c9b06 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3286
            with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b06624e3d8e88b46 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3290
                with open(
                    "request.json",
                    "r",
                    encoding=auto_pipelines_parameters.get("encoding"),
                ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d372ffcbe1072bd Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3305
                with open("request.json", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77f2f1ac7fc4b0d2 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/autoai/utils.py:3309
                    with open(
                        "request.json",
                        "r",
                        encoding=auto_pipelines_parameters.get("encoding"),
                    ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5917581357f9fff8 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/utils.py:555
    f = open(filename, "wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91f61ab4137e3af0 Filesystem access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/utils.py:694
        b_model = file_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4adf7d9f3a4604b0 Environment-variable access.
pkgs/python/[email protected]/ibm_watsonx_ai/utils/utils.py:1305
        if os.environ.get(gov_env_var_name) != "True":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

json5

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #6c3321ca9ea325f4 Filesystem access.
pkgs/python/[email protected]/json5/host.py:48
        with open(path, 'rb') as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16dbe04c6efe6753 Filesystem access.
pkgs/python/[email protected]/json5/host.py:52
        with open(path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

langchain-apify

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #66d051e571443b11 Environment-variable access.
pkgs/python/[email protected]/langchain_apify/document_loaders.py:87
        apify_api_token = apify_api_token or os.getenv('APIFY_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be97ca36eb4c246d Environment-variable access.
pkgs/python/[email protected]/langchain_apify/tools.py:77
        apify_api_token = apify_api_token or os.getenv('APIFY_API_TOKEN')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

linkup-sdk

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #592bb47707e72457 Environment-variable access.
pkgs/python/[email protected]/src/linkup/_client.py:92
                api_key = os.getenv("LINKUP_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lxml

python dependency
expand_more 49 low-confidence finding(s)
low env_fs tooling reachable #9f9fd8778aaddee5 Filesystem access.
pkgs/python/[email protected]/benchmark/benchbase.py:577
        with open("callgrind.cmd", 'w') as cmd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a913e776fe3688fc Environment-variable access.
pkgs/python/[email protected]/benchmark/run_benchmarks.py:43
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e21227c2b5582b30 Environment-variable access.
pkgs/python/[email protected]/benchmark/run_benchmarks.py:46
        env = env or os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #906de2a27b728afa Filesystem access.
pkgs/python/[email protected]/benchmark/run_benchmarks.py:102
        with open(profile_input) as data_file_in:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #542debf7d5e53298 Filesystem access.
pkgs/python/[email protected]/benchmark/run_benchmarks.py:103
            with open(data_file_name, mode='w') as data_file_out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d19706eaa122a373 Environment-variable access.
pkgs/python/[email protected]/benchmark/run_benchmarks.py:170
    logging.info(f"CFLAGS={os.environ.get('CFLAGS', DISTUTILS_CFLAGS)}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #972d7907f5528a0b Filesystem access.
pkgs/python/[email protected]/buildlibxml.py:41
    with open(file, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24859b63e6efd1c1 Environment-variable access.
pkgs/python/[email protected]/buildlibxml.py:54
    if platform.machine() == 'ARM64' or os.getenv('VSCMD_ARG_TGT_ARCH') == 'arm64':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1656d1d2889a005a Environment-variable access.
pkgs/python/[email protected]/buildlibxml.py:70
            github_api_token=os.environ.get("GITHUB_API_TOKEN"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f77bfc981f9b9e6 Environment-variable access.
pkgs/python/[email protected]/buildlibxml.py:541
        env_default.update(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e09ad289ff05cd4 Filesystem access.
pkgs/python/[email protected]/buildlibxml.py:693
    with open(os.path.join(libxslt_dir, "configure"), 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d77d82c68547900 Filesystem access.
pkgs/python/[email protected]/buildlibxml.py:697
        with open(os.path.join(libxslt_dir, "configure"), 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfd8a3a6cfc7428e Environment-variable access.
pkgs/python/[email protected]/buildlibxml.py:741
    get_env = os.environ.get

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3be9ab6c48a1a572 Filesystem access.
pkgs/python/[email protected]/doc/mkhtml.py:173
    f = open_file(os.path.join(lxml_path, 'CHANGES.txt'), 'r', encoding='utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f7f605c969a42de Filesystem access.
pkgs/python/[email protected]/doc/mkhtml.py:189
    out_file = open(changelog_file_path, 'wb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2562355fc805089a Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:91
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #340ff0d15c151b04 Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:96
    doc = open(src, 'r')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f19f713fa8f6834 Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:97
    out = open(dest, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a2c26c9dba0f50f Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:145
    with open(src_path) as src:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d2526993af4a64e Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:148
    dest = open(dest_path, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbbb99c874fc7740 Filesystem access.
pkgs/python/[email protected]/doc/mklatex.py:286
    master = open( os.path.join(dirname, TARGET_FILE), "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bbba9b766cb00f5 Filesystem access.
pkgs/python/[email protected]/doc/update_performance_results.py:14
        with open(file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f282479a2850f8a Filesystem access.
pkgs/python/[email protected]/doc/update_performance_results.py:26
    with open(text_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03b2eee6aef1a4bd Filesystem access.
pkgs/python/[email protected]/doc/update_performance_results.py:51
    with open(doc_file, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4344712099a8c40b Environment-variable access.
pkgs/python/[email protected]/setup.py:26
    return [x.strip() for x in os.environ.get(name, "").split(separator) if x.strip()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c28c9e185586b0d Filesystem access.
pkgs/python/[email protected]/setup.py:52
with open("requirements.txt", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a84713b2b687e139 Filesystem access.
pkgs/python/[email protected]/setup.py:183
                with open(os.path.join(root_path, package_filename), 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bfac4f7f00a7527 Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:46
    value = os.getenv(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a23ad17e0f5c4163 Filesystem access.
pkgs/python/[email protected]/setupinfo.py:191
        with io.open(src_file, 'r', encoding='iso8859-1') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d17fe97605f93512 Filesystem access.
pkgs/python/[email protected]/setupinfo.py:195
        with io.open(dst_file, 'w', encoding='iso8859-1') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #324c928f02286ac1 Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:417
    PKG_CONFIG = os.getenv('PKG_CONFIG', 'pkg-config')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2816a8bb6dd37be5 Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:425
    XML2_CONFIG = os.getenv('XML2_CONFIG', 'xml2-config')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #498106216d1fb15b Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:428
        XSLT_CONFIG = os.getenv('XSLT_CONFIG', 'xslt-config')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7460dabe16e73f01 Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:497
    env_val = os.getenv(name.upper().replace('-', '_'), 'false').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30481cb0529478ca Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:521
    env_val = os.getenv(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f97dc2dffc049ee Environment-variable access.
pkgs/python/[email protected]/setupinfo.py:531
staticbuild = bool(os.environ.get('STATICBUILD', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87fe09f070bc7862 Filesystem access.
pkgs/python/[email protected]/src/lxml/ElementInclude.py:97
    file = open(href, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d8a042bc21879bf Filesystem access.
pkgs/python/[email protected]/src/lxml/ElementInclude.py:120
            f = open(href, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27da5e36a0aea0ab Filesystem access.
pkgs/python/[email protected]/src/lxml/html/_diffcommand.py:52
        with open(options.output, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #375c266a74eba826 Filesystem access.
pkgs/python/[email protected]/src/lxml/html/_diffcommand.py:62
        with open(filename, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9375cefd571c5342 Filesystem access.
pkgs/python/[email protected]/src/lxml/html/html5parser.py:235
        fp = open(filename_url_or_file, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d46f871d70853f9 Filesystem access.
pkgs/python/[email protected]/src/lxml/html/soupparser.py:46
        file = open(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f8c5bcfeaf437eb3 Filesystem access.
pkgs/python/[email protected]/tools/xpathgrep.py:135
        with open(input, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b9c9e1a44a49e75 Filesystem access.
pkgs/python/[email protected]/update-error-constants.py:59
    with open(filename, 'r', encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c1748a379801329 Filesystem access.
pkgs/python/[email protected]/update-error-constants.py:67
    with open(filename, 'w', encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8c4f7fe389549e2 Filesystem access.
pkgs/python/[email protected]/versioninfo.py:12
        with open(os.path.join(get_base_dir(), 'src', 'lxml', '__init__.py')) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ffc181fa1302b12 Filesystem access.
pkgs/python/[email protected]/versioninfo.py:41
    with io.open(os.path.join(get_base_dir(), "CHANGES.txt"), 'r', encoding='utf8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daa75e23726a6500 Filesystem access.
pkgs/python/[email protected]/versioninfo.py:68
        with open(file_path, 'r') as version_h:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1989d89d32bab93 Filesystem access.
pkgs/python/[email protected]/versioninfo.py:72
    with open(file_path, 'w') as version_h:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mcpadapt

python dependency
expand_more 13 low-confidence finding(s)
low env_fs tooling reachable #0c7f506f8b1ee381 Environment-variable access.
pkgs/python/[email protected]/examples/crewai_pubmed.py:16
if not os.environ.get("OPENAI_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8abfcb533cd9ea34 Environment-variable access.
pkgs/python/[email protected]/examples/crewai_pubmed.py:25
        env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f407000e4e480f84 Environment-variable access.
pkgs/python/[email protected]/examples/google_genai.py:27
    api_key=os.getenv("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7bde718da8db52c6 Environment-variable access.
pkgs/python/[email protected]/examples/langchain_pubmed.py:20
if not os.environ.get("ANTHROPIC_API_KEY"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2ac12b5e287a25b2 Environment-variable access.
pkgs/python/[email protected]/examples/langchain_pubmed.py:34
            env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #842d0bbdafa86f5d Environment-variable access.
pkgs/python/[email protected]/examples/langchain_pubmed.py:75
            env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ea2ed013d9df616d Environment-variable access.
pkgs/python/[email protected]/examples/smolagents_pubmed.py:25
        env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9483f493981b47a6 Environment-variable access.
pkgs/python/[email protected]/examples/smolagents_structured_output.py:63
        model = InferenceClientModel(token=os.getenv("HF_TOKEN"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #112d1e52a6883fb2 Environment-variable access.
pkgs/python/[email protected]/examples/smolagents_structured_output.py:85
        model = InferenceClientModel(token=os.getenv("HF_TOKEN"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #bc2370106083a89c Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:21
    content = init_file.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1af94d8a1d7582b7 Filesystem access.
pkgs/python/[email protected]/scripts/bump_version.py:40
    init_file.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70ac700e8d53321a Environment-variable access.
pkgs/python/[email protected]/src/mcpadapt/google_genai_adapter.py:114
            env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #049c64f06cae152a Environment-variable access.
pkgs/python/[email protected]/src/mcpadapt/smolagents_adapter.py:265
            env={"UV_PYTHON": "3.12", **os.environ},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multion

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #90a33f33c4d51e67 Environment-variable access.
pkgs/python/[email protected]/src/multion/base_client.py:76
        api_key: typing.Optional[str] = os.getenv("MULTION_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #903e693d550e9c5b Environment-variable access.
pkgs/python/[email protected]/src/multion/base_client.py:375
        api_key: typing.Optional[str] = os.getenv("MULTION_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27233bf8ac0a30ef Environment-variable access.
pkgs/python/[email protected]/src/multion/client.py:51
        agentops_api_key: typing.Optional[str] = os.getenv("AGENTOPS_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64df19f7a5e4bf8b Environment-variable access.
pkgs/python/[email protected]/src/multion/client.py:64
                parent_key=os.getenv("AGENTOPS_PARENT_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #433ddaa96987df95 Environment-variable access.
pkgs/python/[email protected]/src/multion/client.py:130
        agentops_api_key: typing.Optional[str] = os.getenv("AGENTOPS_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ac6a14eea3a1269 Environment-variable access.
pkgs/python/[email protected]/src/multion/client.py:140
                parent_key=os.getenv("AGENTOPS_PARENT_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openpyxl

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #df1d4d21d74ed8de Filesystem access.
pkgs/python/[email protected]/openpyxl/worksheet/_writer.py:379
        with open(self.out, "rb") as src:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #924c11d688308aa5 Environment-variable access.
pkgs/python/[email protected]/openpyxl/xml/__init__.py:23
    return os.environ.get("OPENPYXL_LXML", "True") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #301b85c699d33412 Environment-variable access.
pkgs/python/[email protected]/openpyxl/xml/__init__.py:39
    return os.environ.get("OPENPYXL_DEFUSEDXML", "True") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dd80d27a950fefc Filesystem access.
pkgs/python/[email protected]/setup.py:24
    with open(os.path.join(here, 'README.rst')) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

oxylabs

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #4d1ee220680c6887 Filesystem access.
pkgs/python/[email protected]/setup.py:5
    with open(rel_path, "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

packaging

python dependency
expand_more 3 low-confidence finding(s)
low env_fs tooling reachable #4b56cea0306ec5b3 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:11
with open(os.path.join(_BASE_DIR, "src", "packaging", "__init__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41483721e1ead952 Filesystem access.
pkgs/python/[email protected]/src/packaging/_manylinux.py:34
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b82cc557cc164e9 Filesystem access.
pkgs/python/[email protected]/src/packaging/_musllinux.py:46
        with open(executable, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pandas

python dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #b847680b155886b4 Filesystem access.
pkgs/python/[email protected]/generate_pxi.py:8
    with open(pxifile, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cd31508c9a9a451 Filesystem access.
pkgs/python/[email protected]/generate_pxi.py:12
    with open(outfile, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da0cd3b4b18a4f1e Environment-variable access.
pkgs/python/[email protected]/generate_version.py:25
    if os.environ.get("MESON_DIST_ROOT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cfcf88611806bd0 Environment-variable access.
pkgs/python/[email protected]/generate_version.py:26
        path = os.path.join(os.environ.get("MESON_DIST_ROOT"), path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3085c7e578f82669 Filesystem access.
pkgs/python/[email protected]/generate_version.py:27
    with open(path, "w", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d785e131c9a441db Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:76
                    del os.environ["TZ"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e242dacb79cbd6a Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:80
                os.environ["TZ"] = tz

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56d8234b869c539e Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:85
    orig_tz = os.environ.get("TZ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #434358da5740d1f2 Filesystem access.
pkgs/python/[email protected]/pandas/_version.py:159
        with open(versionfile_abs, encoding="utf-8") as fobj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1c13e94535b212f Environment-variable access.
pkgs/python/[email protected]/pandas/_version.py:264
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94112a5fdbed011f Environment-variable access.
pkgs/python/[email protected]/pandas/compat/__init__.py:154
    return os.environ.get("PANDAS_CI", "0") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf72b42a5a6c5981 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:425
        if os.environ.get("PANDAS_COPY_ON_WRITE", "0") == "warn"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1ecca38114c7d38 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:426
        else os.environ.get("PANDAS_COPY_ON_WRITE", "1") == "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #212289c4950aa6a9 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:878
        False if os.environ.get("PANDAS_FUTURE_INFER_STRING", "1") == "0" else True,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4278c15b355bc621 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:895
        os.environ.get("PANDAS_FUTURE_DISTINGUISH_NAN_AND_NA", "0") == "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9521b6ce22c22f0b Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:906
        False if os.environ.get("PANDAS_FUTURE_PYTHON_SCALARS", "0") == "0" else True,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8be92cc3de5ad514 Filesystem access.
pkgs/python/[email protected]/pandas/core/series.py:1573
            with open(buf, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7e2fdeb9de72213 Environment-variable access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:74
HAS_DISPLAY = os.getenv("DISPLAY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #202640c33edab0d1 Filesystem access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:302
        with open("/dev/clipboard", "w", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ba28abb137957dc Filesystem access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:306
        with open("/dev/clipboard", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5edf0ce38198aa6b Environment-variable access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:569
        if os.environ.get("WAYLAND_DISPLAY") and _executable_exists("wl-copy"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5ca5e9eb942388b Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:930
            handle = open(
                handle,
                ioargs.mode,
                encoding=ioargs.encoding,
                errors=errors,
                newline="",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bc904d00cd37c30 Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:939
            handle = open(handle, ioargs.mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbc7819736172722 Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:1192
        handle = open(handle, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99dd1ff33ac8bf1e Filesystem access.
pkgs/python/[email protected]/pandas/io/formats/format.py:1076
        with open(buf, "w", encoding=encoding, newline="") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b75cd92043961dd Environment-variable access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:57
        "LC_ALL": os.environ.get("LC_ALL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a523c50c20ad967d Environment-variable access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:58
        "LANG": os.environ.get("LANG"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f38dfc94e5604b3 Filesystem access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:148
            with open(as_json, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pdfplumber

python dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #7a01616125f09054 Filesystem access.
pkgs/python/[email protected]/pdfplumber/pdf.py:98
            stream = open(path_or_fp, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a105cf3dbdb4ef0f Filesystem access.
pkgs/python/[email protected]/pdfplumber/repair.py:72
        with open(outfile, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d1b2d9c64d8d71a Filesystem access.
pkgs/python/[email protected]/setup.py:13
    return open(path, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

portalocker

python dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #34f0dd7879aa08d5 Filesystem access.
pkgs/python/[email protected]/portalocker/__main__.py:126
            (base_path / 'README.rst').read_text(encoding='ascii')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c70de30803fe78d Filesystem access.
pkgs/python/[email protected]/portalocker/__main__.py:131
            (base_path / 'LICENSE').read_text(encoding='ascii')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7856f86ab9aa2de1 Filesystem access.
pkgs/python/[email protected]/portalocker/utils.py:329
            open(  # noqa: SIM115
                self.filename,
                self.mode,
                **self.file_open_kwargs,
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9af5a32ce9f9cc1c Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_core_locking.py:16
    with open(tmpfile, 'a') as a, open(tmpfile, 'a') as b:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #817ef08b3746759e Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_core_locking.py:30
    with open(tmpfile, 'w') as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23320389072ae938 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_core_locking.py:33
    with open(tmpfile, 'r+') as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #767406029449dbe2 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_core_locking.py:48
    with open(tmpfile, 'w') as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a80477564c874ff3 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:13
    with open(tmpfile, 'w') as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3b6bcda80f8dc42 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:16
    with open(tmpfile) as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #927f6a9fdd1ddda1 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:22
            open(
                tmpfile,
                'r+',
            ) as fh2,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d00e480252ca25e2 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:33
            open(
                tmpfile,
                'w+',
            ) as fh2,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f2c19b64835b112 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:47
    with open(tmpfile, 'w') as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ee6ce27c21760d9 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:50
    with open(tmpfile) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac00cc3324f99e6 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:54
        with open(tmpfile) as fh2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5373158ec7dec104 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:61
            open(
                tmpfile,
                'w+',
            ) as fh2,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12c6726306479912 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_lock_flags.py:95
    with open(tmpfile, 'w') as fh, pytest.raises(RuntimeError):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8485176be4751a47 Filesystem access.
pkgs/python/[email protected]/portalocker_tests/test_mechanisms.py:18
    with open(tmpfile, 'a+') as a, open(tmpfile, 'a+') as b:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

psycopg2-binary

python dependency
expand_more 12 low-confidence finding(s)
low env_fs tooling reachable #8aa327457d9ed2d0 Filesystem access.
pkgs/python/[email protected]/doc/src/tools/make_sqlstate_docs.py:16
    with open(clsfile) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ec7c447c32297598 Filesystem access.
pkgs/python/[email protected]/scripts/make_errorcodes.py:40
    f = open(filename, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8e965fe2599ee6eb Filesystem access.
pkgs/python/[email protected]/scripts/make_errorcodes.py:49
    for line in open(filename):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3268855ed66538e5 Filesystem access.
pkgs/python/[email protected]/scripts/make_errors.py:34
    f = open(filename, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8b26f13682be53c8 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:47
    f1 = open(f'debug-{(opt.nruns - 1):02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4e1723b74ffb93c9 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:48
    f2 = open(f'debug-{opt.nruns:02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #33d513e7d7131dbb Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:56
        f1 = open(f'objs-{(opt.nruns - 1):02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2d01af5c02a142ca Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:57
        f2 = open(f'objs-{opt.nruns:02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #132f09a21e0658ef Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:88
        stream=open(f"debug-{i:02}.txt", "w"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a81b83ef23d0a14c Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:103
        pprint(co, stream=open(f"objs-{i:02}.txt", "w"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f16bb661f041012 Environment-variable access.
pkgs/python/[email protected]/setup.py:125
            path_directories = os.environ['PATH'].split(os.pathsep)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f91abc949fe089eb Filesystem access.
pkgs/python/[email protected]/setup.py:511
    f = open("README.rst")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pydantic

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #3fd177d223f1a5e7 Filesystem access.
pkgs/python/[email protected]/pydantic/deprecated/parse.py:71
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c58939186ff2b5e6 Environment-variable access.
pkgs/python/[email protected]/pydantic/json_schema.py:344
                if os.getenv('PYDANTIC_PRIVATE_ALLOW_UNHANDLED_SCHEMA_TYPES'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #254fdad0066a22b8 Filesystem access.
pkgs/python/[email protected]/pydantic/mypy.py:1411
    with open(config_file, 'rb') as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0e2e42df8458632 Environment-variable access.
pkgs/python/[email protected]/pydantic/plugin/_loader.py:27
    disabled_plugins = os.getenv('PYDANTIC_DISABLE_PLUGINS')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ceae59dd88f4d08e Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:173
            env_vars: Mapping[str, Optional[str]] = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2facddb84bc7e15e Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:175
            env_vars = {k.lower(): v for k, v in os.environ.items()}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f752b491bfab486 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:307
                    secret_value = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e92f164eaf7aebba Filesystem access.
pkgs/python/[email protected]/pydantic/v1/mypy.py:948
    with open(config_file, read_mode) as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd06b58f36a32ea7 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/parse.py:57
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pydantic-settings

python dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #98bcc14075087eea Environment-variable access.
pkgs/python/[email protected]/pydantic_settings/sources/providers/env.py:75
        return parse_env_vars(os.environ, self.case_sensitive, self.env_ignore_empty, self.env_parse_none_str)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa11f2c72b245193 Filesystem access.
pkgs/python/[email protected]/pydantic_settings/sources/providers/nested_secrets.py:203
        return {str(p.relative_to(path)): p.read_text().strip() for p in cls._iter_secret_files(path)}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ab5a8800c27d6c Filesystem access.
pkgs/python/[email protected]/pydantic_settings/sources/providers/secrets.py:122
                    return path.read_text().strip(), field_key, value_is_complex

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pygithub

python dependency
expand_more 36 low-confidence finding(s)
low env_fs dependency Excluded from app score #600646686c6765b1 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:302
        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf25347731652438 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:324
with open("github_objects.rst", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dcfa3a074d22b2c Filesystem access.
pkgs/python/[email protected]/doc/conf.py:335
    with open("github_objects/" + githubObjectClass + ".rst", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6c12794c785c053 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:345
    with open("../" + module.replace(".", "/") + ".py") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #237019b44b6b1fd9 Filesystem access.
pkgs/python/[email protected]/doc/conf.py:387
with open("apis.rst", "w") as apis:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f1fef8c776894dd Filesystem access.
pkgs/python/[email protected]/github/Requester.py:1016
        with open(path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1df35f155ac16816 Filesystem access.
pkgs/python/[email protected]/github/Requester.py:1140
            f = open(local_path, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #50799b8a6c033f98 Filesystem access.
pkgs/python/[email protected]/scripts/fix_headers.py:173
        with open(filename, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #60d61e56740d752b Filesystem access.
pkgs/python/[email protected]/scripts/fix_headers.py:178
            with open(filename, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #23d796aa99e868ba Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:1897
        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #af0f2cedefd2ec71 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:1963
        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #73b48836637f4c80 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2075
        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #23bc10c8797a6a25 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2094
                with open(filename, "w") as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c7c4b7092a919403 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2109
        with open(spec_file) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #3b94c1bcb7e79ec1 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2111
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #396c8f67be62bfcb Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2205
                with open(clazz.filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f61ce82759d33ace Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2216
                    with open(clazz.test_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a3d69cd8c1afedd8 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2241
        with open(spec_file, "wb") as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e6f976e72380b44d Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2369
            with open(spec_file) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #48c069119727eaca Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2394
                with open(index_filename) as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2d7ae8446d9d31a0 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2400
            with open(index_filename, "w") as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c3595e9549880691 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2407
        with open(spec_file) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #264d67079da8b1ac Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2409
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d54ccc7603636c0b Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2573
        with open(spec_file) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #7b6f378c487b2365 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2575
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ffb3bb7d11e35704 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2843
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4c59400f00e8687e Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:2998
                        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b3cc9bb87bf99eb3 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:3045
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #22a80cf059eb9c07 Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:3064
        with open(spec_file) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #fca0c8bf3887a85f Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:3066
        with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a0dcdefa4adcb46a Filesystem access.
pkgs/python/[email protected]/scripts/openapi.py:3074
        with open(clazz.filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2b34dd379e744c20 Filesystem access.
pkgs/python/[email protected]/scripts/prepare-for-update-assertions.py:109
    with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c40f9a04476d7a57 Filesystem access.
pkgs/python/[email protected]/scripts/prepare-for-update-assertions.py:125
            with open(filename, "w") as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #94c395629db33886 Filesystem access.
pkgs/python/[email protected]/scripts/sort_class.py:186
        with open(filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2ea3218b8070a1f9 Filesystem access.
pkgs/python/[email protected]/scripts/sort_class.py:203
                with open(filename, "w") as w:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #94d656bdd8d79a93 Filesystem access.
pkgs/python/[email protected]/scripts/sort_class.py:224
    with open(index_filename) as r:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pyjwt

python dependency
expand_more 4 low-confidence finding(s)
low env_fs tooling reachable #52e731685b63429d Filesystem access.
pkgs/python/[email protected]/docs/conf.py:11
    with open(os.path.join(here, *parts), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #38e4bab1c9b28bda Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:97
os.environ["SPHINX_BUILD"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fdfdb2ff49ecba4 Environment-variable access.
pkgs/python/[email protected]/jwt/algorithms.py:102
    if TYPE_CHECKING or bool(os.getenv("SPHINX_BUILD", "")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aeefe7db16f9f6ba Environment-variable access.
pkgs/python/[email protected]/jwt/api_jwt.py:25
if TYPE_CHECKING or bool(os.getenv("SPHINX_BUILD", "")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pymysql

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #52bf49969f9207fc Filesystem access.
pkgs/python/[email protected]/pymysql/connections.py:1460
            with open(self.filename, "rb") as open_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pypdf

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #a06c5ff6d26e6a9c Filesystem access.
pkgs/python/[email protected]/pypdf/_page.py:2033
            debug_path.joinpath("fonts.json").write_text(
                json.dumps(fonts, indent=2, default=asdict),
                "utf-8"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5a27873b61bb5f4 Filesystem access.
pkgs/python/[email protected]/pypdf/_reader.py:172
            with open(stream, "rb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10a62d2aff4b84f7 Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:285
        debug_path.joinpath("bt_groups.json").write_text(
            json.dumps(ty_groups, indent=2, default=str), "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92cdb41663477692 Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:351
        debug_path.joinpath("bts.json").write_text(
            json.dumps(bt_groups, indent=2, default=str), "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2030f2143f7fb6cc Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:354
        debug_path.joinpath("tjs.json").write_text(
            json.dumps(
                tj_ops, indent=2, default=lambda x: getattr(x, "to_dict", str)(x)
            ),
            "utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eb4d01c90438a42 Filesystem access.
pkgs/python/[email protected]/pypdf/_utils.py:391
    with open("pypdf_pdfLocation.txt", "wb") as output_fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee3fb426639061a6 Filesystem access.
pkgs/python/[email protected]/pypdf/_writer.py:245
                with open(fileobj, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b668ef17aada2c36 Environment-variable access.
pkgs/python/[email protected]/pypdf/filters.py:752
            environment = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #f7376ce8cefaf219 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/resources/afm_to_dataclass.py:24
        with urllib.request.urlopen(
            f"https://{FONT_LOC}"
        ) as connection, ZipFile(BytesIO(

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

python-docx

python dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #4d2c6e92a6eb7524 Filesystem access.
pkgs/python/[email protected]/src/docx/image/image.py:41
            with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f038ae4f310542a1 Filesystem access.
pkgs/python/[email protected]/src/docx/opc/phys_pkg.py:47
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc219b0c9bf33604 Filesystem access.
pkgs/python/[email protected]/src/docx/parts/comments.py:49
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83152fab49e83d17 Filesystem access.
pkgs/python/[email protected]/src/docx/parts/hdrftr.py:31
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6776c39ce2d14c8a Filesystem access.
pkgs/python/[email protected]/src/docx/parts/hdrftr.py:51
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57a0595f1085453a Filesystem access.
pkgs/python/[email protected]/src/docx/parts/settings.py:48
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a713d09eb35ce53 Filesystem access.
pkgs/python/[email protected]/src/docx/parts/styles.py:40
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

python-dotenv

python dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #170091369ffb6724 Filesystem access.
pkgs/python/[email protected]/src/dotenv/cli.py:76
        with open(path) as stream:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78223c74f9ae4aaa Environment-variable access.
pkgs/python/[email protected]/src/dotenv/cli.py:194
        if v is not None and (override or k not in os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45483cc48b20b51d Environment-variable access.
pkgs/python/[email protected]/src/dotenv/cli.py:225
    cmd_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7927513346c9b14a Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:26
    if "PYTHON_DOTENV_DISABLED" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccfbc377c6180cea Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:28
    value = os.environ["PYTHON_DOTENV_DISABLED"].casefold()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5b63ccf3d9f00c1 Filesystem access.
pkgs/python/[email protected]/src/dotenv/main.py:63
            with open(self.dotenv_path, encoding=self.encoding) as stream:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #544a3287dcfd0e10 Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:105
            if k in os.environ and not self.override:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9330c42dcdadabaa Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:108
                os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #711d47ded7d5d7e1 Filesystem access.
pkgs/python/[email protected]/src/dotenv/main.py:148
        source: IO[str] = open(path, encoding=encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce43f5ed0ba778d9 Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:302
                env.update(os.environ)  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #594eecb645742638 Environment-variable access.
pkgs/python/[email protected]/src/dotenv/main.py:306
                env.update(os.environ)  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

python-magic

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #756c0b7fc32b24bd Filesystem access.
pkgs/python/[email protected]/setup.py:11
    with io.open(os.path.join(os.path.dirname(__file__), file_name),
                 encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pytube

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #d77a26830722cd1f Filesystem access.
pkgs/python/[email protected]/pytube/captions.py:154
        with open(file_path, "w", encoding="utf-8") as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11aeeb0d398e7f4a Filesystem access.
pkgs/python/[email protected]/pytube/innertube.py:249
                with open(_token_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53313dce72966ca6 Filesystem access.
pkgs/python/[email protected]/pytube/innertube.py:268
        with open(_token_file, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e49fff756fa8146 Filesystem access.
pkgs/python/[email protected]/pytube/streams.py:312
        with open(file_path, "wb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc725ce7e331943a Filesystem access.
pkgs/python/[email protected]/setup.py:13
with open(os.path.join(here, "pytube", "version.py")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pyyaml

python dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #c52ab17624757f9b Environment-variable access.
pkgs/python/[email protected]/setup.py:72
os.environ['SETUPTOOLS_USE_DISTUTILS'] = 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f329876cdc23900 Environment-variable access.
pkgs/python/[email protected]/setup.py:81
if 'sdist' in sys.argv or os.environ.get('PYYAML_FORCE_CYTHON') == '1':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #249bd9bf89fe3e3c Environment-variable access.
pkgs/python/[email protected]/setup.py:160
            with_ext = getattr(self, ext.attr_name) or os.environ.get('PYYAML_FORCE_{0}'.format(ext.feature_name.upper()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

qdrant-client

python dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #27d925c2f35855dc Filesystem access.
pkgs/python/[email protected]/qdrant_client/embed/schema_parser.py:298
        with open(output_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #957940f8be362dfe Filesystem access.
pkgs/python/[email protected]/qdrant_client/embed/utils.py:76
    with open(path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #756f85a22c116730 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/async_qdrant_local.py:99
            with open(meta_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6e038a4bde87da7 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/async_qdrant_local.py:102
            with open(meta_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f0b343a4294ee56 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/async_qdrant_local.py:125
            with open(lock_file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1269c9ba7ee2574a Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/async_qdrant_local.py:127
        self._flock_file = open(lock_file_path, "r+")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f03cc9a707820515 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/async_qdrant_local.py:146
        with open(meta_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef77f403d2119f65 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/qdrant_local.py:102
            with open(meta_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2d7dacf62631df6 Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/qdrant_local.py:105
            with open(meta_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bcbb031e9688c3d Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/qdrant_local.py:136
            with open(lock_file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9431f206b445ddf Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/qdrant_local.py:138
        self._flock_file = open(lock_file_path, "r+")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88c3548c3e24a3eb Filesystem access.
pkgs/python/[email protected]/qdrant_client/local/qdrant_local.py:162
        with open(meta_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

regex

python dependency
expand_more 3 low-confidence finding(s)
low env_fs tooling reachable #5d20502c08b47c87 Filesystem access.
pkgs/python/[email protected]/tools/build_regex_unicode.py:680
    with open(path, 'w', encoding='ascii') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #072511a32976c3d8 Filesystem access.
pkgs/python/[email protected]/tools/build_regex_unicode.py:1454
    with open(c_path, 'w', newline='\n', encoding='ascii') as c_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #1687b242776caf63 Filesystem access.
pkgs/python/[email protected]/tools/build_regex_unicode.py:1577
    with open(h_path, 'w', newline='\n', encoding='ascii') as h_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

requests

python dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #d280f065e1ecca3e Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:857
                    os.environ.get("REQUESTS_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d13b222d0c7d3ea Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:858
                    or os.environ.get("CURL_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27f2383ac1117ea2 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:239
    netrc_file = os.environ.get("NETRC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edceadfa59187128 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:798
        old_value = os.environ.get(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #331b3c35a79963f7 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:799
        os.environ[env_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6051b16006333b8 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:805
                del os.environ[env_name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a35c8bc95c29823a Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:807
                os.environ[env_name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5fe5876b5597c02 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:820
        return os.environ.get(key) or os.environ.get(key.upper())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

scrapegraph-py

python dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #cc4dcecc9ffb528f Environment-variable access.
pkgs/python/[email protected]/src/scrapegraph_py/env.py:9
        return os.environ.get("SGAI_DEBUG") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d1e1bce4c109d9b Environment-variable access.
pkgs/python/[email protected]/src/scrapegraph_py/env.py:13
        val = os.environ.get("SGAI_TIMEOUT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cf2443bd9f70bc1 Environment-variable access.
pkgs/python/[email protected]/src/scrapegraph_py/env.py:18
        return os.environ.get("SGAI_API_URL") or "https://v2-api.scrapegraphai.com/api"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

selenium

python dependency
expand_more 29 low-confidence finding(s)
low env_fs dependency Excluded from app score #f1f59594b3cd67f6 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/__init__.py:23
if os.environ.get("SE_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fec3205f3fee6453 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/chromium/options.py:83
            with open(extension, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ae10b8822a7989 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/chromium/service.py:58
        if os.environ.get("SE_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe1fe70d2941baa5 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/common/api_request_context.py:568
                    with open(file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10759ed70c4299ba Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/common/api_request_context.py:601
                with open(file_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76bb8806a0198dae Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/common/bidi/cdp.py:48
    return int(os.environ.get("SE_CDP_MAX_WS_MESSAGE_SIZE", MAX_WS_MESSAGE_SIZE))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2da3a0bdd590558 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/common/selenium_manager.py:81
        if (env_path := os.getenv("SE_MANAGER_PATH")) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c47004b97f182659 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/common/service.py:64
            self.log_output = open(log_output, "a+", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14f7444fba2880bd Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/common/service.py:77
        self.env = env or os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #094c3ab521161cf8 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/common/service.py:261
            return os.getenv(self.DRIVER_PATH_ENV_KEY, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbf5faaa89ace00f Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:67
                with open(
                    os.path.join(os.path.dirname(__file__), WEBDRIVER_PREFERENCES), encoding="utf-8"
                ) as default_prefs:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c8486e304a856b1 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:91
        with open(user_prefs, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bf3ef9db87d1b3a Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:165
        with open(userjs, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b4fc83f348e45b1 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:196
                    with open(os.path.join(tmpdir, name), "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa2ae593473bb650 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:287
                    with open(manifest_json_filename, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7227069ea2703e07 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/firefox_profile.py:290
                with open(os.path.join(addon_path, "install.rdf"), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89dfe4dc0d8bdb8a Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/firefox/service.py:52
        if os.environ.get("SE_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a6cb4265070a6ff Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/webdriver.py:134
            with open(path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e93e24e90634f813 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/firefox/webdriver.py:171
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8b7bbbbcd2bf943 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/ie/service.py:61
        if os.environ.get("SE_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3f9554a422467c5 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/client_config.py:121
            (os.getenv("REQUESTS_CA_BUNDLE") if "REQUESTS_CA_BUNDLE" in os.environ else certifi.where())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5529c087615e20ed Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/client_config.py:137
            _no_proxy = os.environ.get("no_proxy", os.environ.get("NO_PROXY"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4a7b04a5aae2e8a Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/client_config.py:147
            return os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15d22093b2bc24d6 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/client_config.py:147
            return os.environ.get(
                "https_proxy" if self.remote_server_addr.startswith("https://") else "http_proxy",
                os.environ.get("HTTPS_PROXY" if self.remote_server_addr.startswith("https://") else "HTTP_PROXY"),
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b093357ff41ef91 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/client_config.py:149
                os.environ.get("HTTPS_PROXY" if self.remote_server_addr.startswith("https://") else "HTTP_PROXY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73647e1f62b74e25 Environment-variable access.
pkgs/python/[email protected]/selenium/webdriver/remote/remote_connection.py:156
    _ca_certs = os.getenv("REQUESTS_CA_BUNDLE") if "REQUESTS_CA_BUNDLE" in os.environ else certifi.where()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #019b35d53366d081 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/remote/webdriver.py:958
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6833123159165c87 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/remote/webdriver.py:1573
            with open(zip_file, "wb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #062f4bf9772025b6 Filesystem access.
pkgs/python/[email protected]/selenium/webdriver/remote/webelement.py:457
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

serpapi

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #166fe3b4f32ddeb3 Environment-variable access.
pkgs/python/[email protected]/serpapi/utils.py:5
    return os.getenv("SERP_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

snowflake-sqlalchemy

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #305e34894cde903b Filesystem access.
pkgs/python/[email protected]/snyk/update_requirements.py:7
    pyproject = tomlkit.loads(Path("pyproject.toml").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13de8b31e647cc5d Environment-variable access.
pkgs/python/[email protected]/src/snowflake/sqlalchemy/util.py:206
    value = os.environ.get(SNOWFLAKE_SQLALCHEMY_LEGACY_URL_PARAMS, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sqlalchemy

python dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #f4c407cb1d429e1a Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:42
            with open(
                Path(cachedir) / "sqla_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd8ae3120cb50929 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:56
            with open(
                Path(cachedir) / "plain_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd6fa976e7d8c194 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:106
            os.environ.pop("MYPY_FORCE_COLOR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f51f1ae19f827aa Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:146
        with open(path) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b515129e611df3a Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:398
    if os.environ.get("REQUIRE_SQLALCHEMY_CEXT", "0") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5badb52cdcc0e036 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:455
            with open(options.write_idents, "a") as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2abc8683a5f94e8 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/pytestplugin.py:880
        return os.environ.get("PYTEST_CURRENT_TEST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5a78cf1d80a7cb1 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:200
            profile_f = open(self.fname)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14e8038792e9ad03 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:219
        profile_f = open(self.fname, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ec5d32f3e6ff0c4 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/provision.py:453
    with open(idents_file) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f743619c589a011 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/util/_has_cy.py:27
    if os.environ.get("DISABLE_SQLALCHEMY_CEXT_RUNTIME"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69c0cc636f64adcb Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:134
            Path(destination_path).write_text(
                text, encoding="utf-8", newline="\n"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c1a9b776f6e1308 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:146
            with open(tempfile) as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78668711c6aaccdb Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:162
            with open(source_file, encoding="utf-8") as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de8e9a41fb5e92d8 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:169
        with open(destination_path, encoding="utf-8") as dp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #071926975c6b1a1b Environment-variable access.
pkgs/python/[email protected]/noxfile.py:95
    cmd.extend(os.environ.get(dburl_env, default_dburl).split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49ac0befabe70f40 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:106
    env_dbdrivers = os.environ.get(extra_driver_env, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57e9b3d992d9cd54 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:269
    cmd.extend(os.environ.get("TOX_WORKERS", "-n4").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8132ab6eaf5d080 Environment-variable access.
pkgs/python/[email protected]/setup.py:23
DISABLE_EXTENSION = bool(os.environ.get("DISABLE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8945ab624033d79 Environment-variable access.
pkgs/python/[email protected]/setup.py:24
REQUIRE_EXTENSION = bool(os.environ.get("REQUIRE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6e44e2c5ccad1d15 Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:155
    original = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #5c4e9acaa59dc772 Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:313
                file.write_text(updated, "utf-8", newline="\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #530f24ba86b6221f Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:145
    with open(fn.__code__.co_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #738625dd13deeaa4 Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:373
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d25437a370cb24d3 Filesystem access.
pkgs/python/[email protected]/tools/generate_sql_functions.py:38
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #440b1feef650b0f9 Filesystem access.
pkgs/python/[email protected]/tools/generate_tuple_map_overloads.py:53
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #cd71c90e16896e43 Filesystem access.
pkgs/python/[email protected]/tools/normalize_file_headers.py:27
    content = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #00c0afd6e2a380b9 Filesystem access.
pkgs/python/[email protected]/tools/sync_test_files.py:35
    source_data = Path(source).read_text().replace(remove_str, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

stagehand

python dependency
expand_more 58 low-confidence finding(s)
low env_fs tooling reachable #0b13d63c8debdb5c Environment-variable access.
pkgs/python/[email protected]/examples/act_example.py:49
        browserbase_api_key=os.environ.get("BROWSERBASE_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #880c09433a0a7352 Environment-variable access.
pkgs/python/[email protected]/examples/act_example.py:50
        model_api_key=os.environ.get("MODEL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #731bedf1a894c907 Environment-variable access.
pkgs/python/[email protected]/examples/agent_execute.py:46
    model_name = os.environ.get("STAGEHAND_MODEL", "anthropic/claude-sonnet-4-6")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #a82be3e82d5ed7a7 Environment-variable access.
pkgs/python/[email protected]/examples/byob_example.py:53
        browserbase_api_key=os.environ.get("BROWSERBASE_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4b7a502320df44e9 Environment-variable access.
pkgs/python/[email protected]/examples/byob_example.py:54
        model_api_key=os.environ.get("MODEL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4827c4f89d7cd7a5 Filesystem access.
pkgs/python/[email protected]/examples/env.py:28
    for line in env_path.read_text().splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ae93ceafe27a8266 Environment-variable access.
pkgs/python/[email protected]/examples/env.py:35
        os.environ[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #2c3c5a593fec5fb8 Environment-variable access.
pkgs/python/[email protected]/examples/env.py:37
    missing = [key for key in sorted(REQUIRED_KEYS) if not os.environ.get(key)]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #4bd89cbdcff391bb Environment-variable access.
pkgs/python/[email protected]/examples/env.py:48
        os.environ.setdefault("STAGEHAND_SEA_BINARY", str(sea_binary))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6d26fc418a8489b7 Environment-variable access.
pkgs/python/[email protected]/examples/full_example.py:51
        browserbase_api_key=os.environ.get("BROWSERBASE_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #6dbce30589be3bdf Environment-variable access.
pkgs/python/[email protected]/examples/full_example.py:52
        model_api_key=os.environ.get("MODEL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #8ede7fba935d83b8 Environment-variable access.
pkgs/python/[email protected]/examples/full_example.py:143
                        "api_key": os.environ.get("MODEL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0e71b0adc2b6742c Environment-variable access.
pkgs/python/[email protected]/examples/local_browser_playwright_example.py:79
    model_api_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e27ec51eba8c5345 Environment-variable access.
pkgs/python/[email protected]/examples/local_browser_playwright_example.py:83
    bb_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #736724f821ef8ae6 Environment-variable access.
pkgs/python/[email protected]/examples/local_example.py:48
    model_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eeba5003eb232ea4 Environment-variable access.
pkgs/python/[email protected]/examples/local_server_multiregion_browser_example.py:50
    model_api_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #16098b4e3137b327 Environment-variable access.
pkgs/python/[email protected]/examples/local_server_multiregion_browser_example.py:54
    bb_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #eb6dd964601375cc Environment-variable access.
pkgs/python/[email protected]/examples/logging_example.py:24
        browserbase_api_key=os.environ.get("BROWSERBASE_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #79e6ed769bc2e9fd Environment-variable access.
pkgs/python/[email protected]/examples/logging_example.py:25
        model_api_key=os.environ.get("MODEL_API_KEY"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #baab8d96b08f15fa Environment-variable access.
pkgs/python/[email protected]/examples/playwright_page_example.py:49
    model_api_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #be50d3d1f23d9f87 Environment-variable access.
pkgs/python/[email protected]/examples/playwright_page_example.py:53
    bb_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e5946854ee74deaf Environment-variable access.
pkgs/python/[email protected]/examples/pydoll_tab_example.py:118
    model_api_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #12e398e9edb7521b Environment-variable access.
pkgs/python/[email protected]/examples/pydoll_tab_example.py:122
    bb_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ce62fb075a91a2a4 Environment-variable access.
pkgs/python/[email protected]/examples/remote_browser_playwright_example.py:51
    model_api_key = os.environ.get("MODEL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #63d19a06bfca9a3e Environment-variable access.
pkgs/python/[email protected]/examples/remote_browser_playwright_example.py:55
    bb_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #96b6fb92545d0225 Filesystem access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:43
    for line in env_path.read_text().splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #273fef3b56b0de0f Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:48
        os.environ.setdefault(key, value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #707b0df543f95510 Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:52
    inline_json = os.environ.get("VERTEX_SERVICE_ACCOUNT_JSON")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d72a6d12695ae445 Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:56
        credentials_path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ae5a60b8dc789280 Filesystem access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:62
        credentials = json.loads(Path(credentials_path).expanduser().read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #0a984cf48dcac8b3 Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:78
    project = os.environ.get("VERTEX_PROJECT") or credentials.get("project_id")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #275b4ea0309c9cf6 Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:82
    location = os.environ.get("VERTEX_LOCATION", "us-central1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #9a47d375f04b3d90 Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:83
    model_name = os.environ.get("VERTEX_MODEL", "vertex/gemini-2.5-flash")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f9f95b62952ba35f Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:104
    browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #416de759a2d1e5fe Environment-variable access.
pkgs/python/[email protected]/examples/vertex_auth_example.py:125
    bootstrap_model = os.environ.get("STAGEHAND_BOOTSTRAP_MODEL", "openai/gpt-4.1-mini")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c9f0970da6ca288 Environment-variable access.
pkgs/python/[email protected]/hatch_build.py:45
        wheel_tag = os.environ.get("STAGEHAND_WHEEL_TAG", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f6ec121758302ed Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_client.py:141
            browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c0b34ecfa2b9a72 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_client.py:165
        custom_headers_env = os.environ.get("STAGEHAND_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #513a93d6375aa18d Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_client.py:432
            browserbase_api_key = os.environ.get("BROWSERBASE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95ac4d77aea3a2b Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_client.py:456
        custom_headers_env = os.environ.get("STAGEHAND_CUSTOM_HEADERS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a13f1d2cfa4afa90 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_binary.py:32
        root = Path(os.environ.get("LOCALAPPDATA", str(Path.home() / "AppData" / "Local")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba417859868cee59 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_binary.py:34
        root = Path(os.environ.get("XDG_CACHE_HOME", str(Path.home() / ".cache")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b5e2e5cbe08be16 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_binary.py:73
    data = src.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9c917bb269d7b9e Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_binary.py:91
    env = os.environ.get("STAGEHAND_SEA_BINARY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09a91f2f9c731425 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_binary.py:104
            version = os.environ.get("STAGEHAND_VERSION") or __version__

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf1c683f98b00640 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_server.py:149
        proc_env = dict(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c52b89639077692 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_custom/sea_server.py:332
        base_url = os.environ.get("STAGEHAND_API_URL") or os.environ.get("STAGEHAND_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20a1288a5209875b Filesystem access.
pkgs/python/[email protected]/src/stagehand/_files.py:69
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7a81833c34f8ff9 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_files.py:81
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b3b86df26ec0a27 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_files.py:111
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f81c0928615057d2 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_files.py:123
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a3f25957ace75d7 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_models.py:120
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9251781534205e02 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_response.py:495
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1367cee29d5db20c Filesystem access.
pkgs/python/[email protected]/src/stagehand/_response.py:537
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #941e2125c9f19654 Environment-variable access.
pkgs/python/[email protected]/src/stagehand/_utils/_logs.py:17
    env = os.environ.get("STAGEHAND_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63e92a2d797194cb Filesystem access.
pkgs/python/[email protected]/src/stagehand/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd6074933fb04c1c Filesystem access.
pkgs/python/[email protected]/src/stagehand/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #685d5eb4ffd133a0 Filesystem access.
pkgs/python/[email protected]/src/stagehand/_utils/_utils.py:379
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

textual

python dependency
expand_more 27 low-confidence finding(s)
low env_fs tooling reachable #47a13bff424556a0 Filesystem access.
pkgs/python/[email protected]/docs/examples/guide/content/renderables.py:27
        with open(__file__) as self_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ee5b78339a8f9996 Filesystem access.
pkgs/python/[email protected]/docs/examples/widgets/text_area_custom_language.py:9
java_highlight_query = (Path(__file__).parent / "java_highlights.scm").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4dbd08e84c2e75c Filesystem access.
pkgs/python/[email protected]/src/textual/__init__.py:93
            with open(constants.LOG_FILE, "a", encoding="utf-8") as log_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0eae692969449823 Filesystem access.
pkgs/python/[email protected]/src/textual/_doc.py:108
            with open(path, "rb") as source_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0fb0070ceb49a14 Filesystem access.
pkgs/python/[email protected]/src/textual/_doc.py:120
            return screenshot_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7caae0d3ef2d194 Filesystem access.
pkgs/python/[email protected]/src/textual/_doc.py:152
        screenshot_path.write_text(svg)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fd1822c5211cc91 Environment-variable access.
pkgs/python/[email protected]/src/textual/_xterm_parser.py:50
    os.environ.get("LC_TERMINAL", "") == "iTerm2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db6005a125a02483 Environment-variable access.
pkgs/python/[email protected]/src/textual/_xterm_parser.py:51
    or os.environ.get("TERM_PROGRAM", "") == "iTerm.app"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #272955b7e5576065 Filesystem access.
pkgs/python/[email protected]/src/textual/_xterm_parser.py:71
        self._debug_log_file = open("keys.log", "at") if debug else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d899390e2bdb751c Environment-variable access.
pkgs/python/[email protected]/src/textual/app.py:596
        self.features: frozenset[FeatureFlag] = parse_features(os.getenv("TEXTUAL", ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bf167066f34fd5c Environment-variable access.
pkgs/python/[email protected]/src/textual/app.py:613
        environ = dict(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c13b347f537a78d6 Filesystem access.
pkgs/python/[email protected]/src/textual/app.py:1914
        with open(svg_path, "w", encoding="utf-8") as svg_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9008b554942b6e3 Environment-variable access.
pkgs/python/[email protected]/src/textual/constants.py:14
get_environ = os.environ.get

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d31448ba752d56f3 Environment-variable access.
pkgs/python/[email protected]/src/textual/constants.py:46
        value = int(os.environ[name])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e7cabd7608a748f Environment-variable access.
pkgs/python/[email protected]/src/textual/constants.py:73
        value = int(os.environ[name])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c693b522623e201d Filesystem access.
pkgs/python/[email protected]/src/textual/css/stylesheet.py:300
            with open(filename, "rt", encoding="utf-8") as css_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #dded7bb302dc36e0 Filesystem access.
pkgs/python/[email protected]/src/textual/demo/_project_stargazer_updater.py:42
    with open(
        os.path.join(os.path.dirname(__file__), "_project_stars.py"), "w"
    ) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #b221410fbe028fb9 Filesystem access.
pkgs/python/[email protected]/src/textual/demo/page.py:71
            with open(source_file, "rt", encoding="utf-8") as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #427fed222ea8389e Filesystem access.
pkgs/python/[email protected]/src/textual/driver.py:244
                with open(
                    save_path, mode, encoding=encoding or "utf-8"
                ) as destination_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8925f087a578460 Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/linux_driver.py:322
        if os.environ.get("TERM_PROGRAM", "") != "Apple_Terminal":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1449faf17132140c Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/linux_driver.py:338
        ISIG = 0 if os.environ.get("TEXTUAL_ALLOW_SIGNALS") else termios.ISIG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2c3ed3251d361a0 Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/linux_inline_driver.py:251
        if os.environ.get("TERM_PROGRAM", "") != "Apple_Terminal":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b62bebc3c5f5cb1e Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/linux_inline_driver.py:267
        ISIG = 0 if os.environ.get("TEXTUAL_ALLOW_SIGNALS") else termios.ISIG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94c171fe7d67b962 Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/web_driver.py:54
                width = int(os.environ.get("COLUMNS", 80))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bf599529415eb92 Environment-variable access.
pkgs/python/[email protected]/src/textual/drivers/web_driver.py:55
                height = int(os.environ.get("ROWS", 24))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e06959cd5c525ae Environment-variable access.
pkgs/python/[email protected]/src/textual/geometry.py:1483
if not TYPE_CHECKING and os.environ.get("TEXTUAL_SPEEDUPS", "1") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46bd08254b9ce9d7 Filesystem access.
pkgs/python/[email protected]/src/textual/widgets/_text_area.py:789
            highlight_query = highlight_query_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tiktoken

python dependency
expand_more 13 low-confidence finding(s)
low env_fs tooling reachable #1a4c5c07e73b1c1b Environment-variable access.
pkgs/python/[email protected]/scripts/benchmark.py:16
    num_threads = int(os.environ["RAYON_NUM_THREADS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #60eccf5cd68f9a74 Filesystem access.
pkgs/python/[email protected]/scripts/redact.py:11
    text = path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #c671b7533d2b6cb6 Filesystem access.
pkgs/python/[email protected]/scripts/redact.py:35
            path.write_text(redacted_text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #f31fc2594e3efb32 Filesystem access.
pkgs/python/[email protected]/scripts/wheel_download.py:35
        with open(temp_zip, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3c60879616009d4 Filesystem access.
pkgs/python/[email protected]/tiktoken/_educational.py:212
    with open(__file__) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85cbe255363fa88a Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:10
        with open(blobpath, "rb", buffering=0) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b04a7b459d070929 Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:27
    return blobfile.read_bytes(blobpath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #680a0f793b3a385b Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:37
    if "TIKTOKEN_CACHE_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b6fb3bbd5b625fc Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:38
        cache_dir = os.environ["TIKTOKEN_CACHE_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ef760adb28f3407 Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:39
    elif "DATA_GYM_CACHE_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e166cd3903449365 Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:40
        cache_dir = os.environ["DATA_GYM_CACHE_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b6cde9480b7b382 Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:55
        with open(cache_path, "rb", buffering=0) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16148795d57733ac Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:78
        with open(tmp_filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tinytag

python dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #412169cbb01f5b88 Filesystem access.
pkgs/python/[email protected]/tinytag/__main__.py:104
                    with open(actual_image_path, 'wb') as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #131265df848800f9 Environment-variable access.
pkgs/python/[email protected]/tinytag/tinytag.py:52
_DEBUG = bool(environ.get('TINYTAG_DEBUG'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #545162f0e4ca26e4 Filesystem access.
pkgs/python/[email protected]/tinytag/tinytag.py:129
                file_obj = open(filename, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tokenizers

python dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #fdef86c0fba6d37c Environment-variable access.
pkgs/python/[email protected]/bindings/python/benches/test_tiktoken.py:29
    os.environ["RAYON_NUM_THREADS"] = str(num_threads)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #db1a69ba9e745879 Filesystem access.
pkgs/python/[email protected]/bindings/python/examples/example.py:29
    with open(args.file, "r") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #33adb4e920d14480 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/convert.py:52
    m.ParseFromString(open(filename, "rb").read())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #87f4730ebef940cb Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/convert.py:342
    with open(filename, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #780bc14b27281b42 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/sentencepiece_extractor.py:61
        with open(self._model, "r") as model_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #160adb2b30f34485 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/sentencepiece_extractor.py:134
        with open(args.vocab_output_path, "w") as vocab_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #d490553ff1442236 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/sentencepiece_extractor.py:135
            with open(args.merges_output_path, "w") as merges_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #ee8deb794df18823 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/spm_parity_check.py:99
    with open(args.input_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #e9b8645a807d0652 Filesystem access.
pkgs/python/[email protected]/bindings/python/scripts/spm_parity_check.py:226
    with open(args.input_file, "r", encoding="utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec0d8256e6288db Filesystem access.
pkgs/python/[email protected]/py_src/tokenizers/implementations/sentencepiece_unigram.py:160
        m.ParseFromString(open(filename, "rb").read())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #443c0546a0a65aa3 Filesystem access.
pkgs/python/[email protected]/py_src/tokenizers/tools/visualizer.py:12
with open(css_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tomlkit

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #a9d2666ccf90be2a Filesystem access.
pkgs/python/[email protected]/tomlkit/toml_file.py:31
        with open(self._path, encoding="utf-8", newline="") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #908f1b03936f84b0 Filesystem access.
pkgs/python/[email protected]/tomlkit/toml_file.py:58
        with open(self._path, "w", encoding="utf-8", newline="") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

unstructured

python dependency
expand_more 79 low-confidence finding(s)
low env_fs dependency Excluded from app score #163c010578b25a63 Environment-variable access.
pkgs/python/[email protected]/unstructured/embed/mixedbreadai.py:35
        default_factory=lambda: SecretStr(os.environ.get("MXBAI_API_KEY")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68c325272bf4edca Environment-variable access.
pkgs/python/[email protected]/unstructured/embed/vertexai.py:28
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = application_credentials_path

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5454b1edd64235fc Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:67
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82bc9e5d4b7559a1 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:83
                    with open(filename, encoding=enc) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d10f228056c0cf0b Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:127
            with open(filename, encoding=formatted_encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99091a52494a4d3d Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/file_conversion.py:72
            with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #663f2763ccce83cb Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:528
            with open(self.file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0dac40fc787c9c1 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:592
            with open(file_path, encoding=self.encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aad96674c0429f34 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:596
            with open(file_path, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e852f765c7c4af84 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:615
            with open(file_path, encoding=self.encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ac357f06cb48d62 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:621
            with open(file_path, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf74bb8bcee325c4 Environment-variable access.
pkgs/python/[email protected]/unstructured/metrics/evaluate.py:163
        max_processors = int(os.environ.get("MAX_PROCESSES", os.cpu_count()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93aa931a8b4e4e35 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/evaluate.py:847
            with open(gt_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf1320dfc9922574 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/object_detection.py:101
        with open(prediction_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b049eeb68de247b Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/object_detection.py:103
        with open(ground_truth_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a845239ad325c6c Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/table/table_eval.py:216
        with open(prediction_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3844ace9024a4a91 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/table/table_eval.py:218
        with open(ground_truth_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bede09a9aee19ae Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/utils.py:243
        with open(path, errors="ignore") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf040f00f869584e Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/english_words.py:12
with open(ENGLISH_WORDS_FILE) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28a2983be95d69a5 Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/tokenize.py:43
            with open(dest, "wb") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e07d02aacc1f0e7b Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/tokenize.py:64
        with open(whl_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #412ad654e696e75c Filesystem access.
pkgs/python/[email protected]/unstructured/partition/api.py:100
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9250a520a100268 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/api.py:290
            files = [stack.enter_context(open(f, "rb")) for f in filenames]  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca17b6ddd8fc8a95 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/common/common.py:389
        with open(file.name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5361e3735889d21 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/csv.py:173
            with open(self._file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7e80c716dc13719 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/doc.py:69
            with open(source_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b5a69df4ac95593 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/email.py:228
            with open(self._file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96ea3b04ce340693 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/json.py:58
        with open(filename, encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #167ead6902845cb8 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/model_init.py:11
    supported_model = os.environ.get("UNSTRUCTURED_HI_RES_SUPPORTED_MODEL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbd6bffcd2a55953 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/model_init.py:16
    get_model(os.environ.get("UNSTRUCTURED_HI_RES_MODEL_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6603d87fc4385ae Filesystem access.
pkgs/python/[email protected]/unstructured/partition/msg.py:260
            with open(detached_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c37bf9ade6c0a624 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/ndjson.py:59
        with open(filename, encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97570c5a5541a990 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/odt.py:95
        with open(source_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85040e1bd8884f1e Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/odt.py:117
        allow_no_sandbox = os.environ.get("ALLOW_PANDOC_NO_SANDBOX", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #648d42820dd8638a Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/pdf.py:122
    return os.environ.get("UNSTRUCTURED_HI_RES_MODEL_NAME", DEFAULT_MODEL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8e13b973412cd11 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/analysis/layout_dump.py:202
            with open(analysis_save_dir / f"{dumper.layout_source}.json", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eee85ad8c1980b9 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/analysis/tools.py:159
        with open(analysis_dump_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0db972bf9e164648 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/ocr.py:83
        with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b685dc6af668e6a Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdf_image_utils.py:160
                with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a71bc5809caa0b3 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_processing.py:873
    memory_cap_in_gb = float(os.getenv("UNST_MATMUL_MEMORY_CAP_IN_GB", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #566a20d70af8373b Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_utils.py:522
                    page = next(PDFPage.get_pages(open(tmp_file_path, "rb")))  # noqa: SIM115

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebf46c55f18b4794 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_utils.py:532
            pages = PDFPage.get_pages(open(tmp_file_path, "rb"))  # noqa: SIM115

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26d251eccaa56fe0 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/ppt.py:50
            with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dccaa341d2232365 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:54
    _language_checks = os.environ.get("UNSTRUCTURED_LANGUAGE_CHECKS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be0d0fa383dd8c07 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:72
        os.environ.get("UNSTRUCTURED_NARRATIVE_TEXT_CAP_THRESHOLD", cap_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6eee44ae0b5a40ce Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:79
        os.environ.get("UNSTRUCTURED_NARRATIVE_TEXT_NON_ALPHA_THRESHOLD", non_alpha_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87e01e467191ffa5 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:117
    _language_checks = os.environ.get("UNSTRUCTURED_LANGUAGE_CHECKS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba251ad657cc762f Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:129
        os.environ.get("UNSTRUCTURED_TITLE_MAX_WORD_LENGTH", title_max_word_length),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19360053012c4e46 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:137
        os.environ.get("UNSTRUCTURED_TITLE_NON_ALPHA_THRESHOLD", non_alpha_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee24069b0a66e6e3 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/config.py:36
        return os.environ.get(var, default_value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3fdafae4654e36e Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/config.py:157
        if "WHISPER_FP16" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa91fece0b531e6e Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:37
OCR_AGENT_MODULES_WHITELIST = os.getenv(
    "OCR_AGENT_MODULES_WHITELIST",
    "unstructured.partition.utils.ocr_models.tesseract_ocr,"
    "unstructured.partition.utils.ocr_models.paddle_ocr,"
    "unstructured.partition.utils.ocr_models.google_vision_ocr",
).split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #543facc8dce7a1fa Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:48
STT_AGENT_MODULES_WHITELIST = os.getenv(
    "STT_AGENT_MODULES_WHITELIST",
    "unstructured.partition.utils.speech_to_text.whisper_stt",
).split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2130cbcf5a0d3bdf Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:53
UNSTRUCTURED_INCLUDE_DEBUG_METADATA = os.getenv("UNSTRUCTURED_INCLUDE_DEBUG_METADATA", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5978bab6ec622cb9 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/ocr_models/tesseract_ocr.py:32
if "OMP_THREAD_LIMIT" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a14fa148cf94d20f Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/ocr_models/tesseract_ocr.py:33
    os.environ["OMP_THREAD_LIMIT"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bac117d81ea72c0a Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:125
        os.environ.get("UNSTRUCTURED_XY_CUT_BBOX_SHRINK_FACTOR", shrink_factor),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c921e4d321bf6d15 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:128
    xy_cut_primary_direction = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55a2e7c22aa14849 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:128
    xy_cut_primary_direction = os.environ.get(
        "UNSTRUCTURED_XY_CUT_PRIMARY_DIRECTION",
        xy_cut_primary_direction,
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #841663d2ec218c47 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:245
            os.environ.get("UNSTRUCTURED_XY_CUT_BBOX_SHRINK_FACTOR", shrink_factor),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5151e109882e1ed5 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:248
        xy_cut_primary_direction = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6be30d93d48b82c3 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:248
        xy_cut_primary_direction = os.environ.get(
            "UNSTRUCTURED_XY_CUT_PRIMARY_DIRECTION",
            xy_cut_primary_direction,
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d745d5877c17128c Filesystem access.
pkgs/python/[email protected]/unstructured/partition/xlsx.py:210
            with open(self._file_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #020e77f18c5ecca6 Environment-variable access.
pkgs/python/[email protected]/unstructured/safe_http.py:68
    return os.environ.get(_ENV_VAR, "").strip().lower() in _TRUTHY_ENV_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e99c48e4c299b61 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:230
        with open(filename, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb21a6915ae8cca2 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:347
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44316ce0986c1f17 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:423
            with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #174f5e3331647b58 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:452
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaf7d8b8d18b3270 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:475
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f863e0eca2163d7 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:544
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f5d833e34ff409c Filesystem access.
pkgs/python/[email protected]/unstructured/staging/label_box.py:85
        with open(output_filepath, "w+") as output_text_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #811b2f6bf614dc3a Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:71
    with open(filename, "w+") as output_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f086dd0723e3a902 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:76
    with open(filename) as input_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #358dccbe861c7828 Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:168
    return bool((os.getenv("DO_NOT_TRACK") or "").strip()) or bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7c3ef4fe5daecf7 Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:169
        (os.getenv("SCARF_NO_ANALYTICS") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eaabd100553d20b7 Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:175
    return (os.getenv("UNSTRUCTURED_TELEMETRY_ENABLED") or "").strip().lower() in (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #5aae7dc89b2c6347 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/unstructured/utils.py:199
        requests.get(
            "https://packages.unstructured.io/python-telemetry",
            params={
                "version": __version__,
                "platform": platform.system(),
                "python": python_version,
                "arch": platform.machine(),
                "gpu": str(gpu_present),
                "dev": str("dev" in __version__).lower(),
            },
            timeout=10,
        )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #79e88c51f5a19231 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:696
            with open(self.file_path) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f6216d6150f1418 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:702
            with open(self.file_path, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

voyageai

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #4b0445a448c51c13 Filesystem access.
pkgs/python/[email protected]/voyageai/_base.py:33
        with open(config_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6bbaf803cd75c77 Environment-variable access.
pkgs/python/[email protected]/voyageai/util.py:12
VOYAGE_LOG = os.environ.get("VOYAGE_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c87134e7ed881e37 Environment-variable access.
pkgs/python/[email protected]/voyageai/util.py:78
    api_key_path = voyageai.api_key_path or os.environ.get("VOYAGE_API_KEY_PATH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dee1995c7a6041a3 Environment-variable access.
pkgs/python/[email protected]/voyageai/util.py:79
    api_key = voyageai.api_key or os.environ.get("VOYAGE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6c452c8af6213ac Filesystem access.
pkgs/python/[email protected]/voyageai/util.py:83
        with open(api_key_path, "rt") as k:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba4b3e53c84c6c4b Filesystem access.
pkgs/python/[email protected]/voyageai/video_utils.py:76
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #739bd0f8eb217bd7 Filesystem access.
pkgs/python/[email protected]/voyageai/video_utils.py:164
        with open(path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f12f5a3fd535dfd9 Filesystem access.
pkgs/python/[email protected]/voyageai/video_utils.py:176
        with open(video, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c216084db6fd43d Filesystem access.
pkgs/python/[email protected]/voyageai/video_utils.py:603
        with open(out_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

weaviate-client

python dependency
expand_more 32 low-confidence finding(s)
low env_fs dependency Excluded from app score #fa46dd12ee54ab6d Environment-variable access.
pkgs/python/[email protected]/integration/conftest.py:358
        api_key = os.environ.get("OPENAI_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cab4312175e1cd9 Environment-variable access.
pkgs/python/[email protected]/integration/conftest.py:405
        api_key = os.environ.get("OPENAI_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc115f253c84de06 Environment-variable access.
pkgs/python/[email protected]/integration/test_auth.py:47
    client_secret = os.environ.get(env_variable_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4f39d499eef104c Environment-variable access.
pkgs/python/[email protected]/integration/test_auth.py:101
    pw = os.environ.get(env_variable_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #804be60fc7be7916 Environment-variable access.
pkgs/python/[email protected]/integration/test_auth.py:188
    pw = os.environ.get(env_variable_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8480970c41dbd146 Environment-variable access.
pkgs/python/[email protected]/integration/test_auth.py:207
    pw = os.environ.get("OKTA_DUMMY_CI_PW")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5b5a0e747fab086 Environment-variable access.
pkgs/python/[email protected]/integration/test_client.py:700
    with mock.patch.dict(os.environ, {"PYPI_PACKAGE_URL": "http://does-not-exist"}):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #756abd93e4551cad Environment-variable access.
pkgs/python/[email protected]/integration/test_client.py:707
    with mock.patch.dict(os.environ, {"PYPI_PACKAGE_URL": "http://does-not-exist"}):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aac6f2373b18bd5f Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_openai.py:584
    api_key = os.environ.get("COHERE_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76ad5d9bb42dbe2f Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_openai.py:750
    api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #959356901392af76 Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_openai.py:794
    api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0326f98a822325c3 Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_openai.py:837
    contextual_api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #415616a5a7d1db40 Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_rerank.py:31
    api_key = os.environ.get("COHERE_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e26829e1efa9e8ad Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_rerank.py:85
    api_key = os.environ.get("COHERE_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5926798c3c79cce1 Environment-variable access.
pkgs/python/[email protected]/integration/test_collection_rerank.py:145
    api_key = os.environ.get("CONTEXTUAL_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #187a19dd686cc9a4 Environment-variable access.
pkgs/python/[email protected]/integration/test_vectors.py:866
    api_key = os.environ.get("JINAAI_APIKEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f77f93d2463e6ec0 Filesystem access.
pkgs/python/[email protected]/profiling/test_shutdown.py:48
    with open("uuids.json", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3204ce18baf695e Filesystem access.
pkgs/python/[email protected]/profiling/test_sphere.py:33
        with open(sphere_file) as jsonl_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97b7a936187ea093 Filesystem access.
pkgs/python/[email protected]/profiling/test_sphere.py:82
        with open(sphere_file) as jsonl_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #68b7e557951ba231 Filesystem access.
pkgs/python/[email protected]/tools/stubs.py:177
            with open(file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a97ac1347642e06 Environment-variable access.
pkgs/python/[email protected]/weaviate/__init__.py:50
os.environ["GRPC_VERBOSITY"] = "ERROR"  # https://github.com/danielmiessler/fabric/discussions/754

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ea0db41e977be14 Environment-variable access.
pkgs/python/[email protected]/weaviate/collections/batch/base.py:61
    os.getenv("WEAVIATE_BATCH_MAX_RETRIES", "9.299")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff8d10642bc7f262 Environment-variable access.
pkgs/python/[email protected]/weaviate/connect/base.py:202
    http_proxy = (os.environ.get("HTTP_PROXY"), os.environ.get("http_proxy"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c97c0ab22f5379f7 Environment-variable access.
pkgs/python/[email protected]/weaviate/connect/base.py:203
    https_proxy = (os.environ.get("HTTPS_PROXY"), os.environ.get("https_proxy"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef9dfd53751b7930 Environment-variable access.
pkgs/python/[email protected]/weaviate/connect/base.py:204
    grpc_proxy = (os.environ.get("GRPC_PROXY"), os.environ.get("grpc_proxy"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f376488198af3765 Environment-variable access.
pkgs/python/[email protected]/weaviate/embedded.py:38
    persistence_data_path: str = os.environ.get("XDG_DATA_HOME", DEFAULT_PERSISTENCE_DATA_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33daed4dde43359e Environment-variable access.
pkgs/python/[email protected]/weaviate/embedded.py:39
    binary_path: str = os.environ.get("XDG_CACHE_HOME", DEFAULT_BINARY_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #dcf93f555b0ccf2c Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/weaviate/embedded.py:91
            response = httpx.get("https://api.github.com/repos/weaviate/weaviate/releases/latest")

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #962658ef92356ada Environment-variable access.
pkgs/python/[email protected]/weaviate/embedded.py:205
        my_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21b83a4e95b4c9ee Environment-variable access.
pkgs/python/[email protected]/weaviate/logger.py:5
logger.setLevel(os.getenv("WEAVIATE_LOG_LEVEL", "INFO"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1f3b48debad9e22 Filesystem access.
pkgs/python/[email protected]/weaviate/util.py:83
        with open(image_or_image_path, "br") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b97817a6197fd6d Filesystem access.
pkgs/python/[email protected]/weaviate/util.py:126
            file = open(file_or_file_path, "br")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • instructor prod — sdist exceeds byte cap
  • lancedb prod — no sdist (wheels only)
  • docling prod — no python source in sdist
  • qdrant-edge-py prod — no sdist (wheels only)
  • pymupdf prod — sdist exceeds byte cap
  • spider-client prod — no sdist (wheels only)
  • playwright prod — no sdist (wheels only)
  • Pillow prod — sdist exceeds byte cap