Close Open Privacy Scan

bolt Snapshot: commit 2e254ac
science engine v1.21
schedule 2026-07-17T13:12:12.402929+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code.

smart_toy MCP server detected: @ai-sdk/anthropic, @ai-sdk/openai, @modelcontextprotocol/sdk, ai — detected in dependencies, not a safety judgment.

App Privacy Score

100 /100
Low privacy risk

Low risk · 36 finding(s)

Dependency score: 82 (Low risk)

bar_chart Score Breakdown

No category deductions recorded.

list Scan Summary

0 high 0 medium 36 low
First-party packages: 0
Dependency packages: 1
Ecosystem: python

swap_horiz External domains

aistudio.google.comapi-inference.huggingface.coapi.anthropic.comapi.bitbucket.orgapi.cerebras.aiapi.cohere.comapi.deepseek.comapi.fireworks.aiapi.github.comapi.groq.comapi.hyperbolic.xyzapi.keygen.shapi.mistral.aiapi.moonshot.aiapi.netlify.comapi.openai.comapi.perplexity.aiapi.supabase.comapi.together.xyzapi.vercel.comapi.x.aiapi.z.aiapp.hyperbolic.xyzapp.netlify.comapp.supabase.comcdn.jsdelivr.netcdn.simpleicons.orgcircumicons.comcloud.cerebras.aiconsole.anthropic.comconsole.aws.amazon.comconsole.groq.comconsole.mistral.aicreativecommons.orgdashboard.cohere.comdate-fns.orgdeveloper.mozilla.orgdocs.python.orgdocs.x.aierikflowers.github.iofeathericons.comfireworks.aifontawesome.comfonts.google.comfonts.googleapis.comfonts.gstatic.comgame-icons.netgenerativelanguage.googleapis.comgithub.comgitlab.comgoogle.github.iohuggingface.coicons.radix-ui.comicons8.comionicons.comjson-schema.orglmstudio.ailocalai.iolucide.devmcp.deepwiki.commodelcontextprotocol.iomodels.github.aiocticons.github.comollama.comopen.bigmodel.cnopenrouter.aiopensource.orgplatform.deepseek.complatform.moonshot.aiplatform.openai.compypi.orgraw.githubusercontent.comreact-dnd.github.ioreact.devreactjs.orgs-ings.comscripts.sil.orgsimpleicons.orgsquidfunk.github.iostackblitz-labs.github.iostackblitz.comstuk.github.iosupabase.comsupport.bolt.newt.lythesabbir.github.iounpkg.comupload.wikimedia.orgvercel.comvorillaz.github.iowww.apache.orgwww.perplexity.aiwww.w3.orgyour-gitlab-instance.com

</> Dependencies

mkdocs-material

python dependency
expand_more 36 low-confidence finding(s)
low env_fs dependency Excluded from app score #02d55ac9d072ce06 Filesystem access.
pkgs/python/[email protected]/material/extensions/emoji.py:67
    with open(file, encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f8aed79f71a9792 Filesystem access.
pkgs/python/[email protected]/material/plugins/blog/plugin.py:494
        with open(file, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cffa4329e470effc Filesystem access.
pkgs/python/[email protected]/material/plugins/blog/plugin.py:1034
        with open(path, "w", encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bd8428a254a7ce8 Filesystem access.
pkgs/python/[email protected]/material/plugins/blog/structure/__init__.py:61
        with open(file.abs_src_path, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #fa8ae349722e6084 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/material/plugins/info/plugin.py:84
        res = requests.get(url, allow_redirects = False)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #6b4e138442b0fc92 Environment-variable access.
pkgs/python/[email protected]/material/plugins/info/plugin.py:309
                        "env:$PYTHONPATH": os.getenv("PYTHONPATH", ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8512f369f983218 Environment-variable access.
pkgs/python/[email protected]/material/plugins/info/plugin.py:310
                        "env:$VIRTUAL_ENV": os.getenv("VIRTUAL_ENV", ""),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f5dce87ab2a776 Filesystem access.
pkgs/python/[email protected]/material/plugins/info/plugin.py:331
        with open(f"{example}.zip", "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fab087c895c1f67d Filesystem access.
pkgs/python/[email protected]/material/plugins/info/plugin.py:490
    with open(abs_src_path, encoding ="utf-8-sig") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #614a8bbfc6a48f9a Filesystem access.
pkgs/python/[email protected]/material/plugins/info/plugin.py:532
    with open(project_config_file, encoding="utf-8-sig") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f797a5dab76703a Filesystem access.
pkgs/python/[email protected]/material/plugins/meta/plugin.py:60
            with open(file.abs_src_path, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84697a1b852ea3ea Filesystem access.
pkgs/python/[email protected]/material/plugins/offline/plugin.py:63
        with open(file, encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b09dcacf297441f Filesystem access.
pkgs/python/[email protected]/material/plugins/offline/plugin.py:68
        with open(file, "w", encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75f5ed3b59b58e06 Filesystem access.
pkgs/python/[email protected]/material/plugins/optimize/plugin.py:101
                with open(self.manifest_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5cc2339dcfbaa2d Filesystem access.
pkgs/python/[email protected]/material/plugins/optimize/plugin.py:155
            with open(self.manifest_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1277a161bfa01ae9 Filesystem access.
pkgs/python/[email protected]/material/plugins/optimize/plugin.py:209
            with open(self.manifest_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58ba9d3049c89a2c Filesystem access.
pkgs/python/[email protected]/material/plugins/optimize/plugin.py:255
        with open(file.abs_src_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3d30b060341e66f Filesystem access.
pkgs/python/[email protected]/material/plugins/privacy/plugin.py:336
        with open(initiator.abs_src_path, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #a3f9773b2c15f94e Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/material/plugins/privacy/plugin.py:492
                res = requests.get(
                    file.url,
                    headers = {
                        # Set user agent explicitly, so Google Fonts gives us
                        # *.woff2 files, which according to caniuse.com is the
                        # only format we need to download as it covers the range
                        # range of browsers we're officially supporting.
                        "User-Agent": " ".join(
                            [
                                "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                                "AppleWebKit/537.36 (KHTML, like Gecko)",
                                "Chrome/98.0.4758.102 Safari/537.36",
                            ]
                        )
                    },
                    timeout=DEFAULT_TIMEOUT_IN_SECS,
                )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #21b1ac35bd330d27 Filesystem access.
pkgs/python/[email protected]/material/plugins/privacy/plugin.py:570
        with open(initiator.abs_src_path, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3f8588037847c19 Filesystem access.
pkgs/python/[email protected]/material/plugins/privacy/plugin.py:659
        with open(path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #899f31c8da93560f Filesystem access.
pkgs/python/[email protected]/material/plugins/projects/plugin.py:105
                with open(self.manifest_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #beb4b9e290b7d1dd Filesystem access.
pkgs/python/[email protected]/material/plugins/projects/plugin.py:126
            with open(self.manifest_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d62876ed2678a66 Filesystem access.
pkgs/python/[email protected]/material/plugins/projects/structure/__init__.py:152
        with open(file, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a00679a989f31bc3 Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:141
                with open(self.manifest_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5d9cf6c0d5f827e Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:281
            with open(self.manifest_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ca1ffdd09ffaa11 Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:307
            with open(self.manifest_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5ee918bc23f84e3 Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:490
            with open(background.image, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f33a3787e5cb15cf Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:756
            with open(path, encoding = "utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5df0fddce611d2bb Filesystem access.
pkgs/python/[email protected]/material/plugins/social/plugin.py:819
            with open(path, encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #01acab60ddb394e9 Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/material/plugins/social/plugin.py:886
        res = requests.get(url)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #fc65d55da4a47d3e Outbound request to a variable or assembled URL on a network client. Review what data is sent to this destination.
pkgs/python/[email protected]/material/plugins/social/plugin.py:899
            with requests.get(match) as res:

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #db549639b732ab17 Filesystem access.
pkgs/python/[email protected]/material/plugins/tags/structure/mapping/storage/__init__.py:76
        with open(path, "w", encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6483fa7349dea8d9 Filesystem access.
pkgs/python/[email protected]/material/plugins/tags/structure/mapping/storage/__init__.py:90
        with open(path, "r", encoding = "utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7547a973930db75e Environment-variable access.
pkgs/python/[email protected]/material/templates/__init__.py:37
if is_mkdocs() and not os.getenv("NO_MKDOCS_2_WARNING"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0b87ff076f4e6b9 Environment-variable access.
pkgs/python/[email protected]/material/templates/__init__.py:59
os.environ["NO_MKDOCS_2_WARNING"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @codemirror/autocomplete prod — dist-only: no readable source
  • @codemirror/commands prod — dist-only: no readable source
  • @codemirror/lang-markdown prod — dist-only: no readable source
  • @codemirror/language prod — dist-only: no readable source
  • @codemirror/search prod — dist-only: no readable source
  • @codemirror/view prod — dist-only: no readable source
  • @codemirror/state prod — dist-only: no readable source
  • @headlessui/react prod — dist-only: no readable source
  • @radix-ui/react-tabs prod — dist-only: no readable source
  • @radix-ui/react-tooltip prod — dist-only: no readable source
  • @remix-run/cloudflare prod — dist-only: no readable source
  • @remix-run/cloudflare-pages prod — dist-only: no readable source
  • @remix-run/react prod — dist-only: no readable source
  • @unocss/reset prod — no javascript source
  • ai prod — dist-only: no readable source
  • class-variance-authority prod — dist-only: no readable source
  • framer-motion prod — dist-only: no readable source
  • jose prod — dist-only: no readable source
  • ollama-ai-provider prod — dist-only: no readable source
  • react-chartjs-2 prod — dist-only: no readable source
  • react-hotkeys-hook prod — dist-only: no readable source
  • react-resizable-panels prod — dist-only: no readable source
  • react-window prod — dist-only: no readable source
  • shiki prod — dist-only: no readable source
  • use-debounce prod — dist-only: no readable source