Hey team,
A user recently scanned this repo using Qodo's AntiSlop Scanner. The analysis reviewed 10 recent PRs and found 46 issues, all confirmed to still exist on main.
Here's one example:
Remote auto_run enable via OpenAI-compatible endpoint
Severity: action_required | Category: security
The OpenAI-compatible endpoint accepts `{AUTO_RUN_ON}` and directly sets `async_interpreter.auto_run = True`, which suppresses confirmation gating and can enable automatic code execution. Because authentication is effectively disabled when `INTERPRETER_REQUIRE_AUTH` is not set, any client can toggle `auto_run` remotely.
How to validate: Start the server without `INTERPRETER_REQUIRE_AUTH`, then send a chat completion request containing `{AUTO_RUN_ON}` in the message content. Verify that `auto_run` is set to True and subsequent code blocks execute without confirmation.
Agent prompt to fix:
In the OpenAI-compatible chat completion handler, remove the ability to toggle auto_run via message content. If remote auto_run control is needed, gate it behind authenticated admin endpoints rather than parsing it from user message strings.
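As an added illustration (not code from the Open Interpreter project or from the scan report), the pattern the finding describes is shown beside the hardened shape the fix prompt asks for: the chat path treats message content purely as data, and `auto_run` can only be changed through a separate authenticated admin operation. The `Interpreter` stand-in, `set_auto_run`, and the admin token are assumptions, not project APIs.

```python
import hmac
from dataclasses import dataclass

AUTO_RUN_ON = "{AUTO_RUN_ON}"  # control token named in the finding


@dataclass
class Interpreter:
    """Stand-in (assumption) for the real async_interpreter object."""
    auto_run: bool = False


class Unauthorized(Exception):
    pass


def vulnerable_chat_handler(interp, messages):
    """'Before' side of the fix, as the finding describes it: a token inside
    user-supplied message content flips auto_run, so any unauthenticated
    client can switch off the confirmation gate."""
    texts = []
    for m in messages:
        content = m.get("content", "")
        if isinstance(content, str) and AUTO_RUN_ON in content:
            interp.auto_run = True  # interpreter state driven by message text
            content = content.replace(AUTO_RUN_ON, "")
        texts.append(content)
    return texts


def hardened_chat_handler(interp, messages):
    """Never read control tokens out of message content and never mutate
    interpreter settings from the chat path. Multimodal (list-of-parts)
    content is flattened to its text parts instead of being assumed a str."""
    texts = []
    for m in messages:
        content = m.get("content", "")
        if isinstance(content, list):
            content = " ".join(p.get("text", "") for p in content if isinstance(p, dict))
        texts.append(str(content))
    return texts


def set_auto_run(interp, enabled, presented_token, admin_token):
    """Separate, authenticated admin operation (assumed design). Fails closed
    when no admin token is configured and compares in constant time."""
    if not admin_token or not hmac.compare_digest(presented_token or "", admin_token):
        raise Unauthorized("admin token required to change auto_run")
    interp.auto_run = bool(enabled)
    return interp.auto_run
```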
Other confirmed issues
| # | Title | Category | PR |
|---|-------|----------|----|
| 1 | Version name collision breaks `--os` mode startup | correctness | #1637 |
| 2 | Kernel interrupted after stdin, kills long-running code | correctness | #1455 |
| 3 | Headless flag unusable via property access | correctness | #1482 |
| 4 | Non-string `.lower()` crash on multimodal requests | correctness | #1477 |
| 5 | Blocking `time.sleep()` in async handler stalls all requests | reliability | #1465 |
| 6 | Missing OpenAI key prompt for provider-prefixed model names | reliability | #1418 |
| 7 | Overbroad multiline trigger traps users in input loop | correctness | #1048 |
38 additional findings (including suspected issues) are available in the full report.
Enjoy!
P.S. Qodo offers free tooling for open-source maintainers: https://www.qodo.ai/solutions/open-source/
cc @KillianLucas