security_surface
Scan a Python repository to detect high-risk functions like subprocess or eval and potential hardcoded secrets using pure AST analysis, without LLM calls.
Instructions
Walk a Python repo and find functions that call dangerous primitives — pure AST analysis, zero LLM calls. Classifies calls as HIGH risk (subprocess/os.system/eval/exec/pickle/import/ctypes …) or MEDIUM risk (sockets/requests/httpx/urllib/paramiko/smtplib and write-mode open()). Also scans for potential secrets: hardcoded keys/tokens (AKIA…, sk-…, ghp_…, token=/password=/api_key= assignments), .env/environment loading, and high-entropy token-looking literals. Returns high_risk, medium_risk, secrets, clean files and a summary. Max depth 3; skips pycache, .git, venv, node_modules.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| repo_path | Yes | Repo path (relative to --root or absolute). |