Scan path: C:\Users\gilad\Projects\warden\gallery\repos\metagpt
Scanned: 2026-04-10 23:11 UTC
Warden: v1.6.0 · Scoring model v4.3 · 17 dimensions (weighted) · 235 pts
🔒 Privacy guarantee
All data collected locally — nothing left this machine.
API keys: partial hashes only.
Log content: never stored.
📊 Scanned 913 files (890 Python · 23 JS/TS) in metagpt across 9 scan layers
11
/ 100
27 / 235 raw
UNGOVERNED
Core Governance (11 / 100)
D1 Tool Inventory
6 / 25
MEDIUM Cloud AI endpoint URL hardcoded in source — hinders environment portability
MEDIUM Cloud AI endpoint URL hardcoded in source — hinders environment portability
MEDIUM Cloud AI endpoint URL hardcoded in source — hinders environment portability
MEDIUM Cloud AI endpoint URL hardcoded in source — hinders environment portability
D2 Risk Detection
0 / 20
CRITICAL Tool function without input validation
CRITICAL Tool function without input validation
CRITICAL Tool function without input validation
CRITICAL Tool function without input validation
D3 Policy Coverage
1 / 20
MEDIUM No concurrency block — parallel deployments possible
MEDIUM continue-on-error: true — pipeline failures silently suppressed
MEDIUM No concurrency block — parallel deployments possible
MEDIUM No concurrency block — parallel deployments possible
MEDIUM No concurrency block — parallel deployments possible
+ 2 more findings
D4 Credential Management
1 / 20
MEDIUM Exposed Generic Secret: api..._KEY
MEDIUM Exposed Generic Secret: api..._KEY
MEDIUM Exposed Generic Secret: api..._KEY
MEDIUM Exposed Generic Secret: api..._KEY
MEDIUM Exposed Generic Secret: api..._KEY
+ 48 more findings
D5 Log Hygiene
1 / 10
MEDIUM print() used instead of structured logging
MEDIUM print() used instead of structured logging
MEDIUM print() used instead of structured logging
MEDIUM print() used instead of structured logging
MEDIUM print() used instead of structured logging
+ 95 more findings
D6 Framework Coverage
2 / 5
MEDIUM LlamaIndex used without callback_manager — no query observability
MEDIUM LlamaIndex used without callback_manager — no query observability
MEDIUM LlamaIndex used without callback_manager — no query observability
MEDIUM LlamaIndex used without callback_manager — no query observability
MEDIUM LlamaIndex used without callback_manager — no query observability
+ 34 more findings
Advanced Controls (3 / 50)
D7 Human-in-the-Loop
2 / 15
D8 Agent Identity
0 / 15
HIGH Agent class 'CreateAgent' has no permission model
MEDIUM Agent class 'CreateAgent' has no defined lifecycle states
MEDIUM Agent class 'Assistant' has no defined lifecycle states
MEDIUM Agent class 'InvoiceOCRAssistant' has no defined lifecycle states
MEDIUM Agent class 'TutorialAssistant' has no defined lifecycle states
D9 Threat Detection
1 / 20
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
HIGH Empty exception handler — errors silently swallowed
+ 17 more findings
Ecosystem (9 / 55)
D10 Prompt Security
0 / 15
HIGH Azure AI used without ContentSafetyClient — no content moderation
MEDIUM AWS Bedrock invoke_model without contentPolicy — no content filtering configured
HIGH GCP GenerativeModel without safety_settings — no harm category filtering
HIGH Azure AI used without ContentSafetyClient — no content moderation
HIGH Azure AI used without ContentSafetyClient — no content moderation
+ 3 more findings
D11 Cloud / Platform
1 / 10
HIGH AWS Bedrock invoke_model without guardrailIdentifier — no guardrail enforcement
D12 LLM Observability
2 / 10
MEDIUM Hardcoded model name: 'set `model: "gpt-4-vision-preview"` in `config2.yaml` first' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-3.5-turbo' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
MEDIUM Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
MEDIUM Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
+ 186 more findings
D13 Data Recovery
2 / 10
D14 Compliance Maturity
4 / 10
LOW No environment: block — no required reviewers for deployments
MEDIUM Push trigger without branch protection guard
MEDIUM Push trigger without branch protection guard
LOW No environment: block — no required reviewers for deployments
LOW No environment: block — no required reviewers for deployments
+ 1 more findings
Unique Capabilities (4 / 30)
D15 Post-Exec Verification
3 / 10
D16 Data Flow Governance
0 / 10
D17 Adversarial Resilience
1 / 10
CRITICAL No content injection defense — hidden HTML/CSS/zero-width instructions pass to agents undetected. (86% attack success ra
CRITICAL No RAG poisoning protection — knowledge base documents not scanned for embedded instructions. (<0.1% contamination = >80
HIGH No behavioral trap detection — post-execution behavioral changes not monitored. (10/10 M365 Copilot attacks succeeded)
HIGH No approval integrity verification -- agent summaries for approval not cross-checked against actual actions. (Approval f
MEDIUM No adversarial testing evidence — no red team, no prompt injection tests
+ 2 more findings
Score reflects only what Warden can observe locally. Undetected controls are scored as 0, not assumed good. Dimensions are weighted by governance impact. Methodology: SCORING.md
Total Findings
447
11 CRITICAL · 77 HIGH
Tools Detected
0
None detected
Credentials
43
In source code
Governance Gaps
4
of 17 dimensions
Compliance Refs
13
EU AI Act / OWASP / MITRE
🛡 Governance Layer Detection0 tools detected · 17 dimensions
D2: Risk Detection — none detected
Risk classification, semantic analysis, intent-parameter consistency
0 / 20 pts
D8: Agent Identity — none detected
Agent registry, identity tokens, delegation chains, lifecycle states
0 / 15 pts
D10: Prompt Security — none detected
Prompt injection detection, jailbreak prevention, content filtering
0 / 15 pts
D16: Data Flow Governance — none detected
Taint labels, data classification, cross-tool leakage prevention
0 / 10 pts
📊 Solutions Comparison2 rows · 17 dimensions · 235 max pts
Tool D1D2D3D4D5D6D7D8D9D10D11D12D13D14D15D16D17 /235 /100
Max pts252020201051515201510101010101010235
SharkRouter231818189514141814999999921491
Your Scan601112201012243012711
SharkRouter per-dimension scores are proportional estimates from total score. Detected tool scores are totals only (per-dimension breakdown not available). Methodology: SCORING.md
🔎 Findings447 total
CRITICAL 11
CRITICAL D2
Tool function without input validation
...s\warden\gallery\repos\metagpt\examples\di\custom_tool.py:14
Add input validation (pydantic, jsonschema, or manual checks)
OWASP LLM01
CRITICAL D2
Tool function without input validation
...n\gallery\repos\metagpt\metagpt\tools\libs\email_login.py:27
Add input validation (pydantic, jsonschema, or manual checks)
OWASP LLM01
CRITICAL D2
Tool function without input validation
...ts\warden\gallery\repos\metagpt\metagpt\tools\libs\git.py:96
Add input validation (pydantic, jsonschema, or manual checks)
OWASP LLM01
Show 8 more CRITICAL findings
CRITICAL D2
Tool function without input validation
...\gallery\repos\metagpt\metagpt\tools\libs\web_scraping.py:11
Add input validation (pydantic, jsonschema, or manual checks)
OWASP LLM01
CRITICAL D5
No audit logging for tool calls detected
Add audit logging for all tool/agent executions
EU AI Act Article 12
CRITICAL D4
Secret value in docker-compose environment
...n\gallery\repos\metagpt\.devcontainer\docker-compose.yaml:14
Use .env file or Docker secrets, not inline values
CRITICAL D4
Secret value in docker-compose environment
...n\gallery\repos\metagpt\.devcontainer\docker-compose.yaml:22
Use .env file or Docker secrets, not inline values
CRITICAL D4
Possible typosquat: 'scikit_learn' is 1 edit from 'scikit-learn'
...ad\Projects\warden\gallery\repos\metagpt\requirements.txt:1
Verify this is the intended package, not a typosquat of 'scikit-learn'
MITRE AML.T0010
CRITICAL D4
API key appears alongside cloud AI provider URL — credential in source code
...y\repos\metagpt\tests\metagpt\provider\mock_llm_config.py:62
Remove API keys from source; use secrets manager, env vars, or managed identity
EU AI Act Article 15OWASP LLM06
CRITICAL D17
No content injection defense — hidden HTML/CSS/zero-width instructions pass to agents undetected. (86% attack success rate)
Deploy trap defense layer on tool results
EU AI Act Article 15OWASP LLM01MITRE AML.T0051
CRITICAL D17
No RAG poisoning protection — knowledge base documents not scanned for embedded instructions. (<0.1% contamination = >80% attack success)
Deploy trap defense layer on tool results
EU AI Act Article 15OWASP LLM01MITRE AML.T0049
HIGH 77
HIGH D9
Empty exception handler — errors silently swallowed
...ry\repos\metagpt\examples\di\InfiAgent-DABench\DABench.py:240
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:49
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:54
Log the exception or handle it explicitly
Show 74 more HIGH findings
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:73
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:82
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:92
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...gallery\repos\metagpt\metagpt\ext\aflow\benchmark\math.py:98
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...llery\repos\metagpt\metagpt\ext\cr\actions\code_review.py:126
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...t\metagpt\ext\stanford_town\actions\agent_chat_sum_rel.py:17
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...tagpt\metagpt\ext\stanford_town\actions\decide_to_talk.py:17
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...pt\metagpt\ext\stanford_town\actions\gen_iter_chat_utt.py:19
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...\metagpt\ext\stanford_town\actions\new_decomp_schedule.py:31
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...tagpt\metagpt\ext\stanford_town\actions\summarize_conv.py:17
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...rden\gallery\repos\metagpt\metagpt\tools\tool_registry.py:57
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...s\warden\gallery\repos\metagpt\metagpt\utils\a11y_tree.py:240
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:153
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:178
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:189
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...den\gallery\repos\metagpt\metagpt\utils\custom_decoder.py:160
Log the exception or handle it explicitly
HIGH D9
Empty exception handler — errors silently swallowed
...\gallery\repos\metagpt\metagpt\utils\human_interaction.py:70
Log the exception or handle it explicitly
HIGH D5
Potential PII/sensitive data logged via f-string
...arden\gallery\repos\metagpt\examples\dalle_gpt4v_agent.py:48
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...arden\gallery\repos\metagpt\examples\dalle_gpt4v_agent.py:49
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ects\warden\gallery\repos\metagpt\examples\hello_world.py:18
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ples\di\InfiAgent-DABench\run_InfiAgent-DABench_single.py:18
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\examples\exp_pool\decorator.py:21
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\gallery\repos\metagpt\examples\exp_pool\init_exp_pool.py:52
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...warden\gallery\repos\metagpt\examples\exp_pool\manager.py:23
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\actions\action_node.py:440
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...den\gallery\repos\metagpt\metagpt\actions\skill_action.py:55
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\actions\talk_action.py:49
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\actions\talk_action.py:64
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...allery\repos\metagpt\metagpt\actions\write_code_review.py:205
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...warden\gallery\repos\metagpt\metagpt\actions\write_prd.py:160
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...warden\gallery\repos\metagpt\metagpt\actions\write_prd.py:167
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...warden\gallery\repos\metagpt\metagpt\actions\write_prd.py:170
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...den\gallery\repos\metagpt\metagpt\environment\base_env.py:184
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...llery\repos\metagpt\metagpt\ext\aflow\scripts\operator.py:209
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\metagpt\ext\aflow\scripts\optimizer_utils\graph_utils.py:51
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ery\repos\metagpt\metagpt\ext\spo\components\optimizer.py:55
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ery\repos\metagpt\metagpt\ext\spo\components\optimizer.py:71
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ery\repos\metagpt\metagpt\ext\spo\components\optimizer.py:98
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ery\repos\metagpt\metagpt\ext\spo\components\optimizer.py:136
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...llery\repos\metagpt\metagpt\ext\spo\utils\prompt_utils.py:21
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\metagpt\ext\stanford_town\actions\gen_hourly_schedule.py:105
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...os\metagpt\metagpt\ext\stanford_town\actions\st_action.py:108
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ery\repos\metagpt\metagpt\ext\werewolf\roles\moderator.py:243
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\memory\brain_memory.py:195
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\memory\brain_memory.py:245
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...rden\gallery\repos\metagpt\metagpt\memory\brain_memory.py:317
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...en\gallery\repos\metagpt\metagpt\memory\memory_storage.py:59
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...s\warden\gallery\repos\metagpt\metagpt\roles\assistant.py:69
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...ojects\warden\gallery\repos\metagpt\metagpt\roles\role.py:369
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...arden\gallery\repos\metagpt\metagpt\utils\cost_manager.py:57
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...arden\gallery\repos\metagpt\metagpt\utils\cost_manager.py:108
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...arden\gallery\repos\metagpt\metagpt\utils\cost_manager.py:146
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\gallery\repos\metagpt\metagpt\utils\human_interaction.py:19
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\gallery\repos\metagpt\metagpt\utils\human_interaction.py:80
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n\gallery\repos\metagpt\metagpt\utils\repo_to_markdown.py:87
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...d\Projects\warden\gallery\repos\metagpt\tests\conftest.py:75
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...n\gallery\repos\metagpt\tests\metagpt\test_environment.py:34
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...\metagpt\tests\metagpt\actions\test_generate_questions.py:26
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D5
Potential PII/sensitive data logged via f-string
...s\metagpt\tests\metagpt\actions\test_prepare_interview.py:18
Redact sensitive fields before logging
EU AI Act Article 15OWASP LLM06
HIGH D4
Container runs as root — no USER directive in Dockerfile
...rs\gilad\Projects\warden\gallery\repos\metagpt\Dockerfile:1
Add USER directive to run as non-root user
OWASP LLM09
HIGH D8
Agent class 'CreateAgent' has no permission model
...ts\warden\gallery\repos\metagpt\examples\agent_creator.py:19
Add role/permission checks before tool dispatch
HIGH D4
Secret used without OIDC — long-lived credential in workflow
...allery\repos\metagpt\.github\workflows\build-package.yaml:32
Use OIDC (id-token: write) for cloud auth instead of static secrets
OWASP LLM09
HIGH D4
Secret used without OIDC — long-lived credential in workflow
...den\gallery\repos\metagpt\.github\workflows\fulltest.yaml:41
Use OIDC (id-token: write) for cloud auth instead of static secrets
OWASP LLM09
HIGH D4
Secret used without OIDC — long-lived credential in workflow
...warden\gallery\repos\metagpt\.github\workflows\stale.yaml:22
Use OIDC (id-token: write) for cloud auth instead of static secrets
OWASP LLM09
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...allery\repos\metagpt\metagpt\provider\azure_openai_api.py:9
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D11
AWS Bedrock invoke_model without guardrailIdentifier — no guardrail enforcement
...den\gallery\repos\metagpt\metagpt\provider\bedrock_api.py:73
Add guardrailIdentifier and guardrailVersion parameters to invoke_model calls
EU AI Act Article 9OWASP LLM02
HIGH D10
GCP GenerativeModel without safety_settings — no harm category filtering
...llery\repos\metagpt\metagpt\provider\google_gemini_api.py:27
Add safety_settings with HarmCategory and HarmBlockThreshold to GenerativeModel
EU AI Act Article 15OWASP LLM02
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...warden\gallery\repos\metagpt\metagpt\provider\__init__.py:13
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...\gallery\repos\metagpt\metagpt\rag\factories\embedding.py:7
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...ry\repos\metagpt\tests\metagpt\provider\test_azure_llm.py:5
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...pos\metagpt\tests\metagpt\rag\factories\test_embedding.py:27
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D10
Azure AI used without ContentSafetyClient — no content moderation
...jects\warden\gallery\repos\metagpt\tests\mock\mock_llm.py:8
Add Azure ContentSafetyClient to analyse prompts/responses for harmful content
EU AI Act Article 15OWASP LLM02
HIGH D17
No behavioral trap detection — post-execution behavioral changes not monitored. (10/10 M365 Copilot attacks succeeded)
Deploy trap defense layer on tool results
EU AI Act Article 14OWASP LLM07MITRE AML.T0051
HIGH D17
No approval integrity verification -- agent summaries for approval not cross-checked against actual actions. (Approval fatigue exploitation)
Deploy trap defense layer on tool results
EU AI Act Article 14OWASP LLM07MITRE AML.T0048
MEDIUM 356
MEDIUM D5
print() used instead of structured logging
...sers\gilad\Projects\warden\gallery\repos\metagpt\setup.py:18
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'set `model: "gpt-4-vision-preview"` in `config2.yaml` first' — no routing/fallback
...arden\gallery\repos\metagpt\examples\dalle_gpt4v_agent.py:5
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo' — no routing/fallback
...ts\warden\gallery\repos\metagpt\examples\debate_simple.py:17
Use model routing or configuration instead of hardcoded names
Show 353 more MEDIUM findings
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
...ts\warden\gallery\repos\metagpt\examples\debate_simple.py:19
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...rojects\warden\gallery\repos\metagpt\examples\research.py:12
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...rden\gallery\repos\metagpt\examples\search_enhanced_qa.py:23
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...n\gallery\repos\metagpt\examples\stream_output_via_api.py:26
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\examples\write_novel.py:57
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...s\warden\gallery\repos\metagpt\examples\aflow\optimize.py:84
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...s\warden\gallery\repos\metagpt\examples\aflow\optimize.py:90
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'RAG pipeline. Note: 1. If `use_llm_ranker` is True, then it will use LLM Reranker to get better result, but it is not always guaranteed that the output will be parseable for reranking, prefer `gpt-4-turbo`, otherwise might encounter `IndexError: list index out of range` or `ValueError: invalid literal for int() with base 10`. ' — no routing/fallback
...warden\gallery\repos\metagpt\examples\rag\rag_pipeline.py:243
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...cts\warden\gallery\repos\metagpt\examples\spo\optimize.py:11
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...cts\warden\gallery\repos\metagpt\examples\spo\optimize.py:13
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...cts\warden\gallery\repos\metagpt\examples\spo\optimize.py:15
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4 may update over time' — no routing/fallback
...llery\repos\metagpt\examples\werewolf_game\evals\utils.py:44
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...llery\repos\metagpt\examples\werewolf_game\evals\utils.py:85
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...lad\Projects\warden\gallery\repos\metagpt\metagpt\logs.py:153
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: '# Full Example: https://github.com/geekan/MetaGPT/blob/main/config/config2.example.yaml # Reflected Code: https://github.com/geekan/MetaGPT/blob/main/metagpt/config2.py # Config Docs: https://docs.deepwisdom.ai/main/en/guide/get_started/configuration.html llm: api_type: "openai" # or azure / ollama / groq etc. model: "gpt-4-turbo" # or gpt-3.5-turbo base_url: "https://api.openai.com/v1" # or forward url / other llm url api_key: "YOUR_API_KEY" ' — no routing/fallback
...\warden\gallery\repos\metagpt\metagpt\software_company.py:127
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...\warden\gallery\repos\metagpt\metagpt\software_company.py:149
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...\warden\gallery\repos\metagpt\metagpt\software_company.py:153
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...lery\repos\metagpt\metagpt\document_store\milvus_store.py:73
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...os\metagpt\metagpt\environment\android\android_ext_env.py:374
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...gpt\metagpt\environment\android\text_icon_localization.py:268
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...lery\repos\metagpt\metagpt\ext\aflow\scripts\interface.py:44
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Waiting for GPT-4V to generate documentation for the element ' — no routing/fallback
...gpt\metagpt\ext\android_assistant\actions\parse_record.py:110
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\experimenter.py:136
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\experimenter.py:138
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ts\warden\gallery\repos\metagpt\metagpt\ext\sela\utils.py:60
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ts\warden\gallery\repos\metagpt\metagpt\ext\sela\utils.py:118
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ts\warden\gallery\repos\metagpt\metagpt\ext\sela\utils.py:119
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\ext\sela\data\custom_task.py:73
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\data\dataset.py:194
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\data\dataset.py:289
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\data\dataset.py:292
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\data\dataset.py:294
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\ext\sela\data\dataset.py:298
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...pos\metagpt\metagpt\ext\sela\evaluation\visualize_mcts.py:142
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\ext\sela\runner\aide.py:30
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\ext\sela\runner\aide.py:31
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\ext\sela\runner\aide.py:35
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\ext\sela\runner\mcts.py:49
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ry\repos\metagpt\metagpt\ext\sela\runner\random_search.py:40
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...n\gallery\repos\metagpt\metagpt\ext\sela\runner\runner.py:41
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...lery\repos\metagpt\metagpt\ext\sela\search\tree_search.py:377
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:119
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:119
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:119
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:124
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:124
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:124
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:129
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:129
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...jects\warden\gallery\repos\metagpt\metagpt\ext\spo\app.py:129
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...gallery\repos\metagpt\metagpt\ext\spo\utils\llm_client.py:89
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...gallery\repos\metagpt\metagpt\ext\spo\utils\llm_client.py:90
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...gallery\repos\metagpt\metagpt\ext\spo\utils\llm_client.py:91
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Set model and return self. For example, `with_model("gpt-3.5-turbo")`.' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\base_llm.py:325
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:35
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:36
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:37
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-v2' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:40
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.5-sonnet' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:43
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.7-sonnet' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\provider\constant.py:44
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\provider\general_api_base.py:89
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\provider\general_api_base.py:96
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\provider\general_api_base.py:102
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:40
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0:28k' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:41
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0:200k' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:42
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:44
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0:48k' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:45
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0:200k' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:46
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-opus-20240229-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:48
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-5-sonnet-20240620-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:50
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:51
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:52
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:54
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...n\gallery\repos\metagpt\metagpt\provider\bedrock\utils.py:55
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...cts\warden\gallery\repos\metagpt\metagpt\roles\teacher.py:46
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\roles\di\data_analyst.py:110
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\roles\di\data_analyst.py:140
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\roles\di\data_interpreter.py:135
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\roles\di\data_interpreter.py:188
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...cts\warden\gallery\repos\metagpt\metagpt\strategy\base.py:107
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...cts\warden\gallery\repos\metagpt\metagpt\strategy\base.py:109
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...allery\repos\metagpt\metagpt\strategy\thinking_command.py:110
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...llery\repos\metagpt\metagpt\tools\metagpt_oas3_api_svc.py:23
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\tools\tool_recommend.py:157
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'gpt-4-vision-preview' — no routing/fallback
...llery\repos\metagpt\metagpt\tools\libs\gpt_v_generator.py:46
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...warden\gallery\repos\metagpt\metagpt\tools\libs\linter.py:222
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...warden\gallery\repos\metagpt\metagpt\tools\libs\linter.py:229
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...tagpt\metagpt\tools\swe_agent_commands\swe_agent_utils.py:25
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...metagpt\metagpt\tools\swe_agent_commands\_split_string.py:11
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...metagpt\metagpt\tools\swe_agent_commands\_split_string.py:14
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: ' @Time : 2023/4/29 16:07 @Author : alexanderwu @File : common.py @Modified By: mashenquan, 2023-11-1. According to Chapter 2.2.2 of RFC 116: Add generic class-to-string and object-to-string conversion functionality. @Modified By: mashenquan, 2023/11/27. Bug fix: `parse_recipient` failed to parse the recipient in certain GPT-3.5 responses. ' — no routing/fallback
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:3
Use model routing or configuration instead of hardcoded names
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:341
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:343
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:349
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:351
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...ects\warden\gallery\repos\metagpt\metagpt\utils\common.py:1182
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...den\gallery\repos\metagpt\metagpt\utils\git_repository.py:295
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D5
print() used instead of structured logging
...en\gallery\repos\metagpt\metagpt\utils\role_zero_utils.py:128
Use logging.* or structlog.* for structured, searchable logs
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...warden\gallery\repos\metagpt\metagpt\utils\stream_pipe.py:23
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Reduce the length of concatenated message segments to fit within the maximum token size. Args: msgs: A generator of strings representing progressively shorter valid prompts. model_name: The name of the encoding to use. (e.g., "gpt-3.5-turbo") system_text: The system prompts. reserved: The number of reserved tokens. Returns: The concatenated message segments reduced to fit within the maximum token size. Raises: RuntimeError: If it fails to reduce the concatenated message length. ' — no routing/fallback
...ojects\warden\gallery\repos\metagpt\metagpt\utils\text.py:12
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Split the text into chunks of a maximum token size. Args: text: The text to split. prompt_template: The template for the prompt, containing a single `{}` placeholder. For example, "### Reference {}". model_name: The name of the encoding to use. (e.g., "gpt-3.5-turbo") system_text: The system prompts. reserved: The number of reserved tokens. Yields: The chunk of text. ' — no routing/fallback
...ojects\warden\gallery\repos\metagpt\metagpt\utils\text.py:41
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.5-sonnet' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:19
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:20
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0301' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:21
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:22
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:23
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:24
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-1106' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:27
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:28
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0314' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:29
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:30
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:31
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k-0314' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:32
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:33
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:34
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:35
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0125-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:36
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:37
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo-2024-04-09' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:38
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:39
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:40
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:41
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:42
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini-2024-07-18' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:43
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-05-13' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:44
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-08-06' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:45
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-flash' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:55
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-pro' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:56
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-2.0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:67
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-2.1' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:68
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-sonnet-20240229' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:69
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:70
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-v2' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:71
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:72
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-opus-20240229' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:73
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-haiku-20240307' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:74
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-7-sonnet-20250219' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:75
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:78
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:79
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:80
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-2024-05-13' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:81
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-mini' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:82
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-mini-2024-07-18' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:83
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:91
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4-turbo-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:92
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3-opus' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:95
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:96
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:97
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.7-sonnet' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:98
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.7-sonnet:beta' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:99
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.7-sonnet:thinking' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:100
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:101
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:102
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'google/gemini-pro-1.5' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:103
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:252
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-05-13' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:253
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-08-06' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:254
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini-2024-07-18' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:255
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:256
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo-2024-04-09' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:257
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0125-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:258
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:259
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:260
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:261
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:262
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:263
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:264
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:265
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:266
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:267
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:268
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:269
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-1106' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:270
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-instruct' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:271
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:272
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:273
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:274
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-flash' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:278
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gemini-1.5-pro' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:279
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-2.0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:290
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-2.1' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:291
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-sonnet-20240229' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:292
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-opus-20240229' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:293
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-5-sonnet-20240620' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:294
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'claude-3-haiku-20240307' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:295
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:298
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:299
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:300
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-2024-05-13' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:301
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-mini' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:302
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4o-mini-2024-07-18' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:303
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:314
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'openai/gpt-4-turbo-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:315
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3-opus' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:318
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic/claude-3.5-sonnet' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:319
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'google/gemini-pro-1.5' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:320
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:371
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0:28k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:372
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-sonnet-20240229-v1:0:200k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:373
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-5-sonnet-20240620-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:374
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:375
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0:48k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:376
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-haiku-20240307-v1:0:200k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:377
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-opus-20240229-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:379
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:380
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-5-sonnet-20241022-v2:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:381
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:382
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'us.anthropic.claude-3-7-sonnet-20250219-v1:0' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:383
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:430
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:441
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:442
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-16k' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:445
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-1106' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:446
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:447
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0314' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:448
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k-0314' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:449
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:450
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-32k-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:451
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:452
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:453
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0125-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:454
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:455
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:456
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:457
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-1106-vision-preview' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:458
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:459
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-05-13' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:460
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-2024-08-06' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:461
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:462
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4o-mini-2024-07-18' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:463
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0301' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:471
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:474
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Warning: gpt-3.5-turbo may update over time. Returning num tokens assuming gpt-3.5-turbo-0125.' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:475
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-3.5-turbo-0125' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:476
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:477
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'Warning: gpt-4 may update over time. Returning num tokens assuming gpt-4-0613.' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:478
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: 'gpt-4-0613' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:479
Use model routing or configuration instead of hardcoded names
MEDIUM D12
Hardcoded model name: ' Returns the number of tokens in a text string. Args: string (str): The text string. model (str): The name of the encoding to use. (e.g., "gpt-3.5-turbo") Returns: int: The number of tokens in the text string. ' — no routing/fallback
...rden\gallery\repos\metagpt\metagpt\utils\token_counter.py:511
Use model routing or configuration instead of hardcoded names
MEDIUM D5
JavaScript: Console logging with potential sensitive data
...metagpt\metagpt\environment\minecraft\mineflayer\index.js:147
Use structured logging and redact sensitive fields
MEDIUM D4
Exposed Generic Secret: api..._KEY
...allery\repos\metagpt\config\examples\groq-llama3-70b.yaml:4
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...ery\repos\metagpt\config\examples\openai-gpt-4-turbo.yaml:2
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:4
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:29
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:36
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:43
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:50
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:60
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: pas...WORD
...\warden\gallery\repos\metagpt\config\config2.example.yaml:74
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:104
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: sec...CRET
...\warden\gallery\repos\metagpt\config\config2.example.yaml:105
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\config\config2.example.yaml:110
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\gallery\repos\metagpt\config\examples\google-gemini.yaml:3
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...y\repos\metagpt\config\examples\openai-gpt-3.5-turbo.yaml:2
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...Projects\warden\gallery\repos\metagpt\config\config2.yaml:8
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._API
...d\Projects\warden\gallery\repos\metagpt\docs\README_FR.md:89
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...examples\llamaapi-Llama-4-Scout-17B-16E-Instruct-FP8.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...ples\llamaapi-llama-4-Maverick-17B-128E-Instruct-FP8.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...ers\gilad\Projects\warden\gallery\repos\metagpt\README.md:83
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...tagpt\config\examples\llamaapi-Llama-3.3-8B-Instruct.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...agpt\config\examples\llamaapi-Llama-3.3-70B-Instruct.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\metagpt\config\examples\anthropic-claude-3-5-sonnet.yaml:4
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: tok...OKEN
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:20
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: tok...oken
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:22
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: tok...OKEN
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:25
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: tok...oken
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:27
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:31
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: sec...CRET
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:32
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...eech
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:35
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: sec...eech
...ts\warden\gallery\repos\metagpt\config\vault.example.yaml:36
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...tagpt\config\examples\openrouter-llama3-70b-instruct.yaml:4
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...gallery\repos\metagpt\examples\aflow\config2.example.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...gallery\repos\metagpt\examples\aflow\config2.example.yaml:10
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...n\gallery\repos\metagpt\examples\spo\config2.example.yaml:5
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...n\gallery\repos\metagpt\examples\spo\config2.example.yaml:11
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...n\gallery\repos\metagpt\examples\spo\config2.example.yaml:16
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...key>
...n\gallery\repos\metagpt\examples\spo\config2.example.yaml:21
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...\warden\gallery\repos\metagpt\metagpt\software_company.py:134
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...gallery\repos\metagpt\metagpt\configs\embedding_config.py:22
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...gallery\repos\metagpt\metagpt\configs\embedding_config.py:26
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api..._KEY
...gallery\repos\metagpt\metagpt\configs\embedding_config.py:32
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Database URL (no credentials): red...ort}
...den\gallery\repos\metagpt\metagpt\configs\redis_config.py:19
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D4
Exposed Generic Secret: api...fd77
...\warden\gallery\repos\metagpt\metagpt\provider\ark_api.py:13
Move to secrets manager or .env file (excluded from VCS)
EU AI Act Article 15OWASP LLM09
MEDIUM D9
No healthcheck defined for any service
...n\gallery\repos\metagpt\.devcontainer\docker-compose.yaml:1
Add healthcheck sections to critical services
MEDIUM D9
No resource limits defined — services can consume unlimited resources
...n\gallery\repos\metagpt\.devcontainer\docker-compose.yaml:1
Add CPU/memory limits to services
MEDIUM D8
Agent class 'CreateAgent' has no defined lifecycle states
...ts\warden\gallery\repos\metagpt\examples\agent_creator.py:19
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'AndroidAssistant' has no cost tracking
...\metagpt\ext\android_assistant\roles\android_assistant.py:26
Track token usage and costs per agent execution
MEDIUM D12
Agent class 'Assistant' has no cost tracking
...s\warden\gallery\repos\metagpt\metagpt\roles\assistant.py:37
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'Assistant' has no defined lifecycle states
...s\warden\gallery\repos\metagpt\metagpt\roles\assistant.py:37
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'InvoiceOCRAssistant' has no cost tracking
...lery\repos\metagpt\metagpt\roles\invoice_ocr_assistant.py:39
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'InvoiceOCRAssistant' has no defined lifecycle states
...lery\repos\metagpt\metagpt\roles\invoice_ocr_assistant.py:39
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'TutorialAssistant' has no cost tracking
...gallery\repos\metagpt\metagpt\roles\tutorial_assistant.py:20
Track token usage and costs per agent execution
MEDIUM D8
Agent class 'TutorialAssistant' has no defined lifecycle states
...gallery\repos\metagpt\metagpt\roles\tutorial_assistant.py:20
Add state machine (ACTIVE/SUSPENDED/RETIRED) for agent lifecycle
MEDIUM D12
Agent class 'SWEAgent' has no cost tracking
...arden\gallery\repos\metagpt\metagpt\roles\di\swe_agent.py:17
Track token usage and costs per agent execution
MEDIUM D3
No concurrency block — parallel deployments possible
...allery\repos\metagpt\.github\workflows\build-package.yaml:1
Add concurrency: group with cancel-in-progress to prevent parallel deploys
MEDIUM D3
continue-on-error: true — pipeline failures silently suppressed
...den\gallery\repos\metagpt\.github\workflows\fulltest.yaml:39
Remove continue-on-error or scope it to non-critical steps only
MEDIUM D3
No concurrency block — parallel deployments possible
...den\gallery\repos\metagpt\.github\workflows\fulltest.yaml:1
Add concurrency: group with cancel-in-progress to prevent parallel deploys
MEDIUM D14
Push trigger without branch protection guard
...den\gallery\repos\metagpt\.github\workflows\fulltest.yaml:1
Add if: github.ref == 'refs/heads/main' or restrict push trigger branches
MEDIUM D3
No concurrency block — parallel deployments possible
...n\gallery\repos\metagpt\.github\workflows\pre-commit.yaml:1
Add concurrency: group with cancel-in-progress to prevent parallel deploys
MEDIUM D14
Push trigger without branch protection guard
...n\gallery\repos\metagpt\.github\workflows\pre-commit.yaml:1
Add if: github.ref == 'refs/heads/main' or restrict push trigger branches
MEDIUM D3
No concurrency block — parallel deployments possible
...warden\gallery\repos\metagpt\.github\workflows\stale.yaml:1
Add concurrency: group with cancel-in-progress to prevent parallel deploys
MEDIUM D3
No concurrency block — parallel deployments possible
...den\gallery\repos\metagpt\.github\workflows\unittest.yaml:1
Add concurrency: group with cancel-in-progress to prevent parallel deploys
MEDIUM D14
Push trigger without branch protection guard
...den\gallery\repos\metagpt\.github\workflows\unittest.yaml:1
Add if: github.ref == 'refs/heads/main' or restrict push trigger branches
MEDIUM D3
No .github/CODEOWNERS file — no code ownership enforcement
Add CODEOWNERS to enforce review requirements per path
EU AI Act Article 9
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...jects\warden\gallery\repos\metagpt\examples\rag\rag_bm.py:6
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...Projects\warden\gallery\repos\metagpt\metagpt\document.py:14
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...llery\repos\metagpt\metagpt\document_store\faiss_store.py:13
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...os\metagpt\metagpt\environment\minecraft\minecraft_env.py:11
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...en\gallery\repos\metagpt\metagpt\memory\memory_storage.py:9
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\gallery\repos\metagpt\metagpt\memory\role_zero_memory.py:19
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...ojects\warden\gallery\repos\metagpt\metagpt\rag\schema.py:7
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...arden\gallery\repos\metagpt\metagpt\rag\benchmark\base.py:6
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...warden\gallery\repos\metagpt\metagpt\rag\engines\flare.py:7
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\gallery\repos\metagpt\metagpt\rag\factories\embedding.py:6
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...rden\gallery\repos\metagpt\metagpt\rag\factories\index.py:4
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...warden\gallery\repos\metagpt\metagpt\rag\factories\llm.py:5
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...den\gallery\repos\metagpt\metagpt\rag\factories\ranker.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\gallery\repos\metagpt\metagpt\rag\factories\retriever.py:8
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...en\gallery\repos\metagpt\metagpt\rag\parsers\omniparse.py:6
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...lery\repos\metagpt\metagpt\rag\prompts\default_prompts.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\warden\gallery\repos\metagpt\metagpt\rag\rankers\base.py:6
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...allery\repos\metagpt\metagpt\rag\rankers\object_ranker.py:7
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...rden\gallery\repos\metagpt\metagpt\rag\retrievers\base.py:5
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\repos\metagpt\metagpt\rag\retrievers\chroma_retriever.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...lery\repos\metagpt\metagpt\rag\retrievers\es_retriever.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...y\repos\metagpt\metagpt\rag\retrievers\faiss_retriever.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\repos\metagpt\metagpt\rag\retrievers\hybrid_retriever.py:5
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...en\gallery\repos\metagpt\metagpt\tools\libs\index_repo.py:10
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...s\warden\gallery\repos\metagpt\metagpt\utils\embedding.py:8
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...ojects\warden\gallery\repos\metagpt\metagpt\utils\file.py:136
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...ry\repos\metagpt\tests\metagpt\rag\engines\test_simple.py:4
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...y\repos\metagpt\tests\metagpt\rag\factories\test_index.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...ery\repos\metagpt\tests\metagpt\rag\factories\test_llm.py:4
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\repos\metagpt\tests\metagpt\rag\factories\test_ranker.py:4
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...pos\metagpt\tests\metagpt\rag\factories\test_retriever.py:3
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...\repos\metagpt\tests\metagpt\rag\parser\test_omniparse.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...pos\metagpt\tests\metagpt\rag\rankers\test_base_ranker.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...s\metagpt\tests\metagpt\rag\rankers\test_object_ranker.py:4
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...tagpt\tests\metagpt\rag\retrievers\test_bm25_retriever.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...gpt\tests\metagpt\rag\retrievers\test_chroma_retriever.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...metagpt\tests\metagpt\rag\retrievers\test_es_retriever.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...agpt\tests\metagpt\rag\retrievers\test_faiss_retriever.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D6
LlamaIndex used without callback_manager — no query observability
...gpt\tests\metagpt\rag\retrievers\test_hybrid_retriever.py:2
Set callback_manager= on your index/query engine for tracing
MEDIUM D1
Cloud AI endpoint URL hardcoded in source — hinders environment portability
...\warden\gallery\repos\metagpt\metagpt\software_company.py:133
Move AI service endpoints to environment variables or configuration files
OWASP LLM06
MEDIUM D1
Cloud AI endpoint URL hardcoded in source — hinders environment portability
...arden\gallery\repos\metagpt\metagpt\configs\llm_config.py:61
Move AI service endpoints to environment variables or configuration files
OWASP LLM06
MEDIUM D10
AWS Bedrock invoke_model without contentPolicy — no content filtering configured
...den\gallery\repos\metagpt\metagpt\provider\bedrock_api.py:73
Configure contentPolicy with filterStrength for input/output content moderation
EU AI Act Article 15
MEDIUM D4
GCP Vertex AI without explicit service_account or credentials — relying on ambient auth
...llery\repos\metagpt\metagpt\provider\google_gemini_api.py:11
Pass service_account or credentials parameter for explicit IAM scoping
OWASP LLM06
MEDIUM D1
Cloud AI endpoint URL hardcoded in source — hinders environment portability
...y\repos\metagpt\metagpt\tools\openai_text_to_embedding.py:63
Move AI service endpoints to environment variables or configuration files
OWASP LLM06
MEDIUM D1
Cloud AI endpoint URL hardcoded in source — hinders environment portability
...y\repos\metagpt\tests\metagpt\provider\mock_llm_config.py:62
Move AI service endpoints to environment variables or configuration files
OWASP LLM06
MEDIUM D4
GCP Vertex AI without explicit service_account or credentials — relying on ambient auth
...\metagpt\tests\metagpt\provider\test_google_gemini_api.py:57
Pass service_account or credentials parameter for explicit IAM scoping
OWASP LLM06
MEDIUM D17
No adversarial testing evidence — no red team, no prompt injection tests
Implement adversarial testing for agent systems
MEDIUM D17
No tool-call attack simulation — agent tool calls not tested against adversarial inputs
Implement adversarial testing for agent systems
MEDIUM D17
No multi-agent chaos engineering — agent swarms not stress tested
Implement adversarial testing for agent systems
LOW 3
LOW D14
No environment: block — no required reviewers for deployments
...allery\repos\metagpt\.github\workflows\build-package.yaml:1
Add environment: production with required reviewers in GitHub settings
EU AI Act Article 14
LOW D14
No environment: block — no required reviewers for deployments
...warden\gallery\repos\metagpt\.github\workflows\stale.yaml:1
Add environment: production with required reviewers in GitHub settings
EU AI Act Article 14
LOW D14
No environment: block — no required reviewers for deployments
...den\gallery\repos\metagpt\.github\workflows\unittest.yaml:1
Add environment: production with required reviewers in GitHub settings
EU AI Act Article 14
💡 Recommendationsordered by score impact
#1
Deploy risk classification for tool calls +20 pts
No risk scoring on tool invocations. Every tool call carries the same implicit trust level. Classify tools by risk (destructive, financial, exfiltration) and enforce approval gates for high-risk categories. (4 findings in this dimension)
⚠ The Workaround Tax
Stop paying the Workaround Tax. Relying on prompt-filters and out-of-band monitoring forces your developers to write manual security logic scattered across every agent and service. A centralized gateway enforces policy automatically — at the interception layer, on every tool call, without code changes in your agents.
Current state
11/ 100
✗ UNGOVERNED
D2 Risk Detection
0/20
D1 Tool Inventory
6/25
D3 Policy Coverage
1/20
D4 Credential Management
1/20
D9 Threat Detection
1/20
+ SharkRouter (full deployment)
91/ 100
✓ GOVERNED
D2 Risk Detection
18 +18
D1 Tool Inventory
23 +17
D3 Policy Coverage
18 +17
D4 Credential Management
18 +17
D9 Threat Detection
18 +17
* Projection based on SharkRouter's estimated score. Actual results may vary.  sharkrouter.ai → 11 → 91 · +80 pts
#2
Establish a live tool inventory +19 pts
No tool catalog detected. Without a centralized inventory of MCP tools and their schemas, governance policies have nothing to enforce against. Deploy a tool registry with auto-discovery. (4 findings in this dimension)
#3
Implement policy enforcement on tool calls +19 pts
No deny/allow/audit policies detected. Agents can invoke any tool without restriction. Deploy an inline policy engine with deny-by-default for destructive and financial tools. (7 findings in this dimension)
#4
Move credentials to a secrets manager +19 pts
API keys or credentials found in source code. Move to HashiCorp Vault, AWS Secrets Manager, or environment-level secret stores. Rotate all exposed keys immediately. Add .env to .gitignore. (53 findings in this dimension)
#5
Deploy behavioral detection and kill switch +19 pts
No behavioral baselines, no anomaly detection, no auto-suspend capability. A compromised agent can operate indefinitely. Salami slicing across sessions is undetectable. (22 findings in this dimension)
Generated by Warden v1.6.0 · Open Source · MIT License · github.com/sharkrouter/warden
Scoring model v4.3 · 17 weighted dimensions · 235 pts · methodology in SCORING.md
Scan data stays on your machine. Email delivery is opt-in only.
When opted in: score + metadata only. Never: keys, logs, paths, or PII.
Privacy policy · To enforce policies on what Warden found → Explore what 91/100 looks like →