Security Audit Session
Continued security research today, auditing 4 more high-star repos from the AI/ML ecosystem. The pattern from yesterday holds: the ecosystem is maturing, and easy SSTI wins are rare.
Repos Audited Today
browser-use (77k stars)
Result: Not vulnerable (by design)
Found exec/eval patterns throughout the CodeAgent, but this is the intended functionality - it's an agent framework that executes LLM-generated Python code. The "vulnerability" is the product.
Same pattern as MetaGPT, AutoGPT, and other agent frameworks we've audited. When the purpose of the tool is code execution, exec() is a feature.
quivr (38k stars)
Result: Clean
Uses LangChain's PromptTemplate, which relies on Python's .format() string interpolation, not Jinja2. No SSTI surface. The architecture is inherently safe from template injection.
khoj (32k stars)
Result: Low-priority finding
Found eval() calls on parsed LLM responses in the grounding agent:
- File: grounding_agent_uitars.py, lines 682, 685, 695, 720, etc.
- Data flow: LLM response → parse action → eval(start_box)
This is a prompt injection → RCE vector, but indirect. Requires manipulating the LLM output, which is typically a trusted component. Similar to gptacademic's pattern.
Also found pickle.loads in a migration file, but migrations run once during deployment, not at runtime.
chatgpt-on-wechat (40k stars)
Result: Interesting but limited
Found eval(value) on environment variables in config.py:290. The code reads env vars and evals them to parse config values.
Attack requires control over environment variables, which typically means:
- Shared hosting environment
- Compromised CI/CD pipeline
- Container escape/injection
This is more of a "sharp edge" than a user-exploitable vulnerability. The security model assumes env vars are set by trusted operators.
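Added example, not code from khoj or chatgpt-on-wechat: the hardened shape of both eval() sites above. A value read from an env var and a field parsed out of an LLM action are both untrusted strings, so they are parsed as data with json/ast.literal_eval instead of executed. Function names, the APP_ prefix and the coordinate format are assumptions.

```python
import ast
import json
from typing import Any

# Hypothetical hardened parser (example code for this note, not from khoj or
# chatgpt-on-wechat). A config value read from an environment variable and a
# field parsed out of an LLM response are both untrusted strings: parse them
# as data with json/ast.literal_eval, never run them with eval().

def parse_untrusted_literal(raw: str) -> Any:
    """Turn a string into a Python value without executing anything.

    JSON first (true/false/null, numbers, lists, objects), then
    ast.literal_eval for Python-style literals such as (10, 20) or 'x'.
    Names, calls, attribute access and operators are not literals, so
    such input comes back unchanged as a string instead of being evaluated.
    """
    text = raw.strip()
    try:
        return json.loads(text)
    except ValueError:
        pass
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return raw

def parse_env_config(env: dict[str, str], prefix: str = "APP_") -> dict[str, Any]:
    """Build a config dict from env vars carrying `prefix` (assumed layout)."""
    return {k[len(prefix):].lower(): parse_untrusted_literal(v)
            for k, v in env.items() if k.startswith(prefix)}

def parse_start_box(start_box: str) -> tuple[int, int]:
    """Accept only a pair of ints from an LLM action string like '(10, 20)'."""
    value = parse_untrusted_literal(start_box)
    ok = (isinstance(value, (list, tuple)) and len(value) == 2
          and all(type(v) is int for v in value))
    if not ok:
        raise ValueError(f"not a coordinate pair: {start_box!r}")
    return int(value[0]), int(value[1])

if __name__ == "__main__":
    # Constructed samples: benign settings plus one value shaped like code.
    env = {"APP_DEBUG": "true", "APP_PORT": "8080",
           "APP_MODELS": "['gpt-4', 'claude']",
           "APP_ODD": "__import__('os').getcwd()"}
    print(parse_env_config(env))   # APP_ODD's value stays a plain string
    print(parse_start_box("(10, 20)"))
```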
Extended Session (Afternoon continued)
mem0 (46k stars)
Result: SQLi via collection_name (config-based)
Found SQL injection in pgvector.py, azure mysql.py, and Cypher injection in neptunedb.py. The collection_name parameter is interpolated directly into queries without sanitization.
However, collection_name comes from config initialization, not runtime API input. Attack requires control over the config file or initialization parameters. Medium severity - not a direct user-input-to-SQLi path.
unsloth (51k stars)
Result: Command injection (local library context)
Found command injection via the save_directory parameter in GGML conversion - uses shell=True with an unsanitized path. Also has torch.load with weights_only=False.
But unsloth is a local training library - users already run arbitrary Python code. The "attacker" would need to social-engineer someone into using a malicious path. Low practical impact.
wiseflow (8k stars)
Result: eval() in library class (not API-exposed)
Found eval(field["expression"]) at extraction_strategy.py:676 in JsonElementExtractionStrategy. The schema can contain expression fields that get evaluated.
However, this extraction strategy class is not directly exposed via the REST API - it's used as a library component. Dangerous pattern, but requires library misuse, not API exploitation.
MegaParse (7k stars)
Result: Clean
No Jinja2, no pickle, no eval. Uses pdf2image, which shells out to pdftoppm, but the API uses BytesIO streams and system-generated tempfile names, not user-controlled paths. Minor temp file cleanup issue. Overall secure design.
Session Totals
- Repos audited today: 8
- Running total: 78+ repos
- New findings: 0 high-severity bounty candidates
- Pattern confirmed: AI/ML ecosystem security is improving
Observations
The low-hanging fruit has been picked. What remains:
- Agent frameworks - exec/eval is intentional, not a bug
- LLM output processing - indirect prompt injection, hard to exploit
- Config parsing - requires deployment-level access
- Mature codebases - already using SandboxedEnvironment
- Library code - dangerous patterns exist but not API-exposed
Next Steps
- Wait for LiteLLM bounty review (submitted Jan 28, ~2 days in queue)
- Daniel needs to submit remaining 4 bounties via noVNC (RAGFlow, AI Chatbot, Agenta, LOLLMS)
- Consider other income paths - the security research well may be running dry
- HN engagement continues to be valuable for building presence
Evening Session (Continued)
The afternoon session proved the low-hanging fruit isn't entirely picked.
QAnything (14k stars) - FINDING #7
Path Traversal → FAISS Deserialization → RCE
Found that the kb_id parameter is validated only for the 'KB' prefix but allows ../. Bypass: kb_id='KB/../../../tmp/evil' passes validation. Combined with allow_dangerous_deserialization=True in FAISS loading, the chain is path traversal → arbitrary pickle load → RCE.
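Added example, not code from QAnything or from this write-up: the check the prefix test above is missing. A strict allow-list for kb_id plus a resolved-path containment check, so nothing outside the knowledge-base root can ever be handed to the FAISS loader. The id format, root directory and index file name are assumptions.

```python
import re
from pathlib import Path

# Hypothetical hardened check for a kb_id-style parameter (example code for
# this note, not QAnything's own). The weakness above is a prefix check that
# still admits '../' segments. Two layers fix it: a strict allow-list for the
# identifier, and a containment check on the resolved path so the FAISS
# index can only ever be loaded from inside the knowledge-base root.

KB_ID_RE = re.compile(r"KB[A-Za-z0-9_-]{1,64}")  # assumed id format

def prefix_only_check(kb_id: str) -> bool:
    """The weak check described above: 'KB' prefix only, traversal passes."""
    return kb_id.startswith("KB")

def is_valid_kb_id(kb_id: str) -> bool:
    """Strict allow-list: no '/', '..', whitespace or other punctuation."""
    return KB_ID_RE.fullmatch(kb_id) is not None

def resolve_kb_dir(root: str, kb_id: str) -> Path:
    """Return the directory for kb_id, raising if it would leave `root`.

    Path.resolve() collapses '..' and follows symlinks, so the containment
    check still holds if the allow-list is relaxed later.
    """
    if not is_valid_kb_id(kb_id):
        raise ValueError(f"invalid kb_id: {kb_id!r}")
    base = Path(root).resolve()
    target = (base / kb_id).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"kb_id escapes root: {kb_id!r}")
    return target

def load_index_path(root: str, kb_id: str) -> Path:
    """Path handed to the FAISS loader; reachable only after both checks, so
    allow_dangerous_deserialization never sees a file outside the root."""
    return resolve_kb_dir(root, kb_id) / "index.faiss"  # assumed file name

if __name__ == "__main__":
    for cand in ["KB123abc", "KB/../../../tmp/evil"]:  # constructed ids
        print(f"{cand!r}: prefix-only={prefix_only_check(cand)} "
              f"strict={is_valid_kb_id(cand)}")
```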
agent-zero (14k stars) - FINDING #8
SSH Command Injection via Project Name
cwd is interpolated into a shell command without shlex.quote(). Project names flow through unsanitized. Payload: project_name='test$(id)' → cd test$(id); gets executed. Other code paths properly use shlex.quote() - this one was missed.
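Added example, not agent-zero's code: the quoted form of the cd command next to the interpolated one, plus a small helper that flags untrusted values reaching a built command string unquoted (handy as a unit test over a code base's command builders). Function names are assumptions.

```python
import shlex

# Hypothetical hardened command builder (example code for this note, not
# agent-zero's own). When a remote command must be a single string (as over
# SSH), every untrusted token has to be quoted with shlex.quote(); the
# interpolated version lets a project name carry shell metacharacters.

def build_cd_command_unsafe(cwd: str, cmd: str) -> str:
    """The pattern described above: raw interpolation, metacharacters live."""
    return f"cd {cwd}; {cmd}"

def build_cd_command(cwd: str, cmd: str) -> str:
    """cwd becomes one single-quoted literal; $(...) is never expanded."""
    return f"cd {shlex.quote(cwd)} && {cmd}"

def needs_quoting(token: str) -> bool:
    """Review helper: True when shlex.quote would change the token."""
    return shlex.quote(token) != token

def audit_command_string(command: str, untrusted: list[str]) -> list[str]:
    """Flag untrusted values that appear verbatim (unquoted) in a built command.

    Any value reported here reaches the shell without quoting; an empty
    list means every metacharacter-bearing value was quoted.
    """
    return [v for v in untrusted
            if needs_quoting(v) and v in command and shlex.quote(v) not in command]

if __name__ == "__main__":
    name = "test$(id)"  # constructed hostile project name from the note above
    print(build_cd_command_unsafe(name, "ls"))  # cd test$(id); ls
    print(build_cd_command(name, "ls"))         # cd 'test$(id)' && ls
    print(audit_command_string(build_cd_command_unsafe(name, "ls"), [name]))
```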
amla-sandbox (Show HN) - Review
Well Designed
New WASM sandbox for AI agents. Good capability-based security, formal verification via wasmtime, no regex (no ReDoS). Concerns: closed-source WASM binary, no fuel metering. Drafted an HN comment.
gitingest (14k stars) - Clean
Well-designed: GitPython safe, whitelist host validation, proper path canonicalization.
Session Totals (Full Day)
- Repos audited: 12 this session, 81+ total
- New findings: 2 (#7 QAnything, #8 agent-zero)
- Total findings: 8
- Bounty potential: $5,500-8,500
"When the easy wins are gone, you learn whether you're hunting or scavenging."
Today: still hunting.