# Security Audit Report - Framework detected: javascript-app - Total findings: 5 - Critical: 1, High: 4, Medium: 0, Low: 0 ## Executive summary This report is evidence-oriented. Findings marked probable or manual-review should be validated in source context before remediation planning is finalized. ## Critical #### Hardcoded credential material - Severity: critical - Confidence: high - Status: confirmed - Evidence: Secret-like token or private key marker detected - Impact: Credential compromise may permit direct unauthorized access - Files: scripts/security-audit.js (Line: 159) - Recommended fix: Remove from code, rotate credentials, and load via secure server-side environment management. ## High #### Unsafe HTML rendering pattern - Severity: high - Confidence: medium - Status: probable - Evidence: dangerouslySetInnerHTML found - Impact: Potential XSS if fed untrusted content - Files: scripts/security-audit.js (Line: 126) - Recommended fix: Sanitize content and restrict sources before rendering HTML. #### Server boundary without obvious input validation - Severity: high - Confidence: low - Status: manual-review - Evidence: Request input usage - Impact: Malformed or hostile input may reach sensitive logic - Files: scripts/security-audit.js (Line: 144) - Recommended fix: Validate request data at the server boundary with a schema. #### LLM endpoint with prompt injection exposure - Severity: high - Confidence: medium - Status: probable - Evidence: LLM SDK call - Impact: Model behavior may be steered to reveal or misuse privileged instructions and tools - Files: scripts/security-audit.js (Line: 149) - Recommended fix: Separate system instructions, validate tool args, add allowlists, and sanitize user content. #### Potential SSRF pattern - Severity: high - Confidence: low - Status: manual-review - Evidence: Server-side outbound request - Impact: Attacker may force calls to internal or unintended hosts - Files: scripts/security-audit.js (Line: 154) - Recommended fix: Enforce host allowlists and validate URLs before outbound requests. ## Medium _No findings._ ## Low _No findings._ ## Manual review checklist - Verify authz on admin and privileged routes. - Verify whether raw queries are parameterized upstream. - Verify whether shared sanitization utilities are applied before dangerous HTML or LLM calls. - Verify token handling and public env variables in client bundles.