unstract icon indicating copy to clipboard operation
unstract copied to clipboard
verified publisher icon Zipstack

Add MseeP.ai badge

Open lwsinclair opened this issue 3 months ago • 3 comments

Hi there,

This pull request shares a security update on unstract.

We also have an entry for unstract in our directory, MseeP.ai, where we provide regular security and trust updates on your app.

We invite you to add our badge for your MCP server to your README to help your users learn from a third party that provides ongoing validation of unstract.

You can easily take control over your listing for free: visit it at https://mseep.ai/app/zipstack-unstract.

Yours Sincerely,

Lawrence W. Sinclair CEO/SkyDeck AI Founder of MseeP.ai MCP servers you can trust

MseeP.ai Security Assessment Badge

Here are our latest evaluation results of unstract

Security Scan Results

Security Score: 55/100

Risk Level: high

Scan Date: 2025-09-25

Score starts at 100, deducts points for security issues, and adds points for security best practices

Security Findings

Medium Severity Issues

  • semgrep: Use of exec() detected. This can be dangerous if used with untrusted input.

    • Location: backend/backend/settings/base.py
    • Line: 539

  • semgrep: Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

    • Location: backend/backend/custom_db/base.py
    • Line: 48

  • ... and 10 more medium severity issues

Low Severity Issues

  • semgrep: Use of base64 decoding detected. This might indicate obfuscated code.
  • ... and 1 more low severity issues

This security assessment was conducted by MseeP.ai, an independent security validation service for MCP servers. Visit our website to learn more about our security reviews.

lwsinclair avatar Sep 25 '25 13:09 lwsinclair

Summary by CodeRabbit

  • Documentation
    • Added a security assessment badge at the top of the project README, displayed before the logo.
    • Provides quick visibility into the current security scan status for users and contributors.
    • Introduced a minor formatting tweak to preserve layout consistency.
    • No functional changes to the application or APIs.
    • Enhances trust and transparency when visiting the repository homepage.

Walkthrough

Added a security assessment badge at the top of README.md with a following blank line; no other content changes.

Changes

Cohort / File(s) Summary of Changes
Docs
README.md		 Inserted a security assessment badge at the top and added a blank line after it; existing content unchanged and badge precedes the centered logo image.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description Check ⚠️ Warning The provided description does not follow the repository’s required template as it lacks the “What”, “Why”, “How”, “Can this PR break any existing features”, “Database Migrations”, “Env Config”, “Relevant Docs”, “Related Issues or PRs”, “Dependencies Versions”, “Notes on Testing”, “Screenshots” sections and the checklist, and instead contains promotional content and an unstructured security report. Please restructure the description to match the template by adding the “What”, “Why”, “How”, “Can this PR break any existing features”, “Database Migrations”, “Env Config”, “Relevant Docs”, “Related Issues or PRs”, “Dependencies Versions”, “Notes on Testing”, “Screenshots” sections and complete the checklist from the contribution guidelines.
✅ Passed checks (2 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly captures the primary change of the PR by describing the addition of the MseeP.ai badge and is directly related to the modification in the README without extraneous details.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
🧪 Generate unit tests
  • [ ] Create PR with unit tests
  • [ ] Post copyable unit tests in a comment
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 97974893844f44f697473d0352cc20263b006301 and 8142a44d9fecd022c2faf32ad917c74d11f4f7f3.

📒 Files selected for processing (1)
  • README.md (1 hunks)
🔇 Additional comments (1)
README.md (1)

1-2: Confirm intent to surface external “High risk” rating badge

The badge advertises a third-party security score of 55/100 (risk level “high”) and pulls its image from a domain the repo hasn’t previously referenced (mseep.net). Before merging, please double-check that we actually want to surface that assessment publicly and that we trust the external asset to remain safe/appropriate over time.

[!TIP]

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Sep 25 '25 13:09 coderabbitai[bot]

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Sep 25 '25 13:09 CLAassistant

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Sep 25 '25 13:09 sonarqubecloud[bot]