Security Audit: 2 medium findings (password logging, SSH host key bypass)

[starbuck100]

AgentAudit Security Report

Package: tabularis v0.8.12
Commit: f88d846
Risk Score: 10/100 (safe)
Report: https://agentaudit.dev/skills/tabularis

Findings

1. Database password logged in plaintext via println (MEDIUM)

• File: src-tauri/src/commands.rs:1533
• Issue: The list_databases command logs resolved connection parameters including the full database password via println! to stdout.
• Fix: Remove password from the println! output or replace with log::debug! and redact the password field.

2. SSH host key verification unconditionally disabled (MEDIUM)

• File: src-tauri/src/ssh_tunnel.rs:160
• Issue: Both SSH backends skip host key verification: system SSH uses StrictHostKeyChecking=no, and the russh backend check_server_key always returns Ok(true). This enables MITM attacks on SSH tunnels.
• Fix: Use StrictHostKeyChecking=accept-new (already used in test_ssh_connection_system) for the tunnel backend. For russh, implement proper known_hosts checking.

---

Automated security audit by AgentAudit

[debba]

Thanks @starbuck100 , and yes the project is in full beta and some things requires attention, thanks to point them.
Feel free to contribute if you want for fixing them!

[debba]

@starbuck100 fixed it.

 npx agentaudit audit https://github.com/debba/tabularis

  🛡  AgentAudit v3.9.34
  Security scanner for AI tools

◉  Auditing tabularis  https://github.com/debba/tabularis
│  Deep LLM-powered analysis (3-pass: UNDERSTAND → DETECT → CLASSIFY)

  [1/4] Cloning repository... done
  [2/4] Collecting source files... 53 files
  [3/4] Preparing audit payload... done
  [4/4] Running LLM analysis (openai: gpt-4o)... done (23.6s)

  SAFE  Trust Score: 100/100  (Risk: 0/100)
  Model: openai/gpt-4o  Duration: 23.6s

  No findings — package looks clean.

  Run agentaudit setup to upload reports to the registry

Thanks a lot for this complaint.
I didn’t know about this tool, thanks for introducing me to it, added it to my toolbox :)