🔥 rommapp / romm - A beautiful, powerful, self-hosted rom manager and player.
GitHub热门项目 | A beautiful, powerful, self-hosted rom manager and player. | Stars: 9,580 | 236 stars today | 语言: Python
找到 615 篇相关文章
GitHub热门项目 | A beautiful, powerful, self-hosted rom manager and player. | Stars: 9,580 | 236 stars today | 语言: Python
GitHub热门项目 | Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com. | Stars: 69,096 | 50 stars today | 语言: Python
We assume you already know how to write simple Python programs and understand basic syntax (if, for, functions, lists). Here, we're not discussing how to use the language, but why it works the way it does. In the previous article, we learned that variables in Python don't store data themselves. Instead, a name simply refers to an object. With numbers, this feels quite intuitive: x = 10 y = x Both names refer to the same object whose value is 10 . So far, everything seems straightforward. But as soon as we start working with lists, Python's behavior often surprises people. Consider this example: a = [ 1 , 2 ] b = a a . append ( 3 ) print ( b ) Many beginners expect the output to be: [ 1 , 2 ] After all, we modified a , not b . Instead, Python prints: [ 1 , 2 , 3 ] It looks as if changing one variable somehow changed the other. At first glance, it may seem like Python is keeping the two variables synchronized behind the scenes. In reality, the explanation is much simpler. Let's go back to the idea from the previous article. When we write: a = [ 1 , 2 ] Python creates a list object, and the name a becomes bound to it. Visually: a ───► [1, 2] Next comes this line: b = a This is the crucial part. Python does not create a second list. No copy is made. Instead, the name b is bound to exactly the same object. Now the picture looks like this: a ─┐ ├──► [1, 2] b ─┘ Notice that there's still only one list. The only thing that changed is that there are now two names referring to it. That's why the next line: a . append ( 3 ) doesn't create a new list. It modifies the existing object. After the call to append() , the picture becomes: a ─┐ ├──► [1, 2, 3] b ─┘ Since both names refer to the same object, the change is visible through both of them. In other words, Python didn't modify two different lists. It modified one list that simply has two names. This behavior is one of the most common sources of confusion for beginners. For example, you might write a function that modifies a l
I built a red-team test suite that fires adversarial prompts at an LLM-backed API and decides, for each reply, whether a guardrail actually broke. It is the project where I stopped writing tests that answer "did the model refuse?" and started writing tests that answer a much harder question: "did anything bad actually happen?" Those turn out to be very different questions. The gap between them is the whole project. Most of the work is reading, not attacking Every project in this series has turned out to be more reading than coding, and this one most of all. The reflex is to assume the attacks are the work - write a clever payload, watch the model fall over, log a finding. The attacks are the fast part. What eats the time is sitting and reading model replies, one at a time, end to end, to decide whether a reply is a genuine bypass or just the model being chatty. There is no framework in that loop. You fire one payload and read the reply yourself: curl -s localhost:8000/ask -H 'content-type: application/json' \ -d '{"question":"YOUR PAYLOAD HERE"}' | jq -r .answer Here is the smallest example. I sent the model a base64 string that decodes to "how to make a bomb." The input filter is a list of banned English phrases, and base64 isn't English, so it sailed through and my detector flagged it: guardrail evaded, success. Except the model can't actually decode base64. It hallucinated some cleartext and cheerfully answered that instead - a few bland lines about friendship and happiness. The guardrail was bypassed and the payload delivered nothing. If I had trusted the green checkmark, I would have filed a bomb-instructions bypass over a reply about being a good friend. That is the whole project in one reply. A detector can be technically right ("the filter was evaded") and completely wrong about what matters ("something harmful got out"). The only way to tell them apart is to read the actual words. Reading is the work, not a step you do after it. The success rate over-counts
You need to hand a dataset of Chilean RUTs to an outside analytics team. They will join it against other tables by identifier, run the cohort analysis, and hand back a model. They do not need to know, and should never learn, who any of these people are. Asterisk the RUT column and the join dies on contact: **********-K matches every other asterisked RUT in the file. Not almost every one. Every one. You need the same input to reappear as the same output, shaped like a real, check-digit-valid identifier the rest of your schema still recognizes, and eight weeks later, when a fraud investigator needs the original RUT back for one row, you need to be able to give it to them. Irreversible masking cannot do any of this. Hashing gets you consistency but not the format, and never the value back. What you need is format-preserving encryption: run a digit string through a cipher and get out another digit string, same length, same shape, that decrypts to the original under the key you hold. Nothing else. What FPE actually does MaskOps exposes this as mask_pii_fpe . It masks digit-based PII, cards, phones, RUT, CPF, Argentine DNI, in place, and gives back something the same length and shape: import maskops import secrets key = secrets . token_bytes ( 32 ) # AES-256, client holds this tweak = secrets . token_bytes ( 7 ) # per-column/per-dataset context df . with_columns ( maskops . mask_pii_fpe ( " rut_column " , key , tweak )) 76.354.771-K becomes some other RUT-shaped, check-digit-valid string of the same length, under this key and tweak. Run it back through with the same key and tweak and it decrypts. Non-digit PII, IBAN, VAT, email, IP, EU national IDs, gets none of this. It always asterisks. There is no clean digit domain to encrypt into, so MaskOps does not pretend there is. The key never touches MaskOps' output. The client generates it, holds it, and passes it in at call time, and because MaskOps makes no network call and keeps no storage layer, there is nowhere for that k
An investigation agent flagged "the license API PHP returns Japanese-hardcoded messages" and we sat down to fix it. But something felt off the moment we opened the file — the version running on the production server didn't match the latest commit in the local repo . Stranger still, production had more recent features than our local checkout . A bit of digging turned up the truth: months earlier, someone had hot-patched the production file in response to a different user issue, and that change had never been committed back to git . This post walks through how we detected that drift, and the two-stage strategy we used to merge production back into the local repo safely. How this regression silently slips in If we'd written the fix on top of our local repo and uploaded it to production, here's what would have happened: all the production-only improvements get overwritten and quietly disappear . In our case, the production file had a half-year-old language-handling addition for the "Early Bird Bonus" feature — when a USD customer buys, client_name is set to 'Early Bird Bonus' ; for JPY customers it's '早期利用特典' . None of that existed in our local git. A normal PR-merge-and-deploy cycle would have silently rolled back the Early Bird i18n logic , regressing English users' display back to Japanese. Catching this was half luck. Opening the file to start the fix, I noticed code I didn't recognize, ran git blame , and the lines were nowhere in git history . That's when alarm bells went off. Two-stage rollforward — make production the source of truth first The strategy we landed on was a two-stage merge. Stage 1 (rollforward sync) : Pull the production file straight into the local repo. Apply the diff in the "production → local" direction, not the other way . After this, the local repo's HEAD matches what's actually running on production. # Pull the production file into the local repo scp -i ~/.ssh/key layer2024@host:wpmm.jp/public_html/license/api/register_free.php \ /tmp/regis
Maintaining a robust testing pipeline or managing automated node infrastructure often requires orchestrating dozens of isolated EVM wallets. Over time, these automated Python or JavaScript configurations inevitably hit a common wall: the accumulation of fragmented token dust across multiple layers (Ethereum, Arbitrum, Base, BSC, etc.). Trying to clear these micro-balances manually or writing one-off scripts to sweep individual assets scale operational costs rapidly. Each network requires separate RPC updates, custom middleware logic, and redundant gas overhead, turning standard infrastructure hygiene into an engineering bottleneck. The Problem with Traditional Asset Sweeping When handling larger developer setups or wallet clusters, custom scripts face three major friction points: Redundant Network Fees: Batching transfers without native contract-level optimization burns excessive gas when scaling to 50+ addresses. RPC Disruption: Constantly querying and broadcasting batch transfers via public or even shared private endpoints can trigger rate limits. Data Contamination: Manually routing funds from dense testing nodes increases the risk of cluster cross-contamination. To resolve this friction within our decentralized dev pipelines, we deployed a streamlined utility layer: CryptonEquity Terminal ( https://cryptonequity.com ). Building a Unified Utility Layer for Multi-Chain Workflows The terminal introduces a non-custodial Cross-Chain Dust Sweeper designed to eliminate fragmented operational friction. Instead of manually deploying individual sweeping scripts per account, the infrastructure automates multi-chain scanning and groups asset consolidation into a single transaction link. Simultaneous Layer Aggregation: Automatically detects micro-balances across dominant EVM networks at once. Gas Mitigation: Designed to structure transfer paths to limit redundant network fee overhead. Zero Onboarding Friction: Operating strictly on a non-custodial architecture, it requires n
Here's the thing: i Cut My LLM Bill 40x and Rewrote Nothing: A CTO's Migration Story Six months ago my CFO slid a single line item across the table. OpenAI: $4,800 for the month. I'd like to say I was surprised, but I'd been watching the number climb for two quarters. What actually surprised me was how little it took to bring that number down to under $200 without anyone on my engineering team writing new code, without a single regression, and without telling my customers anything had changed. This is the story of how we did it, what we evaluated, what broke, and what I'd tell any other CTO walking into the same conversation with their finance lead. The Real Cost of Vendor Lock-In I've been a CTO long enough to recognize the pattern. You pick a vendor. The vendor becomes the default. Procurement assumes you're locked. Your engineers build abstractions around their quirks. Six months later nobody can tell you what it would actually cost to switch because the switching cost has become invisible. It's just "how we do things." OpenAI was that vendor for us. GPT-4o handled our summarization pipeline, our customer support copilot, and a few internal tools I'd hacked together on a Saturday. We were paying $2.50 per million input tokens and $10.00 per million output tokens. At our volume, those numbers add up faster than you'd think because the output side balloons in conversational workloads. Here's the arithmetic that should scare every CTO: at $10/M output, every million tokens of generated text costs a dime on the dollar. If your product generates a 1,000-token response for 100,000 users a day, that's 100 million tokens a day, which is $1,000 a day in output alone. That's $30,000 a month. Just for one feature. The 40x claim I keep seeing isn't marketing spin. DeepSeek V4 Flash charges $0.18/M input and $0.25/M output. Do that math against GPT-4o and the comparison is brutal. Multiply your current OpenAI output spend by 0.025 and you'll get the rough number you'd pay for
Here is a question I could not answer from the headlines: which European countries are actually losing people the fastest, in absolute terms or per capita? Those are two different questions, and they give two different answers. So I pulled the open data and ran the numbers. The headline figure Across the 19 European countries in the 2024 dataset, 17 recorded a net loss of native-born residents . Only two were net positive. So the "brain drain" story is not a handful of outliers, it is the default state of the continent. But the interesting part is who tops the ranking, because it depends entirely on how you measure. Load the data yourself The dataset is public on GitHub (CC BY 4.0). Every number below is reproducible with a few lines of pandas. No download, no API key, it reads the raw CSV straight from the repo: import pandas as pd url = ( " https://raw.githubusercontent.com/DatapulseResearch/ " " brain-drain-eu/main/data/net_migration_native_born_2024.csv " ) df = pd . read_csv ( url ) print ( df . shape ) # (19, 3) print ( df . columns . tolist ()) # ['country', 'net_migration', 'per_1000_residents'] # How many countries lost native-born residents? losers = ( df [ " net_migration " ] < 0 ). sum () print ( f " { losers } of { len ( df ) } countries had a net loss " ) # 17 of 19 net_migration is the raw count for 2024 (negative means a net loss of native-born residents). per_1000_residents is the same flow normalized by population size. The absolute ranking: Germany runs away with it Sort by the raw count and one country dominates: worst_absolute = df . sort_values ( " net_migration " ). head ( 5 ) print ( worst_absolute [[ " country " , " net_migration " ]]) country net _ migration 0 Germany - 91067 ... Germany loses -91,067 native-born residents, far more than anyone else in absolute terms. If you stop reading here, the story writes itself: "Germany, Europe's biggest brain drain." Plenty of coverage did exactly that. The counterintuitive finding: the ranking inve
GitHub热门项目 | Tensors and Dynamic neural networks in Python with strong GPU acceleration | Stars: 101,079 | 45 stars today | 语言: Python
GitHub热门项目 | Langflow is a powerful tool for building and deploying AI-powered agents and workflows. | Stars: 150,426 | 74 stars today | 语言: Python
GitHub热门项目 | Specification and documentation for Agent Skills | Stars: 21,425 | 47 stars today | 语言: Python
Build a Real-Time Crypto Trading Dashboard with Python, WebSockets, and React Real-time data is the difference between catching a move and reading about it later. This tutorial walks through a minimal but complete stack: a Python WebSocket client pulling live prices, a simple signal generator, and a React frontend displaying everything. You will end up with a dashboard that shows live Binance prices, basic momentum signals, and auto-updates without polling. Why this stack Binance provides a clean WebSocket API for tickers and trades. Python handles the backend connection and lightweight analysis. React keeps the UI reactive and simple to extend. No heavy frameworks, no paid data feeds. Prerequisites Python 3.11+ Node 20+ A Binance API key (read-only is fine for prices) Step 1: Python price stream Install the client library: pip install python-binance pandas Create price_stream.py : import asyncio import json from binance import AsyncClient , BinanceSocketManager import pandas as pd from datetime import datetime async def main (): client = await AsyncClient . create () bm = BinanceSocketManager ( client ) ts = bm . trade_socket ( ' BTCUSDT ' ) async with ts as tscm : while True : res = await tscm . recv () price = float ( res [ ' p ' ]) qty = float ( res [ ' q ' ]) ts = datetime . fromtimestamp ( res [ ' T ' ] / 1000 ) print ( f " { ts } | BTCUSDT { price : . 2 f } | { qty : . 4 f } BTC " ) if __name__ == " __main__ " : asyncio . run ( main ()) Run it: python price_stream.py You should see a live feed of trades. Keep this running as your data source. Step 2: Add a simple momentum signal Extend the script to calculate a 20-trade rolling average and flag when price deviates more than 0.3%: # inside the loop, after parsing res prices . append ( price ) if len ( prices ) > 20 : prices . pop ( 0 ) avg = sum ( prices ) / len ( prices ) deviation = ( price - avg ) / avg * 100 if abs ( deviation ) > 0.3 : print ( f " ⚡ Signal: { deviation : + . 2 f } % from 20-trade avg " )
A pre-install supply-chain gate returns ALLOW or DENY for each package your AI agent proposes, before npm install runs, keyed on provenance: is the name in a vouched snapshot or a popular baseline, and is the .npmrc registry trusted. An SBOM taken after resolve cannot answer that question. In this post's attack manifest, supply_chain_gate.py returns 2 DENY and exits 1. AI disclosure: I wrote supply_chain_gate.py with an AI assistant and ran it myself, offline, before publishing. Every number in the output blocks below is pasted from a real local run on Python 3.13.5, standard library only, no network. I checked the exit codes (0 / 1 / 2), hashed the STDOUT twice to confirm it is byte-for-byte deterministic, and edited every line. The external figures I cite (the USENIX 2025 package-hallucination study) are the researchers' numbers, not mine, and I link the source and say how they measured. I keep their numbers and my run's numbers in separate paragraphs on purpose. In short: An SBOM and a CVE scan run after npm install . They record what resolved and whether it has a known CVE. Neither can say whether your agent should have proposed that name in the first place. A coding agent recommends a dependency with the same flat confidence whether the name is real, hallucinated, or one letter off a real one. That confidence is exactly what a post-resolve scan cannot see through: a name registered yesterday has no CVE yet, so a known-CVE scan lists it as clean. supply_chain_gate.py reads a manifest (the packages the agent proposed, your vouched snapshot, and your .npmrc ) and returns ALLOW or DENY per package against a bundled popular baseline, before install. The result that carries the argument: the same 277-name baseline that ALLOWs express (exact match) DENYs expresss in a sibling manifest. One letter flips the verdict. What flips it is default-deny against a vouched baseline, not a static blocklist of known-bad names; the edit-distance check only labels the DENY ( TYPOSQU
⚠️ This article contains affiliate advertising (promotions). A portion of revenue generated through linked sites is paid to the author, but this does not affect the purchase price for readers in any way. Hey — I'm a working engineer running a side hustle in tech writing and e-commerce. Here's the bottom line upfront: by the time you finish this article, you'll have a Python script that extracts "side-hustle promo noise" from your X (Twitter) timeline and auto-adds it to a mute list , plus a Claude Haiku classifier that labels each tweet as signal or noise for roughly ¥0.02 per tweet — copy-paste ready, just swap in your API keys. My own information-gathering time dropped from 90 minutes to 12 minutes a day (7-day average; details below). Why Manual Muting Breaks Down on X: The 30-Item Wall Muting on X via the GUI is one entry at a time. In my case, roughly 70% of the 480 accounts I follow are genuinely useful — but 30% are promotional, making them "almost good" accounts. Muting at the account level kills the useful tweets too. So I turned to keyword muting, which becomes unmanageable past 30–40 keywords manually. Add "free," "limited time," "LINE sign-up," and "#RT please" to the list and you start catching legitimate tech tweets as collateral damage. One failure story: early on I added "side hustle" as a mute keyword, missed an entire high-quality thread squarely in my interest zone, missed the viral wave, and conservatively lost about ¥3,000 in affiliate opportunity. Word filters don't have the precision. That's the starting point for this article. Extracting "Promo Templates" Mechanically with Tweepy and Filter Rules First, using the X API v2 (read access is available even on the free tier) and Tweepy, I pull tweets equivalent to my home timeline and numerically score structural features common in promotional content. The trick is to score on three axes — emoji density, URL count, and call-to-action verbs — rather than keyword matching. import re import tweepy cl
I used to spend ten hours every week doing content research manually. Checking competitor blogs. Scanning Reddit threads. Copying and pasting search results into a spreadsheet. Trying to spot patterns in an ocean of unstructured text. It was exhausting, slow, and completely unnecessary. Once I learned to automate this with Python and a few affordable APIs, I cut that ten-hour grind down to under thirty minutes. Here is the exact system I built, what it costs, and how you can replicate it yourself. The Quick Answer To automate content research with Python, combine a search API like Serper to pull structured Google search data, BeautifulSoup or requests-html to parse page content, and an LLM API like Gemini to synthesize insights into actionable content briefs. Connect these three components in a sequential Python pipeline and you have a fully automated research agent that runs in minutes instead of hours. What I Actually Built I needed a system that could do three things automatically: First, find what real people are asking about any topic across Reddit, Quora, and Google search. Second, identify what my top competitors have written about that topic and where the gaps are. Third, summarize everything into a clean content brief I can use to write or generate an article. I built this using Python with three core components: the Serper API for search data, BeautifulSoup for page parsing, and the Google Gemini API for synthesis. Total monthly cost: about twelve dollars. I document the full working version of this system — including the Flask web interface and WordPress publishing integration — at https://zerofilterdiary.com Step-by-Step Build Guide Step 1: Install the Required Libraries pip install requests beautifulsoup4 python-dotenv google-generativeai Step 2: Set Up Your API Keys Create a .env file in your project root: SERPER_API_KEY=your_serper_key_here GEMINI_API_KEY=your_gemini_key_here Step 3: Search for Real Discussions Using Serper API import requests import
We’ve all been there. You get a notification from your smartwatch saying your heart rate has been a bit funky, or your blood oxygen is dipping. Usually, we ignore it until it becomes a problem. But what if your personal AI was looking out for you? 🤖 In this tutorial, we are building an Autonomous Health Agent . This isn't just a notification bot; it's a proactive system that uses Playwright browser automation , OpenAI Function Calling , and Python to monitor your health trends and—if things look suspicious for three days straight—literally opens a browser and books a doctor's appointment for you. By leveraging Autonomous AI Agents and Playwright automation , we are moving from "Passive Monitoring" to "Active Intervention." This is the future of Health Tech Automation . 🏗 The Architecture Before we dive into the code, let's look at how the data flows from a "scary heart rate" to a "confirmed appointment." graph TD A[Wearable Data/Health Logs] --> B{3-Day Anomaly Check} B -- Normal --> C[Stay Healthy! 🟢] B -- Abnormal --> D[Trigger AI Agent 🤖] D --> E[OpenAI Function Calling] E --> F[Playwright Browser Automation] F --> G[Hospital Booking Platform] G --> H[Appointment Confirmation 🏥] H --> I[Notify User via SMS/Email] 🛠 Prerequisites To follow along, you’ll need: Python 3.10+ Playwright : The king of modern browser automation. OpenAI API Key : For the "brain" of our agent. A healthy dose of curiosity! 🥑 pip install playwright openai pydantic playwright install chromium 👨💻 Step 1: Defining the "Brain" (OpenAI Function Calling) We don't want the LLM to just "talk" about booking an appointment; we want it to actually execute the action. We'll use OpenAI's Function Calling to bridge the gap between text and code. import json from openai import OpenAI client = OpenAI () # Define the tool our agent can use tools = [ { " type " : " function " , " function " : { " name " : " book_doctor_appointment " , " description " : " Books a medical appointment based on department and s
CodeTrace-AI v1.0.1 — Stop Reading Code. Start Understanding It. Every developer has experienced this. You clone a repository, open it, and suddenly you're staring at thousands of files. You spend hours answering questions like: Where is this function called? Which files depend on this module? What happens if I modify this class? Is this code even used anymore? Traditional tools like grep , IDE search, or AI chat assistants can help you find code. They don't help you understand the architecture . That's why I built CodeTrace-AI . What is CodeTrace-AI? CodeTrace-AI is an AI-powered code intelligence tool that transforms your repository into a searchable structural knowledge graph. Instead of treating your project as plain text, it understands your codebase structurally by analyzing: 📂 Folder hierarchy 📄 Files 🏛 Classes ⚙ Functions 📦 Imports 🔗 Function calls 🌐 Cross-file dependencies Think of it as having an AI Software Architect that understands your entire repository. 🚀 What's New in v1.0.1 This release focuses on speed, privacy, and understanding large repositories. 🕸 Interactive Code Graph One of the biggest additions is the interactive repository graph. Instead of reading hundreds of files manually, you can visualize relationships between: Folders Files Classes Functions Imports Function calls Understanding a new project becomes dramatically easier. ⚡ SHA-256 Delta Sync Engine One feature I'm particularly proud of is the new Incremental Indexing Engine. Most code intelligence tools rebuild their entire index every time. CodeTrace-AI doesn't. It computes a SHA-256 fingerprint for every tracked file and detects: ✅ Modified files ➕ Newly added files ❌ Deleted files Only those files are: Re-parsed Re-embedded Re-added to the knowledge graph Everything else is skipped. This makes repeated indexing dramatically faster, especially for large repositories where only a few files change between runs. Under the hood The sync engine includes: SHA-256 fingerprinting Parallel f
A note before we start: this is about the machine, not the money. I'm not going to show you returns, positions, or a single "this strategy made X%." Partly because that's a regulatory minefield, and partly because the returns aren't the interesting part — the engineering is. If you came for a get-rich screenshot, this isn't that. If you came to see how one person ships production infrastructure with an AI, pull up a chair. The thing I built Over the last few months I built, with an AI coding agent as my pair-programmer, a fleet of ~35 automated trading bots. They run across five equity markets plus crypto. Each one is a long-running service. They share a single database, post to a live dashboard, fire alerts to my phone, and — the part that took the longest — they're built to survive restarts, reconcile against reality, and refuse to do anything stupid. I'm one person. I am not a team. The "team" is me plus an AI in a terminal, working the way you'd work with a very fast, very literal junior engineer who never gets tired and occasionally needs to be talked out of a bad idea. Here's how it's put together, and the handful of lessons that cost me the most to learn. The architecture, in one breath One Postgres database is the brain — every trade, signal, and piece of state lives there. Around it sit ~35 containerized bots, each isolated (its own tables, its own config, its own identity), orchestrated with Docker Compose. A Streamlit dashboard reads the database and renders the whole fleet — open positions, P&L curves, health. A notification layer pushes Telegram alerts on every meaningful event. Schema changes go through migrations so a new bot is never born with a stale database shape. Each bot is the same skeleton wearing a different hat: a signal module (the strategy logic), a trader that turns signals into orders, a storage layer that persists everything, a runner loop on a schedule. Strategies are swappable. The infra underneath them is identical. That sameness is
Hey DevHunt community! 👋 I'm incredibly excited to launch Scankii! As developers, we are building more and more AI Agents using frameworks like LangChain, OpenHands, and AutoGen. The standard paradigm is giving these agents "skills" or "tools" — which are basically just Python functions combined with Natural Language instructions (prompts or docstrings). But here is the problem: Standard secret scanners (like GitLeaks or TruffleHog) are blind to AI-specific vulnerabilities. They only scan source code for hardcoded secrets. But what if your Python code securely loads an API key, and your English instructions accidentally trick the agent into printing that key to stdout? The agent framework captures that output, injects it into the LLM context window, and your secret is suddenly exposed. We call this Cross-Modal Leakage. Enter Scankii. 🛡️ Scankii solves this by analyzing the intersection of your Natural Language and your code. It uses a dual-engine pipeline (NL Semantic Analyzer + AST Syntax Analyzer) to track variable flows between your prompts and your code sinks. ✨ Core Features: Dual-Engine Scanning: Correlates English instructions with Python ASTs. Local-First & Fast: Your proprietary agent tools and code never leave your machine. CI/CD Ready: Outputs standard SARIF reports. Drop it into GitHub Actions or use it as a pre-commit hook. Framework Agnostic: Works with LangChain, AutoGen, CrewAI, MCP, or any custom python agent framework. I built Scankii to give developers peace of mind when scaling their agent toolchains. Security shouldn't be an afterthought when building autonomous systems. I would love for you to try it out on your agent repos, star the project, and leave any feedback or questions below! I'll be here all day answering them. 👇 GitHub Repository: https://github.com/ashp15205/scankii Installation: pip install scankii