fix(unitree_g1): silence bandit findings in SONIC example/pipeline

examples/unitree_g1/pkl_to_npz.py

@@ -43,14 +43,14 @@ def load_pkl(path: str) -> dict:
     except Exception:
         # joblib clips are zlib-compressed pickles; fall back to manual inflate.
         import contextlib
-        import pickle
+        import pickle  # nosec B403 - loads trusted local SMPL clips authored by the user
         import zlib
 
         with open(path, "rb") as f:
             raw = f.read()
         with contextlib.suppress(zlib.error):
             raw = zlib.decompress(raw)
-        return pickle.loads(raw)
+        return pickle.loads(raw)  # nosec B301 - local, user-provided motion files only
 
 
 def main():

examples/unitree_g1/sonic.py

@@ -28,7 +28,9 @@ import argparse
 import contextlib
 import faulthandler
 import gc
+import os
 import sys
+import tempfile
 import time
 
 import numpy as np
@@ -164,7 +166,7 @@ def main():
             did_blend = False
             t_start = time.time()
 
-            log_path = "/tmp/sonic_pose_log.csv"
+            log_path = os.path.join(tempfile.gettempdir(), "sonic_pose_log.csv")
             jnames = [m.name for m in G1_29_JointIndex]
             log_ctx = open(log_path, "w") if args.log_csv else None  # noqa: SIM115
             if log_ctx:

src/lerobot/robots/unitree_g1/controllers/sonic_pipeline.py

@@ -766,7 +766,7 @@ def _planner_worker(path, req_q, res_q, stop_evt, version, seed, use_gpu):
     while not stop_evt.is_set():
         try:
             ctx, gf, ms_dict = req_q.get(timeout=0.05)
-        except Exception:
+        except queue.Empty:  # nosec B112 - idle poll, nothing queued this tick
             continue
         try:
             inp = _build_planner_inputs(ctx, ms_dict, version, seed)