114 of your 186 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub was slow: 55.9s for a 126.4 MB repo.
  • Repobility's analysis ran in 8.43s after the clone landed.

unilabsim/UniLab

https://github.com/unilabsim/UniLab · scanned 2026-06-05 14:33 UTC (5 days, 3 hours ago) · 10 languages

423 raw signals (173 security + 250 graph) · 11/13 scanners ran · 97th percentile · Python · large (100-500K LoC) · System graph score 79 (higher by 12)


Complete repo analysis

Last scanned 5 days, 3 hours ago · v2 · 162 actionable findings from 2 signal sources. 111 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 100.0 0.15 15.00
practices_score 90.0 0.15 13.50
code_quality 45.0 0.10 4.50
Overall 1.00 90.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Quality grade A (91/100). Dimensions: security 100, maintainability 85. 173 findings (28 security). 106,154 lines analyzed.

Showing 114 of 162 actionable findings. 273 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 / for context.
src/unilab/algos/mlx/ppo/runner.py:161
high Security checks quality Quality conf 1.00 ✓ Repobility 4 occurrences [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
Add `import stat` at the top of the file.
4 files, 4 locations
benchmark/benchmark_replay_buffer_placement.py:744
src/unilab/algos/torch/appo/runner.py:439
src/unilab/envs/motion_tracking/g1/motion_loader.py:84
tests/scripts/doc_checks.py:447
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
src/unilab/algos/mlx/ppo/runner.py:161
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
src/unilab/tools/render_teaser.py:77
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `nvidia/cuda:12.8.0-cudnn-runtime-ubuntu22.04` not pinned by digest: `FROM nvidia/cuda:12.8.0-cudnn-runtime-ubuntu22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM nvidia/cuda:12.8.0-cudnn-runtime-ubuntu22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:2
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.14.14`. If the `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
lines 2, 8, 14
.pre-commit-config.yaml:2, 8, 14 (3 hits)
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
src/unilab/utils/support_matrix.py:177
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
benchmark/core/device_info.py:42
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
Dockerfile:30 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 9 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit …
2 files, 9 locations
.github/workflows/ci.yml:30, 46, 62, 78, 97 (5 hits)
.github/workflows/docs.yml:49, 64 (4 hits)
CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 12 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v8.0.0`: `uses: astral-sh/setup-uv@v8.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char com…
2 files, 12 locations
.github/workflows/ci.yml:35, 51, 67, 83, 102 (10 hits)
.github/workflows/docs.yml:52 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high System graph hardware Supply chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
Dockerfile:29 · containers · Remote installer
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_ane_inference.py:96
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_ane_inference.py:96 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_ane_peak.py:77
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_ane_peak.py:77 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_backends.py:174
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_backends.py:174 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_conversions.py:142
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_conversions.py:142 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_ipc_weight_sync.py:177
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_ipc_weight_sync.py:177 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_mlp_inference.py:362
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_mlp_inference.py:362 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_mlx_compile.py:83
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_mlx_compile.py:83 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmark/benchmark_postprocess.py:211
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmark/benchmark_postprocess.py:211 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/train_appo.py:231
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/train_appo.py:231 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/train_hora_distill.py:272
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/train_hora_distill.py:272 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/train_mlx_ppo.py:267
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/train_mlx_ppo.py:267 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in scripts/train_offpolicy.py:428
Found a known-risky pattern (eval_used). Review and replace if possible.
scripts/train_offpolicy.py:428 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/mlx/common/normalization.py:38
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/mlx/common/normalization.py:38 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/mlx/ppo/ppo.py:80
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/mlx/ppo/ppo.py:80 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/mlx/ppo/runner.py:138
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/mlx/ppo/runner.py:138 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/appo/learner.py:177
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/appo/learner.py:177 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/appo/runner.py:41
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/appo/runner.py:41 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/appo/worker.py:162
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/appo/worker.py:162 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/common/ane_actor.py:33
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/common/ane_actor.py:33 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/common/ane_inference.py:28
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/common/ane_inference.py:28 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/flash_sac/learner.py:207
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/flash_sac/learner.py:207 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/him_ppo/algorithm.py:79
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/him_ppo/algorithm.py:79 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/him_ppo/runner.py:211
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/him_ppo/runner.py:211 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/hora/appo.py:179
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/hora/appo.py:179 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/hora/appo_worker.py:170
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/hora/appo_worker.py:170 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/hora/distill.py:356
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/hora/distill.py:356 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/algos/torch/offpolicy/worker.py:345
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/algos/torch/offpolicy/worker.py:345 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/unilab/visualization/interactive_playback.py:558
Found a known-risky pattern (eval_used). Review and replace if possible.
src/unilab/visualization/interactive_playback.py:558 Eval used
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
benchmark/benchmark_fast_sac_backends.py:106
benchmark/core/device_info.py:108
benchmark/core/mem_profile.py:32
medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
src/unilab/algos/torch/common/ane_actor.py:13
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
src/unilab/algos/mlx/ppo/runner.py:161
low Security checks quality Quality conf 1.00 3 occurrences [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
3 files, 3 locations
benchmark/core/backends.py:46
benchmark/core/mem_profile.py:70
scripts/visualize_task_env.py:55
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 25 locations
benchmark/benchmark_mlp_inference.py:54, 90, 97, 103, 107, 112, 120, 751, +3 more (11 hits)
benchmark/benchmark_backends.py:38, 43, 48, 211 (4 hits)
benchmark/benchmark_mujoco_vs_motrix.py:55, 108, 156, 169 (4 hits)
benchmark/benchmark_physics_step_mujoco_warp.py:165, 256 (2 hits)
benchmark/benchmark_conversions.py:53
benchmark/benchmark_env_step.py:1552
benchmark/benchmark_mujoco_rollout_model_sharing.py:41
benchmark/benchmark_physics_step_motrixsim.py:51
Error handling · quality
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
Dockerfile:2 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
Tighten .dockerignore or replace COPY . with explicit COPY statements.
Dockerfile:34 · CI/CD security · containers
high Security checks software dependencies conf 0.70 8 occurrences Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
8 files, 8 locations
README.md:84
README_zh.md:84
docs/sphinx/source/en/0-index.md:67
docs/sphinx/source/en/1-getting_started/1-quick_demo.md:10
docs/sphinx/source/en/1-getting_started/2-installation.md:16
docs/sphinx/source/zh_CN/0-index.md:66
docs/sphinx/source/zh_CN/1-getting_started/1-quick_demo.md:10
docs/sphinx/source/zh_CN/1-getting_started/2-installation.md:15
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — benchmark/benchmark_env_step.py:1496
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — benchmark/benchmark_mjmodel_memory.py:140
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — benchmark/benchmark_mujoco_rollout_model_sharing.py:389
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/unilab/cli.py:287
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/unilab/demo.py:201
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/unilab/tools/import_robot.py:63
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore · CI/CD security · containers
low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
src/unilab/algos/torch/common/ane_actor.py:51
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 17 locations
src/unilab/envs/locomotion/go2/joystick.py:22, 82, 168 (3 hits)
src/unilab/algos/torch/offpolicy/runner.py:164, 541 (2 hits)
src/unilab/base/np_env.py:298, 301 (2 hits)
src/unilab/envs/locomotion/go2/handstand.py:166, 236 (2 hits)
scripts/deploy/export_motion_bin.py:33
scripts/deploy/prepend_warmup.py:65
scripts/motion/csv_to_npz.py:26
scripts/motion/replay_bones_seed_csv.py:58
duplication · quality
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
src/unilab/ipc/replay_pipelines/transfer/torch_copy.py:1
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nvidia/cuda:12.8.0-cudnn-runtime-ubuntu22.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 · containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: benchmark/smoke_test.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: benchmark/benchmark_mlp_inference.py:fwd, benchmark/benchmark_mlp_inference.py:fwd, benchmark/benchmark_mlp_inference.py:fwd, benchmark/benchmark_mlp_inference.py:fwd This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see …
duplicates · duplication
low System graph quality Integrity conf 1.00 16 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/train_mlx_ppo.py:flush, src/unilab/algos/mlx/ppo/runner.py:flush This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
16 occurrences
repo-level (16 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmark/benchmark_mlp_inference.py:run_coreml, benchmark/benchmark_mlp_inference.py:run_ane, benchmark/benchmark_ane_inference.py:run_ane This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygie…
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: benchmark/benchmark_gpu_buffer.py:sync_device, benchmark/benchmark_ipc_buffer_layout.py:sync_device, benchmark/benchmark_ipc_buffer_layout.py:s, benchmark/benchmark_ipc_weight_sync.py:sync_device This is *the* AI-coder failure mode (4× more duplicati…
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 9 places
Functions with the same first-5-line body hash: benchmark/benchmark_mlp_inference.py:run_numpy, benchmark/benchmark_mlp_inference.py:run_numba, benchmark/benchmark_mlp_inference.py:run_jax, benchmark/benchmark_mlp_inference.py:run_torch_cpu This is *the* AI-coder failure mode (4× more duplication …
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_50_legacy` in tests/training/test_resume_logger_state.py:116
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `obs_copy` in benchmark/benchmark_sample_overhead.py:38
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `state_copy` in benchmark/benchmark_mujoco_backend_step_detail.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_add_patches_terminal_next_obs_without_prebuilding_full_transition_copy` in tests/ipc/test_replay_buffer.py:146
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `torch_copy` in benchmark/benchmark_replay_buffer_placement.py:223
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `torch_copy` in src/unilab/ipc/replay_pipelines/transfer/factory.py:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `torch_copy` in src/unilab/ipc/replay_pipelines/transfer/torch_copy.py:16
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `torch_copy` in tests/ipc/test_replay_pipeline_double_buffer.py:179
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: build_obs_from_layout
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/deploy/sim_prototype.py:79
low System graph software Dead code conf 1.00 Possibly dead Python function: compiled
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_mlx_compile.py:201
low System graph software Dead code conf 1.00 Possibly dead Python function: copy_increment
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_replay_buffer_placement.py:553
low System graph software Dead code conf 1.00 Possibly dead Python function: copy_sampled_batch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_replay_buffer_placement.py:618
low System graph software Dead code conf 1.00 Possibly dead Python function: disabled_build_init_randomization_plan
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_sharpa_init_dr_construct.py:150
low System graph software Dead code conf 1.00 Possibly dead Python function: ensure_available
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/ipc/replay_pipelines/native_h2d.py:122
low System graph software Dead code conf 1.00 Possibly dead Python function: eval_main
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/cli.py:294
low System graph software Dead code conf 1.00 Possibly dead Python function: ew
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_backends.py:176
low System graph software Dead code conf 1.00 Possibly dead Python function: init_play_renderer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/base/np_env.py:299
low System graph software Dead code conf 1.00 Possibly dead Python function: loop_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_sim.py:292
low System graph software Dead code conf 1.00 Possibly dead Python function: memory_snapshot
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/core/mem_profile.py:81
low System graph software Dead code conf 1.00 Possibly dead Python function: mm
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_backends.py:172
low System graph software Dead code conf 1.00 Possibly dead Python function: plain
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_mlx_compile.py:195
low System graph software Dead code conf 1.00 Possibly dead Python function: play_appo
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/train_appo.py:145
low System graph software Dead code conf 1.00 Possibly dead Python function: reraise
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/ipc/collector_error.py:34
low System graph software Dead code conf 1.00 Possibly dead Python function: run_rollout_benchmark
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_mujoco_rollout_model_sharing.py:208
low System graph software Dead code conf 1.00 Possibly dead Python function: sample_cpu
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_replay_buffer_placement.py:483
low System graph software Dead code conf 1.00 Possibly dead Python function: sample_gpu
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_replay_buffer_placement.py:511
low System graph software Dead code conf 1.00 Possibly dead Python function: sample_into_cpu_batch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_replay_buffer_placement.py:601
low System graph software Dead code conf 1.00 Possibly dead Python function: setup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docs/sphinx/source/conf.py:508
low System graph software Dead code conf 1.00 Possibly dead Python function: step_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_sim.py:283
low System graph software Dead code conf 1.00 Possibly dead Python function: synthetic_load_grasp_cache
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmark/benchmark_sharpa_init_dr_construct.py:172
low System graph software Dead code conf 1.00 Possibly dead Python function: wait_ready
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/ipc/replay_pipelines/base.py:31
low System graph software Dead code conf 1.00 Possibly dead Python function: wait_ready
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/unilab/ipc/replay_pipelines/cpu_pinned_double_buffer.py:379
low System graph quality Integrity conf 1.00 Stub function `_init_task_domain_randomization` (body is just `pass`/`return`) — src/unilab/envs/locomotion/go2/footstand.py:260
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — src/unilab/ipc/replay_pipelines/transfer/xpu.py:95
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `get_hidden_state` (body is just `pass`/`return`) — src/unilab/algos/torch/hora/models.py:443
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `get_joint_range` (body is just `pass`/`return`) — src/unilab/base/backend/motrix/backend.py:492
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `validate` (body is just `pass`/`return`) — src/unilab/dr/provider.py:18
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `wait_ready` (body is just `pass`/`return`) — src/unilab/ipc/replay_pipelines/cpu_pinned_double_buffer.py:379
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Complexity conf 1.00 Very large file: benchmark/benchmark_env_step.py (1616 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: scripts/play_interactive.py (1384 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/unilab/base/backend/motrix/backend.py (1411 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/unilab/base/backend/mujoco/backend.py (1341 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/unilab/envs/manipulation/sharpa_inhand/rotation.py (1551 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/unilab/envs/motion_tracking/g1/tracking.py (1423 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/envs/test_env_configs.py (1981 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/scripts/test_train_scripts.py (2893 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/06d21e0a-afaf-4f7f-aeb3-566a8e10033f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/06d21e0a-afaf-4f7f-aeb3-566a8e10033f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.