Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
103 of your 170 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.51s · analysis 8.32s · 20.3 MB · GitHub API rate-limit (preflight)

Luce-Org/lucebox-hub

https://github.com/Luce-Org/lucebox-hub · scanned 2026-06-05 17:25 UTC (4 days, 21 hours ago) · 10 languages

278 raw signals (154 security + 124 graph) 55th percentile · Cpp · medium (20-100K LoC) System graph score 82 (lower by 16)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 21 hours ago · v2 · 108 actionable findings from 2 signal sources. 108 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
73.1
/100
Security checks
64
59 findings
System graph
82
88.9% cov · 49 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 66.9 0.25 16.73
testing_score 62.0 0.20 12.40
documentation_score 100.0 0.15 15.00
practices_score 67.0 0.15 10.05
code_quality 27.0 0.10 2.70
Overall 1.00 65.9
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 7 Medium 13 Low 39 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 59 System graph 49 Crowd 0 Layer: Software 32 Security 7 Quality 63 Cicd 4 Api 1 Frontend 1
Scan summary Quality grade B- (66/100). Dimensions: security 67, maintainability 60. 154 findings (14 security). 76,438 lines analyzed.

Showing 60 of 108 actionable findings. 216 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
server/scripts/laguna_pflash_niah.py:39
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/ci.yml:29 CI/CD securityworkflow secretsGitHub Actions
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
server/scripts/run.py:225
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
server/scripts/quantize_draft_q8.py:186
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
server/scripts/convert_dflash_to_gguf.py:209
low Security checks security Injection conf 1.00 3 occurrences [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
3 files, 3 locations
harness/clients/run_claude_llamacpp_matrix.sh:77
harness/clients/summarize_backend_pair.py:231
optimizations/megakernel/setup.py:32
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.reset` used but never assigned in __init__
Method `generate` of class `Decoder` reads `self.reset`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
3 files, 25 locations
optimizations/megakernel/model_nvfp4.py:677, 684, 686, 691, 692, 701, 777, 815, +7 more (15 hits)
optimizations/pflash/pflash/dflash_client.py:206, 220, 226, 227, 228, 229, 230 (7 hits)
optimizations/megakernel/model.py:306, 309, 314 (3 hits)
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `astral-sh/setup-uv` pinned to mutable ref `@v3` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 14, 30, 41
.github/workflows/ci.yml:14, 30, 41 (3 hits)
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 13, 26
.github/workflows/ci.yml:13, 26 (2 hits)
CI/CD securitySupply chainGitHub Actions
high System graph security security conf 1.00 Insecure pattern 'eval_used' in optimizations/megakernel/final_bench.py:118
Found a known-risky pattern (eval_used). Review and replace if possible.
optimizations/megakernel/final_bench.py:118 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in optimizations/megakernel/final_bench_nvfp4.py:249
Found a known-risky pattern (eval_used). Review and replace if possible.
optimizations/megakernel/final_bench_nvfp4.py:249 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in server/scripts/parity_laguna.py:111
Found a known-risky pattern (eval_used). Review and replace if possible.
server/scripts/parity_laguna.py:111 Eval used
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
server/scripts/quality_ab_simple.py:92
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
optimizations/pflash/pflash/dflash_client.py:280
medium Security checks security Crypto conf 1.00 3 occurrences [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
3 files, 3 locations
server/src/common/backend_factory.h:50
server/src/qwen35/qwen35_backend.h:61
server/src/qwen35/qwen35_daemon.h:31
medium Security checks cicd CI/CD security conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
harness/clients/run_hermes.sh:74 CI/CD securityagent runtimepermissions
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
uv.lock
low Security checks quality Error handling conf 0.55 ✓ Repobility 24 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 23 locations
server/scripts/bench_server.py:140, 168, 246, 343, 434 (5 hits)
harness/client_test_runner.py:954, 1591, 1751 (3 hits)
server/scripts/bench_agent.py:302, 376, 395 (3 hits)
server/scripts/quality_humaneval_plus.py:110, 198, 261 (3 hits)
server/scripts/quality_ab_simple.py:143, 154 (2 hits)
optimizations/megakernel/final_bench_nvfp4.py:351
optimizations/pflash/pflash/dflash_client.py:50
server/scripts/bench_agent_loop.py:115
Error handlingquality
medium Security checks quality Quality conf 0.78 Suspicious implementation file appears unreferenced
A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path.
server/src/cuda_cross_device_copy.cpp:1
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — harness/client_test_runner.py:323
`urllib.request.urlretrieve(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — optimizations/megakernel/bench_pp_tg_nvfp4.py:350
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — optimizations/megakernel/build_corpus.py:145
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — server/scripts/phase_split_dual_gpu.py:424
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — server/scripts/quality_humaneval_plus.py:128
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — server/scripts/run.py:203
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 17 locations
optimizations/megakernel/diag_phase2_metrics.py:24, 43 (2 hits)
optimizations/megakernel/diag_prefill_kernels.py:11, 19 (2 hits)
server/scripts/quantize_gemma_dflash_q8.py:26, 100 (2 hits)
server/src/qwen35/gguf_target_loader.cpp:21, 96 (2 hits)
server/src/qwen35/qwen35_backend.h:31, 36 (2 hits)
optimizations/megakernel/final_bench.py:5
optimizations/megakernel/final_bench_nvfp4.py:12
optimizations/megakernel/model_nvfp4.py:25
duplicationquality
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
server/src/cuda_cross_device_copy.cpp:1
low System graph software Dead code candidate conf 1.00 File has no detected symbols: optimizations/megakernel/_phase2_variant.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: optimizations/megakernel/bench.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: optimizations/pflash/pflash/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: server/scripts/bench_he_http.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 8 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: optimizations/megakernel/model.py:generate, optimizations/megakernel/model_nvfp4.py:generate This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separa…
8 occurrences
repo-level (8 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 5 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: optimizations/megakernel/diag_phase2_metrics.py:prefill, optimizations/megakernel/bench_pp_tg.py:prefill, optimizations/megakernel/diag_prefill_kernels.py:prefill This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see http…
5 occurrences
repo-level (5 hits)
duplicatesduplication
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_compare
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/benchmarks/generation_benchmark.py:389
low System graph software Dead code conf 1.00 Possibly dead Python function: cmd_run
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/benchmarks/generation_benchmark.py:329
low System graph software Dead code conf 1.00 Possibly dead Python function: detok_drafter
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/laguna_pflash_niah.py:93
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/llamacpp_compat_proxy.py:405
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/session_inject_proxy.py:93
low System graph software Dead code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/llamacpp_compat_proxy.py:416
low System graph software Dead code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/session_inject_proxy.py:100
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/llamacpp_compat_proxy.py:380
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/session_inject_proxy.py:33
low System graph software Dead code conf 1.00 Possibly dead Python function: loop
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/phase_split_dual_gpu.py:211
low System graph software Dead code conf 1.00 Possibly dead Python function: max_safe_decode_blocks
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
optimizations/megakernel/model.py:52
low System graph software Dead code conf 1.00 Possibly dead Python function: park_target
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
optimizations/pflash/pflash/dflash_client.py:229
low System graph software Dead code conf 1.00 Possibly dead Python function: reader
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/phase_split_dual_gpu.py:89
low System graph software Dead code conf 1.00 Possibly dead Python function: replace_reminder
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
harness/clients/llamacpp_compat_proxy.py:64
low System graph software Dead code conf 1.00 Possibly dead Python function: run_bench_niah
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/phase_split_dual_gpu.py:761
low System graph software Dead code conf 1.00 Possibly dead Python function: run_prompt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/phase_split_dual_gpu.py:754
low System graph software Dead code conf 1.00 Possibly dead Python function: set_decode_blocks
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
optimizations/megakernel/model.py:58
low System graph software Dead code conf 1.00 3 occurrences Possibly dead Python function: sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
server/scripts/convert_dflash_to_gguf.py:198
server/scripts/quantize_draft_q8.py:171
server/scripts/quantize_gemma_dflash_q8.py:160
low System graph software Dead code conf 1.00 Possibly dead Python function: tokenize_for_drafter
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/laguna_pflash_niah.py:90
low System graph software Dead code conf 1.00 Possibly dead Python function: workload_agent
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/bench_server.py:308
low System graph software Dead code conf 1.00 Possibly dead Python function: workload_gsm8k
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/bench_server.py:159
low System graph software Dead code conf 1.00 Possibly dead Python function: workload_he
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/bench_server.py:129
low System graph software Dead code conf 1.00 Possibly dead Python function: workload_math500
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
server/scripts/bench_server.py:229
low System graph quality Complexity conf 1.00 Very large file: harness/client_test_runner.py (1994 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/tests/test_server_comprehensive.py (1168 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/0838809c-6f38-40bb-bb3c-2b50c78949a2/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/0838809c-6f38-40bb-bb3c-2b50c78949a2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.