Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
95 of your 167 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 19.61s · analysis 3.31s · 25.2 MB · GitHub API rate-limit (preflight)

NanmiCoder/MediaCrawler

https://github.com/NanmiCoder/MediaCrawler · scanned 2026-06-05 11:42 UTC (5 days, 10 hours ago) · 10 languages

365 raw signals (159 security + 206 graph) 11/13 scanners ran 74th percentile · Python · medium (20-100K LoC) System graph score 60 (higher by 17)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 10 hours ago · v2 · 139 actionable findings from 2 signal sources. 123 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
72.1
/100
Security checks
84
57 findings
System graph
60
100.0% cov · 82 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 100.0 0.25 25.00
testing_score 63.0 0.20 12.60
documentation_score 72.0 0.15 10.80
practices_score 71.0 0.15 10.65
code_quality 71.0 0.10 7.10
Overall 1.00 77.4
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 27 Medium 8 Low 76 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 57 System graph 82 Crowd 0 Layer: Software 37 Quality 60 Security 15 Cicd 2 Frontend 2 Api 23
Scan summary Quality grade B+ (77/100). Dimensions: security 100, maintainability 75. 159 findings (18 security). 27,243 lines analyzed.

Showing 112 of 139 actionable findings. 262 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
3 files, 3 locations
database/mongodb_store_base.py:67
proxy/proxy_ip_pool.py:83
proxy/proxy_mixin.py:72
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 / for context.
cache/redis_cache.py:65
high Security checks quality Quality conf 1.00 ✓ Repobility 5 occurrences [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
Add `import stat` at the top of the file.
4 files, 5 locations
api/routers/data.py:54, 80 (2 hits)
api/routers/websocket.py:68
cmd_arg/arg.py:349
store/xhs/__init__.py:225
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
cache/redis_cache.py:65
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_creator_info: Test function `test_extract_creator_info` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:881
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_note_detail: Test function `test_extract_note_detail` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:843
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_search_note_list: Test function `test_extract_search_note_list` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:835
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_tieba_note_list: Test function `test_extract_tieba_note_list` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:872
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_tieba_note_parment_comments: Test function `test_extract_tieba_note_parment_comments` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:851
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_extract_tieba_note_sub_comments: Test function `test_extract_tieba_note_sub_comments` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
media_platform/tieba/help.py:859
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED108] `self._apply_header_style` used but never assigned in __init__: Method `_write_headers` of class `ExcelStoreBase` reads `self._apply_header_style`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._apply_header_style = <default>` in __init__, or add a class-level default.
2 files, 25 locations
store/excel_store_base.py:204, 249, 253, 271, 275, 291, 295, 315, +8 more (16 hits)
tools/cdp_browser.py:110, 113, 119, 122, 125, 128, 137, 188, +1 more (9 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `get_comments`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
media_platform/kuaishou/core.py:298
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST / has no auth: Handler `receive_sms_notification` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
recv_sms.py:56
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /start has no auth: Handler `start_crawler` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
api/routers/crawler.py:28
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /stop has no auth: Handler `stop_crawler` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
api/routers/crawler.py:41
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED130] Lockfile pulls package from off-canonical host `registry.npmmirror.com`: `package-lock.json` resolved URL for `node_modules/@algolia/autocomplete-core` is `https://registry.npmmirror.com/@algolia/autocomplete-core/-/autocomplete-core-1....` — host `registry.npmmirror.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry.
Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry.
package-lock.json:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.5.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:27
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 10 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
lines 32, 38, 43, 49, 64
.github/workflows/deploy.yml:32, 38, 43, 49, 64 (10 hits)
CI/CD securitySupply chainGitHub Actions
high System graph quality Integrity conf 1.00 Blocking `time.sleep(...)` inside `async def get_comments` — media_platform/kuaishou/core.py:298
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
media_platform/kuaishou/core.py:298 Sync io in asyncPerformance
high System graph security auth conf 1.00 FastAPI POST `receive_sms_notification` without auth dependency — recv_sms.py:55
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
recv_sms.py:55 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `start_crawler` without auth dependency — api/routers/crawler.py:27
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/crawler.py:27 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `stop_crawler` without auth dependency — api/routers/crawler.py:40
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/crawler.py:40 securityAuth fastapi unauth mutation
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 13.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /logs.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
api/routers/crawler.py:59
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /status.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
api/routers/crawler.py:53
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /start.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
api/routers/crawler.py:27
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /stop.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
api/routers/crawler.py:40
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler.
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
api/routers/data.py:48
api/routers/websocket.py:150
main.py:154
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `opencv-python` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `opencv-python` with `opencv-python==<version>` and manage upgrades through PRs / Dependabot.
requirements.txt:6
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
cache/redis_cache.py:65
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
config/base_config.py:141
high Security checks quality Quality conf 0.72 3 occurrences Agent control bridge may listen on a network interface without visible auth
Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model.
3 files, 3 locations
api/main.py:21
media_platform/tieba/test_data/note_comments.html:76
media_platform/tieba/test_data/note_detail.html:76
low Security checks quality Error handling conf 0.55 ✓ Repobility 21 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 19 locations
main.py:82, 96, 125, 133 (4 hits)
media_platform/douyin/help.py:181, 196 (2 hits)
media_platform/kuaishou/help.py:91, 106 (2 hits)
media_platform/tieba/help.py:299, 829 (2 hits)
tools/browser_launcher.py:233, 238 (2 hits)
api/main.py:137
api/routers/websocket.py:130
media_platform/douyin/login.py:102
Error handlingquality
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
api/webui/assets/index-DvClRayq.js:239
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
api/webui/assets/index-DvClRayq.js:234
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — api/webui/assets/index-DvClRayq.js:33
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — api/webui/assets/index-DvClRayq.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/deploy.yml CI/CD securitySupply chainGithub actions
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior.
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 24 locations
media_platform/xhs/core.py:76, 329, 342 (3 hits)
media_platform/zhihu/core.py:91, 327, 347 (3 hits)
store/tieba/_store_impl.py:17, 176, 191 (3 hits)
store/weibo/_store_impl.py:16, 199, 214 (3 hits)
media_platform/tieba/core.py:479, 499 (2 hits)
media_platform/xhs/login.py:13, 14 (2 hits)
media_platform/zhihu/login.py:12, 13 (2 hits)
store/kuaishou/_store_impl.py:133, 163 (2 hits)
duplicationquality
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/base_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/bilibili_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/db_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/dy_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/ks_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/tieba_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/weibo_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/xhs_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/zhihu_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: constant/baidu_tieba.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: constant/zhihu.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: media_platform/kuaishou/field.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: model/m_weibo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: var.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
16 tests / 147 src (ratio 0.11).
low System graph quality Integrity conf 1.00 13 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: media_platform/zhihu/client.py:get_all_articles_by_creator, media_platform/zhihu/client.py:get_all_videos_by_creator This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or doc…
13 occurrences
repo-level (13 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:get_creators_and_notes, media_platform/zhihu/core.py:get_creators_and_notes, media_platform/tieba/core.py:get_creators_and_notes This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://j…
4 occurrences
repo-level (4 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:start, media_platform/bilibili/core.py:start, media_platform/douyin/core.py:start, media_platform/xhs/core.py:start This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-…
duplicatesduplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:launch_browser, media_platform/zhihu/core.py:launch_browser, media_platform/bilibili/core.py:launch_browser, media_platform/douyin/core.py:launch_browser This is *the* AI-coder failure mode (4× more duplication in vibe-co…
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_custom_hash_v2` in media_platform/xhs/playwright_sign.py:60
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `request_rest_v2` in media_platform/kuaishou/client.py:92
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: async_cleanup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
main.py:119
low System graph software Dead code conf 1.00 Possibly dead Python function: b64_encode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/xhs_sign.py:128
low System graph software Dead code conf 1.00 Possibly dead Python function: base36decode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/help.py:274
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_in_quad
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:32
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_out_quad
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:36
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_out_quart
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:40
low System graph software Dead code conf 1.00 Possibly dead Python function: encode_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/xhs_sign.py:113
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_notes_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/core.py:228
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_video_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/douyin/core.py:296
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_video_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/kuaishou/core.py:428
low System graph software Dead code conf 1.00 Possibly dead Python function: new_jisu_http_proxy
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
proxy/providers/jishu_http_proxy.py:99
low System graph software Dead code conf 1.00 Possibly dead Python function: save_notes_with_full_text
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/weibo/core.py:320
low System graph software Dead code conf 1.00 Possibly dead Python function: sync_cleanup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/cdp_browser.py:54
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_note_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:843
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_search_note_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:835
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:872
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_parment_comments
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:851
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_sub_comments
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:859
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — api/webui/assets/index-DvClRayq.js:291
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `begin` (body is just `pass`/`return`) — base/base_crawler.py:70
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/bilibili/login.py:116
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/kuaishou/login.py:111
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/weibo/login.py:121
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `store_creator` (body is just `pass`/`return`) — store/kuaishou/_store_impl.py:87
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `store_creator` (body is just `pass`/`return`) — store/xhs/_store_impl.py:64
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`recv_sms.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/config/options
`api/main.py` declares `GET /api/config/options` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/config/platforms
`api/main.py` declares `GET /api/config/platforms` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/env/check
`api/main.py` declares `GET /api/env/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/health
`api/main.py` declares `GET /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /config/options
`api/webui/assets/index-DvClRayq.js` declares `GET /config/options` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /config/platforms
`api/webui/assets/index-DvClRayq.js` declares `GET /config/platforms` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /crawler/logs
`api/webui/assets/index-DvClRayq.js` declares `GET /crawler/logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /crawler/status
`api/webui/assets/index-DvClRayq.js` declares `GET /crawler/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/files
`api/webui/assets/index-DvClRayq.js` declares `GET /data/files` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/files/
`api/webui/assets/index-DvClRayq.js` declares `GET /data/files/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/stats
`api/webui/assets/index-DvClRayq.js` declares `GET /data/stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /download/{file_path:path}
`api/routers/data.py` declares `GET /download/{file_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /env/check
`api/webui/assets/index-DvClRayq.js` declares `GET /env/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /files
`api/routers/data.py` declares `GET /files` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /files/{file_path:path}
`api/routers/data.py` declares `GET /files/{file_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /logs
`api/routers/crawler.py` declares `GET /logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /stats
`api/routers/data.py` declares `GET /stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /
`recv_sms.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /crawler/start
`api/webui/assets/index-DvClRayq.js` declares `POST /crawler/start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /crawler/stop
`api/webui/assets/index-DvClRayq.js` declares `POST /crawler/stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /start
`api/routers/crawler.py` declares `POST /start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /stop
`api/routers/crawler.py` declares `POST /stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/0d236f0c-360d-4752-8c2f-e650610910e6/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/0d236f0c-360d-4752-8c2f-e650610910e6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.