
Scan timing: clone 19.61s · analysis 3.31s · 25.2 MB · GitHub API rate-limit (preflight)

NanmiCoder/MediaCrawler

https://github.com/NanmiCoder/MediaCrawler · scanned 2026-06-05 11:42 UTC (1 week, 2 days ago) · 10 languages

365 raw signals (159 security + 206 graph) · 11/13 scanners ran · 75th percentile · Python · medium (20-100K LoC) · System graph score 60 (higher by 17)


Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 139 actionable findings from 2 signal sources. 123 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 75.0 | 0.15 | 11.25 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 63.0 | 0.20 | 12.60 |
| documentation_score | 72.0 | 0.15 | 10.80 |
| practices_score | 71.0 | 0.15 | 10.65 |
| code_quality | 71.0 | 0.10 | 7.10 |
| Overall | | 1.00 | 77.4 |
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Quality grade B+ (77/100). Dimensions: security 100, maintainability 75. 159 findings (18 security). 27,243 lines analyzed.

Showing 76 of 139 actionable findings. 262 raw detector signals were grouped into reader-sized issues.

high System graph quality Integrity conf 1.00 Blocking `time.sleep(...)` inside `async def get_comments` — media_platform/kuaishou/core.py:298
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
media_platform/kuaishou/core.py:298 · Tags: Sync io in async · Performance
high System graph security auth conf 1.00 FastAPI POST `receive_sms_notification` without auth dependency — recv_sms.py:55
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
recv_sms.py:55 · Tags: security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `start_crawler` without auth dependency — api/routers/crawler.py:27
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/crawler.py:27 · Tags: security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `stop_crawler` without auth dependency — api/routers/crawler.py:40
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
api/routers/crawler.py:40 · Tags: security · Auth · fastapi unauth mutation
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — api/webui/assets/index-DvClRayq.js:33
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Tags: Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — api/webui/assets/index-DvClRayq.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/deploy.yml · Tags: CI/CD security · Supply chain · Github actions
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/base_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/bilibili_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/db_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/dy_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/ks_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/tieba_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/weibo_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/xhs_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/zhihu_config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: constant/baidu_tieba.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: constant/zhihu.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: media_platform/kuaishou/field.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: model/m_weibo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: var.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
16 tests / 147 src (ratio 0.11).
low System graph quality Integrity conf 1.00 13 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: media_platform/zhihu/client.py:get_all_articles_by_creator, media_platform/zhihu/client.py:get_all_videos_by_creator This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or doc…
repo-level (13 hits) · Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:get_creators_and_notes, media_platform/zhihu/core.py:get_creators_and_notes, media_platform/tieba/core.py:get_creators_and_notes This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://j…
repo-level (4 hits) · Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:start, media_platform/bilibili/core.py:start, media_platform/douyin/core.py:start, media_platform/xhs/core.py:start This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-…
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 7 places
Functions with the same first-5-line body hash: media_platform/weibo/core.py:launch_browser, media_platform/zhihu/core.py:launch_browser, media_platform/bilibili/core.py:launch_browser, media_platform/douyin/core.py:launch_browser This is *the* AI-coder failure mode (4× more duplication in vibe-co…
repo-level (2 hits) · Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_custom_hash_v2` in media_platform/xhs/playwright_sign.py:60
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `request_rest_v2` in media_platform/kuaishou/client.py:92
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: async_cleanup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
main.py:119
low System graph software Dead code conf 1.00 Possibly dead Python function: b64_encode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/xhs_sign.py:128
low System graph software Dead code conf 1.00 Possibly dead Python function: base36decode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/help.py:274
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_in_quad
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:32
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_out_quad
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:36
low System graph software Dead code conf 1.00 Possibly dead Python function: ease_out_quart
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/easing.py:40
low System graph software Dead code conf 1.00 Possibly dead Python function: encode_utf8
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/xhs_sign.py:113
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_notes_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/xhs/core.py:228
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_video_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/douyin/core.py:296
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_creator_video_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/kuaishou/core.py:428
low System graph software Dead code conf 1.00 Possibly dead Python function: new_jisu_http_proxy
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
proxy/providers/jishu_http_proxy.py:99
low System graph software Dead code conf 1.00 Possibly dead Python function: save_notes_with_full_text
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/weibo/core.py:320
low System graph software Dead code conf 1.00 Possibly dead Python function: sync_cleanup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tools/cdp_browser.py:54
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_note_detail
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:843
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_search_note_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:835
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_list
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:872
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_parment_comments
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:851
low System graph software Dead code conf 1.00 Possibly dead Python function: test_extract_tieba_note_sub_comments
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
media_platform/tieba/help.py:859
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — api/webui/assets/index-DvClRayq.js:291
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Tags: Fq console leak
low System graph quality Integrity conf 1.00 Stub function `begin` (body is just `pass`/`return`) — base/base_crawler.py:70
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/bilibili/login.py:116
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/kuaishou/login.py:111
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `login_by_mobile` (body is just `pass`/`return`) — media_platform/weibo/login.py:121
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `store_creator` (body is just `pass`/`return`) — store/kuaishou/_store_impl.py:87
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph quality Integrity conf 1.00 Stub function `store_creator` (body is just `pass`/`return`) — store/xhs/_store_impl.py:64
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler · Dead code
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`recv_sms.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/config/options
`api/main.py` declares `GET /api/config/options` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/config/platforms
`api/main.py` declares `GET /api/config/platforms` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/env/check
`api/main.py` declares `GET /api/env/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/health
`api/main.py` declares `GET /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /config/options
`api/webui/assets/index-DvClRayq.js` declares `GET /config/options` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /config/platforms
`api/webui/assets/index-DvClRayq.js` declares `GET /config/platforms` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /crawler/logs
`api/webui/assets/index-DvClRayq.js` declares `GET /crawler/logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /crawler/status
`api/webui/assets/index-DvClRayq.js` declares `GET /crawler/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/files
`api/webui/assets/index-DvClRayq.js` declares `GET /data/files` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/files/
`api/webui/assets/index-DvClRayq.js` declares `GET /data/files/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /data/stats
`api/webui/assets/index-DvClRayq.js` declares `GET /data/stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /download/{file_path:path}
`api/routers/data.py` declares `GET /download/{file_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /env/check
`api/webui/assets/index-DvClRayq.js` declares `GET /env/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /files
`api/routers/data.py` declares `GET /files` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /files/{file_path:path}
`api/routers/data.py` declares `GET /files/{file_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /logs
`api/routers/crawler.py` declares `GET /logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /stats
`api/routers/data.py` declares `GET /stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /
`recv_sms.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /crawler/start
`api/webui/assets/index-DvClRayq.js` declares `POST /crawler/start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /crawler/stop
`api/webui/assets/index-DvClRayq.js` declares `POST /crawler/stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /start
`api/routers/crawler.py` declares `POST /start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /stop
`api/routers/crawler.py` declares `POST /stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
API access

This page is publicly accessible at: https://repobility.com/scan/0d236f0c-360d-4752-8c2f-e650610910e6/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/0d236f0c-360d-4752-8c2f-e650610910e6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.