Public scan — anyone with this URL can view this analysis.
47 of your 138 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.71s · analysis 20.49s · 9.0 MB · GitHub API rate-limit (preflight)

Open-Less/openless

https://github.com/Open-Less/openless · scanned 2026-06-05 02:29 UTC (4 days, 20 hours ago) · 10 languages

607 raw signals (91 security + 516 graph) · 12th percentile · TypeScript · medium (20-100K LoC) · System graph score 86 (lower by 34)


Complete repo analysis

Last scanned 4 days, 20 hours ago · v9 · 100 actionable findings from 2 signal sources. 47 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score  Weight  Contribution
structure_score            55.0    0.15          8.25
security_score             55.0    0.25         13.75
testing_score              22.0    0.20          4.40
documentation_score        64.0    0.15          9.60
practices_score            72.0    0.15         10.80
code_quality               58.8    0.10          5.88
Overall                             1.00         52.7
Active filters: excluding tests
Scan summary Quality grade C- (53/100). Dimensions: security 55, maintainability 55. 91 findings (42 security). 71,887 lines analyzed.

Showing 69 of 100 actionable findings. 147 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
openless-all/app/src-tauri/tauri.conf.json:116
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED036] Python Os System Call: os.system() invokes shell with no escaping.
Review and fix per the pattern semantics. See CWE-78 for context.
openless-all/app/scripts/windows-openless-lifecycle-e2e.py:19
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences `self._send` used but never assigned in __init__
Method `evaluate` of class `CdpClient` reads `self._send`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 61, 81
openless-all/app/scripts/windows-openless-lifecycle-e2e.py:61, 81 (2 hits)
high Security checks software dependencies conf 0.88 atk-sys: RUSTSEC-2024-0416
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 atk: RUSTSEC-2024-0413
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk-sys: RUSTSEC-2024-0418
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdk: RUSTSEC-2024-0412
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkwayland-sys: RUSTSEC-2024-0411
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11-sys: RUSTSEC-2024-0414
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gdkx11: RUSTSEC-2024-0417
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 20 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v4` (a tag or branch rather than a commit). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 20 locations
.github/workflows/release-tauri.yml:60, 65, 514, 523, 534, 544, 555, 566, +1 more (16 hits)
.github/workflows/ci.yml:37, 42 (2 hits)
.github/workflows/claude.yml:38 (2 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `dtolnay/rust-toolchain` is pinned to the mutable ref `@stable` (a tag or branch rather than a commit). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 8 locations
.github/workflows/release-tauri.yml:71, 77, 609 (5 hits)
.github/workflows/claude.yml:71 (2 hits)
.github/workflows/ci.yml:48
Tags: CI/CD security, Supply chain, GitHub Actions
high Security checks software dependencies conf 0.88 glib: RUSTSEC-2024-0429
Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk-sys: RUSTSEC-2024-0420
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk3-macros: RUSTSEC-2024-0419
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 gtk: RUSTSEC-2024-0415
gtk-rs GTK3 bindings - no longer maintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-property: RUSTSEC-2025-0081
`unic-char-property` is unmaintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-char-range: RUSTSEC-2025-0075
`unic-char-range` is unmaintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-common: RUSTSEC-2025-0080
`unic-common` is unmaintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-ident: RUSTSEC-2025-0100
`unic-ucd-ident` is unmaintained
openless-all/app/src-tauri/Cargo.lock
high Security checks software dependencies conf 0.88 unic-ucd-version: RUSTSEC-2025-0098
`unic-ucd-version` is unmaintained
openless-all/app/src-tauri/Cargo.lock
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
openless-all/app/scripts/windows-openless-lifecycle-e2e.py:38
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
openless-all/app/src/components/WindowChrome.tsx:117
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
openless-all/app/scripts/windows-openless-lifecycle-e2e.py:22
low Security checks quality Error handling conf 0.55 ✓ Repobility 2 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
lines 33, 160
openless-all/app/scripts/windows-openless-lifecycle-e2e.py:33, 160 (2 hits)
Tags: Error handling, quality
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
openless-all/app/package-lock.json
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
openless-all/app/src/lib/ipc.ts:1353
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
openless-all/app/src/lib/fontScale.ts:35
medium Security checks software dependencies conf 0.90 npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)
`@types/react-dom` is pinned/resolved at 18.3.7 but the latest stable release on the npm registry is 19.2.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
openless-all/app/package.json
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
openless-all/app/package.json
medium Security checks software dependencies conf 0.90 npm package `marked` is 7 major version(s) behind (11.2.0 -> 18.0.5)
`marked` is pinned/resolved at 11.2.0 but the latest stable release on the npm registry is 18.0.5 (7 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
openless-all/app/package.json
medium Security checks software dependencies conf 0.88 openssl: GHSA-phqj-4mhp-q6mq
rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
openless-all/app/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 tar: GHSA-3pv8-6f4r-ffg2
tar has a PAX header desynchronization issue
openless-all/app/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 tauri: GHSA-7gmj-67g7-phm9
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
openless-all/app/src-tauri/Cargo.lock
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
openless-all/app/package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — openless-all/app/src/pages/QaPanel.tsx:435
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — openless-all/design_handoff_openless/design-canvas.jsx:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/claude.yml
Tags: CI/CD security, Supply chain, GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-tauri.yml
Tags: CI/CD security, Supply chain, GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in openless-all/app/src/pages/QaPanel.tsx:435
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
openless-all/app/src/pages/QaPanel.tsx:435
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — openless-all/app/scripts/windows-openless-lifecycle-e2e.py:126
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
9 test file(s) for 134 source file(s) (ratio 0.07). Consider adding integration or unit tests for critical paths.
Tags: Coverage
low Security checks quality Quality conf 0.60 10 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
9 files, 10 locations
openless-all/design_handoff_openless/pages.jsx:16, 758 (2 hits)
openless-all/app/src-tauri/src/asr/local/sherpa.rs:238
openless-all/app/src-tauri/src/asr/volcengine.rs:2
openless-all/app/src-tauri/src/selection.rs:291
openless-all/app/src-tauri/src/unicode_keystroke.rs:268
openless-all/app/src/components/SettingsModal.tsx:52
openless-all/app/src/pages/Translation.tsx:17
openless-all/design_handoff_openless/data.js:2
Tags: duplication, quality
low Security checks software dependencies conf 0.90 npm package `@tauri-apps/cli` is one minor version behind (2.10.1 -> 2.11.2)
`@tauri-apps/cli` is pinned/resolved at 2.10.1 but the latest stable release on the npm registry is 2.11.2 (one minor version behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
openless-all/app/package.json
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/i18n/en.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/i18n/ja.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/i18n/ko.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/i18n/zh-CN.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/i18n/zh-TW.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/lib/appVersion.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/lib/mockData.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/lib/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/app/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openless-all/design_handoff_openless/data.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — openless-all/app/src/lib/audioCue.test.ts:112
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/commands.rs (4692 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/coordinator.rs (5482 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/coordinator/dictation.rs (2247 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/lib.rs (1626 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/persistence.rs (2595 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/polish.rs (3219 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src-tauri/src/types.rs (2604 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src/i18n/ja.ts (1035 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src/i18n/ko.ts (1035 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src/lib/ipc.ts (1456 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src/pages/LocalAsr.tsx (3396 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openless-all/app/src/pages/Style.tsx (1261 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/154d1fd0-3531-4810-9a33-c2cfd5a61503/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/154d1fd0-3531-4810-9a33-c2cfd5a61503/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.