Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 2.91s · analysis 8.19s · 17.8 MB · GitHub API rate-limit (preflight)

jd-opensource/OxyGent

https://github.com/jd-opensource/OxyGent · scanned 2026-05-31 01:24 UTC (1 week, 6 days ago) · 10 languages

707 raw signals (257 security + 450 graph) 50th percentile · Python · medium (20-100K LoC) System graph score 57 (higher by 6)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · 319 actionable findings from 2 signal sources. 163 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
51.3
/100
Security checks
46
123 findings
System graph
57
88.9% cov · 196 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 34.2 0.25 8.55
testing_score 93.0 0.20 18.60
documentation_score 100.0 0.15 15.00
practices_score 77.0 0.15 11.55
code_quality 30.6 0.10 3.06
Overall 1.00 62.8
Severity distribution — click a segment to filter
Active filters: severity: medium × excluding tests × Reset all
Severity: Critical 2 High 110 Medium 13 Low 129 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 123 System graph 196 Crowd 0 Layer: Security 90 Quality 111 Software 55 Cicd 2 Frontend 11 Api 50
Scan summary Quality grade C+ (63/100). Dimensions: security 34, maintainability 40. 257 findings (47 security). 90,537 lines analyzed.

Showing 13 of 319 actionable findings. 482 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — applications/oxybank/web/src/composables/useAnnotationPlatform.ts:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — function_hubs/chart/web/js/app.js:18
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — oxygent/web/js/prompt-manager.js:365
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in oxygent/preset_tools/shell_tools.py:30
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
oxygent/preset_tools/shell_tools.py:30 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/app/api/endpoints/knowledge_file.py:138
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/app/api/endpoints/knowledge_file.py:138 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/app/api/models.py:64
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/app/api/models.py:64 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in applications/oxybank/web/openapi/swagger.json:300
Found a known-risky pattern (weak_hash). Review and replace if possible.
applications/oxybank/web/openapi/swagger.json:300 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in oxygent/schemas/oxy.py:89
Found a known-risky pattern (weak_hash). Review and replace if possible.
oxygent/schemas/oxy.py:89 Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — examples/backend/demo_human_in_the_loop.py:16
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — function_hubs/train_ticket_tools.py:101
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/265b0750-c349-4696-b5c2-85ab2c95b0b9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.