TomoeMami/S1PlainTextBackup

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

8 of your 21 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 11.53s · analysis 3.92s · 64.9 MB · GitHub API rate-limit (preflight)

https://github.com/TomoeMami/S1PlainTextBackup · scanned 2026-06-06 00:57 UTC (1 week, 2 days ago) · 10 languages

54 raw signals (20 security + 34 graph) 11/13 scanners ran 20th percentile · Python · tiny (<2K LoC) System graph score 89 (lower by 35)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 30 actionable findings from 2 signal sources. 7 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

77.8% cov · 13 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	100.0	0.25	25.00
`testing_score`	0.0	0.20	0.00
`documentation_score`	48.0	0.15	7.20
`practices_score`	55.0	0.15	8.25
`code_quality`	78.0	0.10	7.80
Overall		1.00	54.2

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: severity: info × excluding tests × Reset all

Severity: Critical 0 High 3 Medium 4 Low 12 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 17 System graph 13 Crowd 0 Layer: Quality 15 Security 5 Cicd 3 Software 5 Api 1 Frontend 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade C- (54/100). Dimensions: security 100, maintainability 40. 20 findings (9 security). 1,152 lines analyzed.

Showing 11 of 30 actionable findings. 37 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `build_reply_content` has cognitive complexity 29 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=4, for=4, if=5, nested_bonus=16.

Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 29.

TopThreadReply.py:67

info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 32 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=3, else=1, except=3, for=4, if=6, nested_bonus=15.

autorun.py:157

info Security checks quality Quality conf 1.00 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes — DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production.

Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint.

TopThreadReply.py:165

info Security checks quality Testing No test files found

Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.

info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `parse_html` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=7, except=2, for=1, if=6, nested_bonus=8.

autorun.py:68

info Security checks security Security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

s1.py:120

info Security checks quality Quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p

Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.

S1B.py:76

info System graph quality Integrity conf 1.00 Commented-code block (16 lines) in simpleadd.py:33

A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.

commented codeDead code

info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in data.py:66

A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.

commented codeDead code

info System graph api Coverage conf 1.00 No API endpoints detected

The scanner did not find FastAPI/Flask/Express/NestJS/GraphQL/gRPC routes. If this repo exposes APIs, the framework may be unsupported.

info System graph frontend Coverage conf 1.00 No frontend routes/components detected

No React/Vue/Next routes were found. This is fine for backend-only repos.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/30f03892-f284-4cfd-8600-0c718d898966/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/30f03892-f284-4cfd-8600-0c718d898966/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.