50 of your 104 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.44s · analysis 11.63s · 5.8 MB · GitHub API rate-limit (preflight)

Gilgamesh-J/X-ASR

https://github.com/Gilgamesh-J/X-ASR · scanned 2026-06-06 01:10 UTC (3 days, 23 hours ago) · 10 languages

289 raw signals (97 security + 192 graph) · 0th percentile · Swift · medium (20-100K LoC) · System graph score 88 (lower by 38)


Complete repo analysis

Last scanned 3 days, 23 hours ago · v2 · 88 actionable findings from 2 signal sources. 105 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score           40.0     0.15           6.00
security_score            96.0     0.25          24.00
testing_score              0.0     0.20           0.00
documentation_score       78.0     0.15          11.70
practices_score           40.0     0.15           6.00
code_quality              25.7     0.10           2.57
Overall                            1.00           50.3
Severity distribution: chart not reproduced.
Active filters: excluding tests
Scan summary: Quality grade C- (50/100). Dimensions: security 96, maintainability 40. 97 findings (13 security). 65,246 lines analyzed.

Showing 59 of 88 actionable findings. 193 raw detector signals were grouped into reader-sized issues.

high · Security checks · security · path traversal · conf 0.80 · [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
projects/Vibe_XASR/refiner_eval/eval_refiner.py:160
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 25 occurrences · `self.forward_encoder` used but never assigned in __init__
Method `forward` of class `AsrModel` reads `self.forward_encoder`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
X-ASR-zh-en/zipformer/onnx_pretrained.py:151, 158, 164, 165, 166, 168, 169, 172, +13 more (21 hits)
X-ASR-zh-en/zipformer/model.py:422, 429, 449, 457 (4 hits)
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Blocking call `time.sleep` inside async function `main`
`time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
X-ASR-zh-en/deployment/infer_and_client/sherpa_streaming_client.py:69
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Phantom test coverage: test_clean_cuts
Test function `test_clean_cuts` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
X-ASR-zh-en/zipformer/multi_dataset.py:236
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Phantom test coverage: test_cuts
Test function `test_cuts` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
X-ASR-zh-en/zipformer/multi_dataset.py:153
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Phantom test coverage: test_dataloaders
Test function `test_dataloaders` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
X-ASR-zh-en/zipformer/asr_datamodule.py:367
high · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Phantom test coverage: test_other_cuts
Test function `test_other_cuts` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
X-ASR-zh-en/zipformer/multi_dataset.py:243
high · System graph · quality · Integrity · conf 1.00 · Blocking `time.sleep(...)` inside `async def main` — X-ASR-zh-en/deployment/infer_and_client/sherpa_streaming_client.py:69
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
X-ASR-zh-en/deployment/infer_and_client/sherpa_streaming_client.py:69 · Tags: Sync io in async, Performance
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/asr_datamodule.py:266
Found a known-risky pattern (eval_used). Review and replace if possible. Before treating a hit as code execution, confirm it is Python's builtin `eval()` applied to data an outside party can influence, not a PyTorch `module.eval()` call, which only switches a model to inference mode.
X-ASR-zh-en/zipformer/asr_datamodule.py:266 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/decode.py:844
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/decode.py:844 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/export-onnx-streaming.py:772
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/export-onnx-streaming.py:772 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/export-onnx.py:541
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/export-onnx.py:541 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/export.py:504
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/export.py:504 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/finetune.py:1303
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/finetune.py:1303 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/jit_pretrained.py:214
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/jit_pretrained.py:214 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/jit_pretrained_ctc.py:279
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/jit_pretrained_ctc.py:279 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/jit_pretrained_streaming.py:184
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/jit_pretrained_streaming.py:184 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/pretrained.py:300
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/pretrained.py:300 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/streaming_decode.py:850
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/streaming_decode.py:850 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/train.py:874
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/train.py:874 · Tags: Eval used
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in X-ASR-zh-en/zipformer/zipformer.py:2451
Found a known-risky pattern (eval_used). Review and replace if possible.
X-ASR-zh-en/zipformer/zipformer.py:2451 · Tags: Eval used
low · Security checks · quality · Error handling · conf 0.55 · ✓ Repobility · Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
X-ASR-zh-en/deployment/x-asr-live-demo/live_asr.py:275 · Tags: Error handling, quality
medium · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · Mutable default argument in `__init__` (list)
`def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
X-ASR-zh-en/zipformer/zipformer.py:102
medium · Security checks · software dependencies · conf 0.90 · ✓ Repobility · 9 occurrences · requirements.txt: `numpy` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
3 files, 9 locations
X-ASR-zh-en/deployment/requirements.txt:1, 2, 3, 4, 5 (5 hits)
X-ASR-zh-en/deployment/x-asr-live-demo/requirements.txt:5, 6, 7 (3 hits)
X-ASR-zh-en/deployment/x-asr-live-demo/requirements-firered.txt:6
medium · System graph · cicd · CI/CD security · conf 1.00 · 5 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
pypa/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 5 locations
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels-aarch64.yaml:33
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels-macos-arm64.yaml:29
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels-macos-x64.yaml:29
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels-win32.yaml:31
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels.yaml:32
Tags: CI/CD security, Supply chain, Github actions
medium · System graph · cicd · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/iwyu.yaml · Tags: CI/CD security, Supply chain, Github actions
medium · System graph · security · security · conf 1.00 · Insecure pattern 'subprocess_shell_true' in X-ASR-zh-en/zipformer/optim.py:1226
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible. With `shell=True` the command string is parsed by a shell, so any part of it built from external input is interpreted as shell syntax; pass an argument list with `shell=False` unless shell features are genuinely required.
X-ASR-zh-en/zipformer/optim.py:1226 · Tags: Subprocess shell true
medium · System graph · quality · Integrity · conf 1.00 · Network/subprocess call without timeout or try/except — X-ASR-zh-en/zipformer/optim.py:1225
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium · System graph · security · Coverage · conf 1.00 · No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
Tags: auth
low · Security checks · quality · Quality · conf 0.60 · 30 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 29 locations
X-ASR-zh-en/zipformer/onnx_pretrained.py:4, 13, 61, 70, 192 (5 hits)
X-ASR-zh-en/zipformer/onnx_pretrained-streaming.py:4, 63, 296, 298 (4 hits)
X-ASR-zh-en/zipformer/pretrained.py:120, 180, 183, 230 (4 hits)
X-ASR-zh-en/zipformer/streaming_decode.py:77, 322, 619, 668 (4 hits)
X-ASR-zh-en/zipformer/export.py:139, 163, 359 (3 hits)
X-ASR-zh-en/zipformer/export-onnx.py:18, 77 (2 hits)
X-ASR-zh-en/zipformer/generate_averaged_model.py:27, 58 (2 hits)
X-ASR-zh-en/zipformer/export-onnx-streaming.py:91
Tags: duplication, quality
low · System graph · cicd · CI/CD security · conf 1.00 · 8 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 8 locations
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/iwyu.yaml:58, 65, 133, 160 (4 hits)
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/build-wheels-win64.yaml:29
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/linux-macos.yaml:32
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/test-wheel.yaml:43
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/.github/workflows/windows-x64.yaml:53
Tags: CI/CD security, Supply chain, Github actions
low · System graph · quality · Integrity · conf 1.00 · Near-duplicate function bodies in 16 places
Functions with the same first-5-line body hash: X-ASR-zh-en/zipformer/onnx_check.py:get_parser, X-ASR-zh-en/zipformer/generate_averaged_model.py:get_parser, X-ASR-zh-en/zipformer/jit_pretrained.py:get_parser, X-ASR-zh-en/zipformer/train.py:get_parser This is *the* AI-coder failure mode (4× more du…
Tags: duplicates, duplication
low · System graph · quality · Integrity · conf 1.00 · 18 occurrences · Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: X-ASR-zh-en/zipformer/jit_pretrained.py:read_sound_files, X-ASR-zh-en/zipformer/jit_pretrained_ctc.py:read_sound_files This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or d…
18 occurrences
repo-level (18 hits)
Tags: duplicates, duplication
low · System graph · quality · Integrity · conf 1.00 · Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: X-ASR-zh-en/zipformer/jit_pretrained.py:token_ids_to_words, X-ASR-zh-en/zipformer/onnx_pretrained.py:token_ids_to_words, X-ASR-zh-en/zipformer/onnx_decode.py:token_ids_to_words This is *the* AI-coder failure mode (4× more duplication in vibe-coded re…
Tags: duplicates, duplication
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: build_extension
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
projects/Vibe_XASR/macos_build/native/third_party/kaldi-native-fbank/cmake/cmake_extension.py:54
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/deployment/x-asr-live-demo/live_asr.py:316
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: extra_repr
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/scaling.py:201
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: fast_beam_search_with_nbest_rescoring
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:2113
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: fast_beam_search_with_nbest_rnn_rescoring
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:2273
low · System graph · software · Dead code · conf 1.00 · 9 occurrences · Possibly dead Python function: forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
9 files, 9 locations
X-ASR-zh-en/zipformer/decoder.py:103
X-ASR-zh-en/zipformer/encoder_interface.py:24
X-ASR-zh-en/zipformer/export-onnx-streaming.py:382
X-ASR-zh-en/zipformer/export-onnx.py:270
X-ASR-zh-en/zipformer/export.py:324
X-ASR-zh-en/zipformer/joiner.py:36
X-ASR-zh-en/zipformer/model.py:335
X-ASR-zh-en/zipformer/subsampling.py:289
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: keywords_search
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:962
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: modified_beam_search_lm_rescore
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:1406
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: modified_beam_search_lm_rescore_LODR
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:1604
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: modified_beam_search_lm_shallow_fusion
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:2934
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: modified_beam_search_LODR
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:2628
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: modified_beam_search_ngram_rescoring
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/beam_search.py:2464
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: normalize_cjk
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/deployment/x-asr-live-demo/live_asr.py:69
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: random_cast_to_half
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/scaling.py:243
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: remove_short_and_long_utt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/train.py:1201
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: remove_short_and_long_utt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/finetune.py:2104
low · System graph · software · Dead code · conf 1.00 · 3 occurrences · Possibly dead Python function: remove_short_utt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
X-ASR-zh-en/zipformer/decode.py:871
X-ASR-zh-en/zipformer/finetune.py:2184
X-ASR-zh-en/zipformer/streaming_decode.py:862
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: ScaledConv1d
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/scaling.py:526
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: tokenize_and_encode_text
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/train.py:1238
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: tokenize_and_encode_text
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
X-ASR-zh-en/zipformer/finetune.py:2156
low · System graph · quality · Complexity · conf 1.00 · Very large file: X-ASR-zh-en/zipformer/beam_search.py (3189 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: X-ASR-zh-en/zipformer/finetune.py (2362 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: X-ASR-zh-en/zipformer/optim.py (1237 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: X-ASR-zh-en/zipformer/scaling.py (1913 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: X-ASR-zh-en/zipformer/zipformer.py (2464 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/32f6df76-60ef-4611-b2a5-4f85eb10e159/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/32f6df76-60ef-4611-b2a5-4f85eb10e159/

The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one.