Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 38.12s for a 46.0 MB repo slow.
  • Repobility's analysis ran in 5.16s after the clone landed.

thClaws/thClaws

https://github.com/thClaws/thClaws · scanned 2026-05-31 01:25 UTC (5 days, 13 hours ago) · 10 languages

239 findings (93 legacy + 146 scanner) 11/13 scanners ran 62nd percentile · Rust · large (100-500K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 13 hours ago · v2 · 177 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
73.4
/100
Repobility
77
93 legacy
9-layer
70
88.9% cov · 84 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 20.0 0.20 4.00
documentation_score 96.0 0.15 14.40
practices_score 90.0 0.15 13.50
code_quality 50.0 0.10 5.00
Overall 1.00 70.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: low × excluding tests × Reset all
Severity: Critical 0 High 62 Medium 10 Low 49 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 93 9-layer 84 Crowd 0 Layer: Cicd 7 Quality 107 Software 38 Security 5 Api 1 Frontend 16 Hardware 3
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 69.9/100 with 88.9% coverage. It contains 873 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 84 findings — concentrated in quality (50), frontend (16), software (8). Risk profile is high: 0 critical, 2 high, 7 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 49 of 177 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
crates/core/assets/gui-shells/session-explorer/main.js:142 xsslegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
frontend/src/components/TeamView.tsx:95 qualitylegacy
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore dockerlegacy
low 9-layer quality maintenance conf 1.00 47 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:${NODE_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:24 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: rust:${RUST_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:43 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/src/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/agent-mutex.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/model-profiles.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/pricing-fallback.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/session-codec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cargo-audit.yml:25 supply-chaingithub-actionspinned-dependencies
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/agent.rs (3191 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/config.rs (1739 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/gui.rs (1471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/ipc.rs (3358 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/kms.rs (5099 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/mcp.rs (2408 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/model_catalogue.rs (1949 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/anthropic.rs (1378 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/gemini.rs (1302 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/mod.rs (1475 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/openai.rs (1644 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/repl.rs (11997 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/research/llm_calls.rs (1534 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/schedule.rs (2382 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/server.rs (1454 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/session.rs (2216 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/shared_session.rs (5018 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/shell_dispatch.rs (4386 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/skills.rs (2478 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/team.rs (2502 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/tools/bash.rs (1887 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/workflow/runtime.rs (2001 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: frontend/src/components/ChatView.tsx (1586 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: paperclip-adapter/src/server/pricing-fallback.ts (2665 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/messenger/config.rs:191 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/line/config.rs:195 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/external_url.rs:70 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
frontend/src/hooks/useIPC.ts:46 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
frontend/src/components/SettingsMenu.tsx:68 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
frontend/src/components/TeamView.tsx:253 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/messenger/client.rs:300 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/line/protocol.rs:127 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/cancel.rs:162 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/35c0bd90-7a84-43f2-96fa-aa9e363646bc/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/35c0bd90-7a84-43f2-96fa-aa9e363646bc/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.