Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 38.12s for a 46.0 MB repo slow.
  • Repobility's analysis ran in 5.16s after the clone landed.

thClaws/thClaws

https://github.com/thClaws/thClaws · scanned 2026-05-31 01:25 UTC (5 days, 7 hours ago) · 10 languages

239 findings (93 legacy + 146 scanner) 11/13 scanners ran 54th percentile · Rust · large (100-500K LoC)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 177 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
73.4
/100
Repobility
77
93 legacy
9-layer
70
88.9% cov · 84 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 20.0 0.20 4.00
documentation_score 96.0 0.15 14.40
practices_score 90.0 0.15 13.50
code_quality 50.0 0.10 5.00
Overall 1.00 70.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 62 Medium 10 Low 49 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 93 9-layer 84 Crowd 0 Layer: Cicd 7 Quality 107 Software 38 Security 5 Api 1 Frontend 16 Hardware 3
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 69.9/100 with 88.9% coverage. It contains 873 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 84 findings — concentrated in quality (50), frontend (16), software (8). Risk profile is high: 0 critical, 2 high, 7 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 121 of 177 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cargo-audit.yml:25 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cargo-audit.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:140 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:100 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:68 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:41 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:30 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:150 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:110 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:79 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:45 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:56 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # stable` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:141 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # stable` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:101 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # stable` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:69 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # stable` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:31 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dtolnay/rust-toolchain@<40-char-sha> # stable` and let Dependabot bump it on a scheduled cadence.
.github/workflows/cargo-audit.yml:22 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:42 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:142 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:102 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:72 dependencylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
crates/core/assets/gui-shells/session-explorer/main.js:142 xsslegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
frontend/src/components/TeamView.tsx:95 qualitylegacy
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in crates/core/src/research/pipeline.rs:1063
Found a known-risky pattern (eval_used). Review and replace if possible.
crates/core/src/research/pipeline.rs:1063 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in crates/core/src/workflow/runtime.rs:49
Found a known-risky pattern (eval_used). Review and replace if possible.
crates/core/src/workflow/runtime.rs:49 owaspeval_used
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
frontend/src/components/ShellPicker.tsx:179 error_handlinglegacy
high Legacy quality quality conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials.
user-manual-th/ch26-gui-shells.md:185 qualitylegacy
high Legacy quality quality conf 0.68 Agent auto-approve or skip-permissions mode is easy to enable
Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials.
user-manual/ch26-gui-shells.md:189 qualitylegacy
medium Legacy quality quality Average file size is 587 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.
qualitylegacy
medium Legacy cicd docker conf 0.94 Compose service `thclaws` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:20 dockerlegacy
high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
frontend/src/components/ModelPickerModal.tsx:33 qualitylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
user-manual-th/ch05-permissions.md:121 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
user-manual-th/ch02-installation.md:270 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
user-manual/ch05-permissions.md:106 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
user-manual-th/ch11-built-in-tools.md:35 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
user-manual/ch11-built-in-tools.md:35 dependencylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — frontend/src/components/ChatView.tsx:1173
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — frontend/src/components/KmsViewerOverlay.tsx:350
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — frontend/src/components/TeamView.tsx:74
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cargo-audit.yml:22 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in frontend/src/components/KmsViewerOverlay.tsx:350
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
frontend/src/components/KmsViewerOverlay.tsx:350 owaspdangerous_innerhtml
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
5 test file(s) for 243 source file(s) (ratio 0.02). Consider adding integration or unit tests for critical paths.
testscoverage
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore dockerlegacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker-compose.yml:20 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker-compose.yml:20 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/TodoSidebar.tsx:57 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/TodoSidebar.tsx:41 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/TelegramConnectModal.tsx:111 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/Sidebar.tsx:22 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/ResearchSidebar.tsx:143 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/PlanSidebar.tsx:107 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/MessengerConnectModal.tsx:39 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/KmsBrowserSidebar.tsx:91 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/workflow/headless.rs:34 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/topic.rs:47 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/headless.rs:108 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/config.rs:95 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/client.rs:259 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/approver.rs:108 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/telegram/approver.rs:51 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/messenger/config.rs:53 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/messenger/client.rs:23 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/messenger/bootstrap.rs:42 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/messenger/approver.rs:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/gui_shell/serve.rs:118 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/deploy_client.rs:14 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/PlanSidebar.tsx:83 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/ModelPickerModal.tsx:179 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
frontend/src/components/MarkdownEditor.tsx:64 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/tools/pptx_edit.rs:86 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/tools/pptx_create.rs:216 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/tools/memory.rs:133 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/providers/openai_responses.rs:148 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
crates/core/src/providers/ollama_cloud.rs:24 qualitylegacy
low 9-layer quality maintenance conf 1.00 47 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:${NODE_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:24 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: rust:${RUST_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:43 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/src/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/agent-mutex.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/model-profiles.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/pricing-fallback.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: paperclip-adapter/src/server/session-codec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/cargo-audit.yml:25 supply-chaingithub-actionspinned-dependencies
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/agent.rs (3191 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/config.rs (1739 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/gui.rs (1471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/ipc.rs (3358 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/kms.rs (5099 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/mcp.rs (2408 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/model_catalogue.rs (1949 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/anthropic.rs (1378 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/gemini.rs (1302 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/mod.rs (1475 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/providers/openai.rs (1644 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/repl.rs (11997 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/research/llm_calls.rs (1534 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/schedule.rs (2382 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/server.rs (1454 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/session.rs (2216 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/shared_session.rs (5018 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/shell_dispatch.rs (4386 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/skills.rs (2478 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/team.rs (2502 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/tools/bash.rs (1887 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: crates/core/src/workflow/runtime.rs (2001 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: frontend/src/components/ChatView.tsx (1586 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: paperclip-adapter/src/server/pricing-fallback.ts (2665 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/messenger/config.rs:191 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/line/config.rs:195 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
crates/core/src/external_url.rs:70 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
frontend/src/hooks/useIPC.ts:46 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
frontend/src/components/SettingsMenu.tsx:68 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
frontend/src/components/TeamView.tsx:253 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/messenger/client.rs:300 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/line/protocol.rs:127 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
Review and fix per the pattern semantics. See CWE-755 / for context.
crates/core/src/cancel.rs:162 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/35c0bd90-7a84-43f2-96fa-aa9e363646bc/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/35c0bd90-7a84-43f2-96fa-aa9e363646bc/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.