42 of your 60 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.48s · analysis 1.81s · 0.2 MB · GitHub preflight 464ms

LagrangeDev/lagrange-python

https://github.com/LagrangeDev/lagrange-python · scanned 2026-06-05 18:26 UTC (4 days, 18 hours ago) · 10 languages

186 raw signals (56 security + 130 graph) · 11th percentile · Python · small (2-20K LoC) · System graph score 95 (lower by 48)


Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 76 actionable findings from 2 signal sources. 45 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           75.0    0.15         11.25
security_score            67.6    0.25         16.90
testing_score              0.0    0.20          0.00
documentation_score       33.0    0.15          4.95
practices_score           42.0    0.15          6.30
code_quality              79.0    0.10          7.90
Overall                            1.00         47.3
Active filters: excluding tests
Scan summary: Quality grade D+ (47/100). Dimensions: security 68, maintainability 75. 56 findings (6 security). 3,660 lines analyzed.

Showing 53 of 76 actionable findings. 121 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
lagrange/info/serialize.py:56
critical Security checks security Crypto conf 1.00 [SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. CWE-916 (use of password hash without computational effort).
Use a purpose-built password hash:
- Python: passlib.hash.argon2.hash(password)
- Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())
- Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)
- PHP: password_hash($password, PASSWORD_ARGON2ID)
- Node.js: argon2.hash(password)
…
lagrange/client/wtlogin/tlv/common.py:68
critical Security checks security Crypto conf 1.00 [SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. CWE-916 (use of password hash without computational effort).
Use a purpose-built password hash:
- Python: passlib.hash.argon2.hash(password)
- Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())
- Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)
- PHP: password_hash($password, PASSWORD_ARGON2ID)
- Node.js: argon2.hash(password)
…
lagrange/client/base.py:244
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
lagrange/info/serialize.py:56
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
lagrange/utils/httpcat.py:106
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.decompressed_body` used but never assigned in __init__
Method `json` of class `HttpResponse` reads `self.decompressed_body`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
3 files, 25 locations
lagrange/utils/network.py:60, 65, 67, 73, 78, 79, 81, 83, +6 more (16 hits)
lagrange/utils/log.py:13, 14, 15, 21, 32, 36, 40 (7 hits)
lagrange/utils/httpcat.py:40, 43 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences Blocking call `input` inside async function `login`
`input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
lagrange/client/client.py:53, 54 (2 hits)
high Security checks software dependencies conf 0.88 cryptography: GHSA-r6ph-v2qm-q3c2
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
pdm.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-35
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography woul…
pdm.lock
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
lagrange/utils/binary/protobuf.py:120
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
lagrange/info/serialize.py:56
low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
lagrange/utils/network.py:87 · tags: Error handling, quality
medium Security checks software dependencies conf 0.88 cryptography: GHSA-h4gh-qq45-vh27
pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels
pdm.lock
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · tags: CI/CD security, Supply chain, GitHub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — pdm_build.py:20
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
tags: runtime safety, Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
tags: auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 99 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
tags: Coverage
low Security checks software dependencies conf 0.88 cryptography: GHSA-79v4-65xg-pq4g
Vulnerable OpenSSL included in cryptography wheels
pdm.lock
low System graph software Dead code candidate conf 1.00 File has no detected symbols: lagrange/client/message/types.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: lagrange/client/server_push/log.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: lagrange/version.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'debug_true' in lagrange/pb/login/ntlogin.py:6
Found a known-risky pattern (debug_true). Review and replace if possible.
lagrange/pb/login/ntlogin.py:6 · tags: Debug true
low System graph security security conf 1.00 Insecure pattern 'debug_true' in lagrange/pb/message/rich_text/__init__.py:27
Found a known-risky pattern (debug_true). Review and replace if possible.
lagrange/pb/message/rich_text/__init__.py:27 · tags: Debug true
low System graph security security conf 1.00 Insecure pattern 'debug_true' in lagrange/pb/service/group.py:433
Found a known-risky pattern (debug_true). Review and replace if possible.
lagrange/pb/service/group.py:433 · tags: Debug true
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 17 places
Functions with the same first-5-line body hash: lagrange/client/message/elems.py:display, lagrange/client/message/elems.py:display, lagrange/client/message/elems.py:display, lagrange/client/message/elems.py:display This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see …
tags: duplicates, duplication
low System graph quality Integrity conf 1.00 12 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: lagrange/client/message/elems.py:text, lagrange/client/message/elems.py:text This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
12 occurrences
repo-level (12 hits)
tags: duplicates, duplication
low System graph quality Integrity conf 1.00 6 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: lagrange/client/network.py:send, lagrange/client/network.py:send, lagrange/client/network.py:send This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're s…
6 occurrences
repo-level (6 hits)
tags: duplicates, duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: lagrange/client/base.py:send_uni_packet, lagrange/client/base.py:send_uni_packet, lagrange/client/base.py:send_uni_packet, lagrange/client/base.py:send_uni_packet This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see http…
tags: duplicates, duplication
low System graph software Dead code conf 1.00 Possibly dead Python function: down_friend_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:250
low System graph software Dead code conf 1.00 Possibly dead Python function: down_grp_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:247
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_grp_request
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:478
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_group_reaction
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
main.py:58
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_grp_sign
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
main.py:36
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_kick
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
main.py:31
low System graph software Dead code conf 1.00 Possibly dead Python function: kick_grp_member
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:406
low System graph software Dead code conf 1.00 Possibly dead Python function: leave_grp
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:403
low System graph software Dead code conf 1.00 Possibly dead Python function: pdm_build_hook_enabled
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pdm_build.py:16
low System graph software Dead code conf 1.00 Possibly dead Python function: pdm_build_initialize
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pdm_build.py:30
low System graph software Dead code conf 1.00 Possibly dead Python function: rename_grp_member
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:393
low System graph software Dead code conf 1.00 Possibly dead Python function: rename_grp_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:390
low System graph software Dead code conf 1.00 Possibly dead Python function: send_friend_msg
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:220
low System graph software Dead code conf 1.00 Possibly dead Python function: send_grp_reaction
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:416
low System graph software Dead code conf 1.00 Possibly dead Python function: send_nudge
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:427
low System graph software Dead code conf 1.00 Possibly dead Python function: set_c2c_bot_hd
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:543
low System graph software Dead code conf 1.00 Possibly dead Python function: set_essence
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:441
low System graph software Dead code conf 1.00 Possibly dead Python function: set_grp_bot_hd
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:536
low System graph software Dead code conf 1.00 Possibly dead Python function: set_grp_request
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:484
low System graph software Dead code conf 1.00 Possibly dead Python function: set_mute_grp
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:454
low System graph software Dead code conf 1.00 Possibly dead Python function: set_mute_member
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:473
low System graph software Dead code conf 1.00 Possibly dead Python function: upload_friend_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:241
low System graph software Dead code conf 1.00 Possibly dead Python function: upload_friend_image
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:232
low System graph software Dead code conf 1.00 Possibly dead Python function: upload_grp_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
lagrange/client/client.py:238
low System graph quality Integrity conf 1.00 Stub function `push_handler` (body is just `pass`/`return`) — lagrange/client/base.py:435
Likely an AI scaffold that was never filled in. Remove or implement.
tags: Empty handler, Dead code
API access

This page is publicly accessible at: https://repobility.com/scan/35d3b381-1b85-4e26-8074-d09fb3338809/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/35d3b381-1b85-4e26-8074-d09fb3338809/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.