Public scan — anyone with this URL can view this analysis.
91 of your 299 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 18.0s · analysis 105.19s · 24.4 MB · GitHub API rate-limit (preflight)

Open-LLM-VTuber/Open-LLM-VTuber

https://github.com/Open-LLM-VTuber/Open-LLM-VTuber · scanned 2026-06-04 03:23 UTC (1 day, 11 hours ago) · 10 languages

463 findings (287 legacy + 176 scanner) · 13th percentile · Python · small (2-20K LoC) · Scanner says 81 (lower by 35)


Complete repo analysis

Last scanned 1 day, 11 hours ago · v2 · 375 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 100.0 | 0.15 | 15.00 |
| security_score | 0.0 | 0.25 | 0.00 |
| testing_score | 0.0 | 0.20 | 0.00 |
| documentation_score | 95.0 | 0.15 | 14.25 |
| practices_score | 78.0 | 0.15 | 11.70 |
| code_quality | 57.4 | 0.10 | 5.74 |
| Overall | | 1.00 | 46.7 |

Scan summary: Repository scanned at 81.4/100 with 88.9% coverage. It contains 952 nodes across 4 cross-layer flows, written primarily in mixed languages. Engine surfaced 88 findings — concentrated in quality (31), software (26), cicd (21). Risk profile is high: 0 critical, 1 high, 19 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 81 of 375 findings.

high 9-layer security auth conf 1.00 FastAPI POST `transcribe_audio` without auth dependency — src/open_llm_vtuber/routes.py:141
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/open_llm_vtuber/routes.py:141 · auth · owasp · auth.fastapi.unauth_mutation
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web_tool/main.js:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-requirements.yml:19 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
stefanzweifel/git-auto-commit-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-requirements.yml:25 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:62 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:90 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/metadata-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-blacksmith.yml:54 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
useblacksmith/setup-docker-builder@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-blacksmith.yml:85 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
useblacksmith/build-push-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-blacksmith.yml:140 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-blacksmith.yml:191 · supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/update-requirements.yml · supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-blacksmith.yml · supply-chain · github-actions · least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in src/open_llm_vtuber/utils/install_utils.py:116
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
src/open_llm_vtuber/utils/install_utils.py:116 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in upgrade_codes/upgrade_core/upgrade_utils.py:22
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
upgrade_codes/upgrade_core/upgrade_utils.py:22 · owasp · subprocess_shell_true
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/open_llm_vtuber/agent/stateless_llm/ollama_llm.py:65
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/open_llm_vtuber/agent/stateless_llm/stateless_llm_with_template.py:160
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/open_llm_vtuber/asr/utils.py:83
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/open_llm_vtuber/utils/install_utils.py:54
`urllib.request.urlretrieve(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity · fragile-runtime · robustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverage · auth
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 127 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
tests · coverage
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/open_llm_vtuber/agent/agents/mem0_llm.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-requirements.yml:15 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:58 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-blacksmith.yml:82 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:28 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:40 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:60 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:132 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:140 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:148 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:156 · supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create_release.yml:227 · supply-chain · github-actions · pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `check_backup` in upgrade.py:167
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `check_backup` in upgrade_codes/upgrade_core/constants.py:60
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `eleven_multilingual_v2` in src/open_llm_vtuber/config_manager/tts.py:593
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `eleven_multilingual_v2` in src/open_llm_vtuber/tts/elevenlabs_tts.py:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `eleven_multilingual_v2` in src/open_llm_vtuber/tts/tts_factory.py:181
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `model_copy` in src/open_llm_vtuber/websocket_handler.py:184
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `t2a_v2` in src/open_llm_vtuber/tts/minimax_tts.py:30
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `version_too_old` in upgrade_codes/config_sync.py:297
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: upgrade_codes/config_sync.py:merge_and_update_user_config, upgrade_codes/config_sync.py:merge This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separ…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/chat_group.py:remove_client_from_group, src/open_llm_vtuber/chat_group.py:remove_client This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/server.py:get_response, src/open_llm_vtuber/server.py:get_response This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/proxy_message_queue.py:conversation_active, src/open_llm_vtuber/proxy_message_queue.py:conversation_active This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolid…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/agent/output_types.py:to_dict, src/open_llm_vtuber/agent/output_types.py:to_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'r…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/agent/agents/basic_memory_agent.py:chat_with_memory, src/open_llm_vtuber/agent/agents/basic_memory_agent.py:chat This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Co…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/asr/asr_interface.py:transcribe_np, src/open_llm_vtuber/asr/groq_whisper_asr.py:transcribe_np This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docume…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/tts/azure_tts.py:generate_audio, src/open_llm_vtuber/tts/edge_tts.py:generate_audio, src/open_llm_vtuber/tts/bark_tts.py:generate_audio, src/open_llm_vtuber/tts/melo_tts.py:generate_audio This is *the* AI-coder failure mode (4× mo…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/agent/transformers.py:decorator, src/open_llm_vtuber/agent/transformers.py:decorator, src/open_llm_vtuber/agent/transformers.py:decorator, src/open_llm_vtuber/agent/transformers.py:decorator This is *the* AI-coder failure mode (4×…
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: src/open_llm_vtuber/agent/transformers.py:wrapper, src/open_llm_vtuber/agent/transformers.py:wrapper, src/open_llm_vtuber/agent/transformers.py:wrapper, src/open_llm_vtuber/agent/transformers.py:wrapper This is *the* AI-coder failure mode (4× more du…
integrity · duplicate · dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: cleanup_disconnected_clients
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/chat_group.py:138 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: comment_diff_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
upgrade_codes/upgrade_core/comment_diff_fn.py:41 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: create_group_for_client
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/chat_group.py:20 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/agent/transformers.py:165 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: field_compare_fn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
upgrade_codes/config_sync.py:242 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: forward_with_broadcast
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/proxy_handler.py:296 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: has_punctuation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/utils/sentence_divider.py:144 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: init_group_conversation_state
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/conversations/group_conversation.py:156 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: load_persona
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
prompts/prompt_loader.py:57 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: modify_latest_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/chat_history_manager.py:311 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: nparray_to_audio_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/asr_interface.py:36 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: remove_emotion_keywords
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/live2d_model.py:174 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: remove_server
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/mcpp/server_registry.py:93 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: rename_history_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/chat_history_manager.py:354 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/config_manager/utils.py:42 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: send_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/live/bilibili_live.py:141 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: setup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/utils/install_utils.py:133 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/fun_asr.py:103 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/sherpa_onnx_asr.py:215 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/openai_whisper_asr.py:21 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/azure_asr.py:127 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/faster_whisper_asr.py:29 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/groq_whisper_asr.py:20 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: transcribe_np
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/asr/whisper_cpp_asr.py:27 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: worker
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/open_llm_vtuber/tts/pyttsx3_tts.py:46 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — web_tool/main.js:120
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `handle_interrupt` (body is just `pass`/`return`) — src/open_llm_vtuber/agent/agents/letta_agent.py:57
Likely an AI scaffold that was never filled in. Remove or implement.
integrity · empty-handler · dead-code
low 9-layer api wiring conf 1.00 Unused endpoint: GET /live2d-models/info
`src/open_llm_vtuber/routes.py` declares `GET /live2d-models/info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /web-tool
`src/open_llm_vtuber/routes.py` declares `GET /web-tool` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /web_tool
`src/open_llm_vtuber/routes.py` declares `GET /web_tool` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /asr
`src/open_llm_vtuber/routes.py` declares `POST /asr` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
API access

This page is publicly accessible at: https://repobility.com/scan/42006152-1d92-47d5-9b25-d33bc637259d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/42006152-1d92-47d5-9b25-d33bc637259d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.