Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
94 of your 246 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.09s · analysis 7.24s · 5.6 MB · GitHub preflight 476ms

The-AI-Alliance/cube-standard

https://github.com/The-AI-Alliance/cube-standard · scanned 2026-06-05 18:25 UTC (4 days, 18 hours ago) · 10 languages

333 raw signals (167 security + 166 graph) 59th percentile · Python · medium (20-100K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 155 actionable findings from 2 signal sources. 69 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
67.0
/100
Security checks
67
92 findings
System graph
67
88.9% cov · 63 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 48.2 0.25 12.05
testing_score 87.0 0.20 17.40
documentation_score 81.0 0.15 12.15
practices_score 70.0 0.15 10.50
code_quality 34.5 0.10 3.45
Overall 1.00 68.3
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 33 Medium 23 Low 41 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 92 System graph 63 Crowd 0 Layer: Quality 89 Security 8 Software 49 Frontend 2 Network 2 Cicd 4 Api 1
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Ranks in the 3rd percentile among small-sized repos. Strongest dependencies (90), testing (85); weakest practices (66), code quality (75). 185 findings (90 high). Most common pattern: stub-only-function.

Showing 97 of 155 actionable findings. 224 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks software dependencies conf 0.88 litellm: GHSA-r75f-5x8p-qvmc
LiteLLM has SQL Injection in Proxy API key verification
cube-tools/cube-web-tool/uv.lock
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
.github/scripts/collect_metrics.py:199
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
Review and fix per the pattern semantics. See CWE-78 / for context.
cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/_exec_relay_server.py:92
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-35
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography woul…
cube-tools/cube-browser-tool/uv.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-36
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in…
cube-tools/cube-browser-tool/uv.lock
high Security checks quality Quality conf 0.80 ✓ Repobility 2 occurrences FastAPI POST / has no auth
Handler `_dispatch` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
lines 318, 409
src/cube/server.py:318, 409 (2 hits)
high Security checks software dependencies conf 0.88 litellm: GHSA-v4p8-mg3p-g94g
LiteLLM: Authenticated command execution via MCP stdio test endpoints
cube-tools/cube-web-tool/uv.lock
high Security checks software dependencies conf 0.88 litellm: GHSA-wxxx-gvqv-xp7p
LiteLLM has a sandbox escape in custom-code guardrail
cube-tools/cube-web-tool/uv.lock
high Security checks software dependencies conf 0.88 litellm: GHSA-xqmj-j6mv-4862
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
cube-tools/cube-web-tool/uv.lock
high Security checks software dependencies conf 0.88 lxml: PYSEC-2026-87
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='interna…
cube-tools/cube-browser-tool/uv.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
cube-resources/cube-chat/uv.lock
high Security checks software dependencies conf 0.88 pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
cube-resources/cube-chat/uv.lock
high Security checks software dependencies conf 0.88 pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
cube-resources/cube-chat/uv.lock
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.6.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
lines 8, 18
.pre-commit-config.yaml:8, 18 (2 hits)
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
cube-resources/cube-infra-azure/uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-176
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature ver…
cube-tools/cube-browser-tool/uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
cube-resources/cube-infra-azure/uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
cube-resources/cube-infra-azure/uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
uv.lock
high Security checks software dependencies conf 0.88 pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
cube-resources/cube-infra-azure/uv.lock
high Security checks software dependencies conf 0.88 2 occurrences python-multipart: GHSA-pp6c-gr5w-3c5g
python-multipart has Denial of Service via unbounded multipart part headers
2 files, 2 locations
cube-tools/cube-browser-tool/uv.lock
uv.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
uv.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
cube-resources/cube-chat/uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
cube-resources/cube-infra-aws/uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-142
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dr…
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-142
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dr…
cube-resources/cube-infra-aws/uv.lock
high System graph security auth conf 1.00 FastAPI POST `_dispatch` without auth dependency — src/cube/server.py:314
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/cube/server.py:314 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `_dispatch` without auth dependency — src/cube/server.py:405
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/cube/server.py:405 securityAuth fastapi unauth mutation
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
cube-resources/cube-infra-daytona/src/cube_infra_daytona/container.py:168
src/cube/backends/local.py:164
src/cube/backends/toolkit.py:141
low Security checks security Injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/_exec_relay_server.py:92
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/cube/provision_store.py:72
high Security checks quality Quality conf 0.72 4 occurrences Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
4 files, 4 locations
cube-resources/cube-infra-aws/src/cube_infra_aws/aws.py:56
cube-resources/cube-infra-azure/src/cube_infra_azure/azure.py:75
src/cube/integrations/nemogym.py:4
src/cube/server.py:4
medium Security checks software dependencies conf 0.88 2 occurrences aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
2 files, 2 locations
cube-tools/cube-web-tool/uv.lock
uv.lock
medium Security checks software dependencies conf 0.88 2 occurrences aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
2 files, 2 locations
cube-tools/cube-web-tool/uv.lock
uv.lock
low Security checks quality Error handling conf 0.55 ✓ Repobility 18 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 18 locations
.github/scripts/collect_metrics.py:271, 316, 343, 369, 622 (5 hits)
cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/container.py:415, 423, 625, 686 (4 hits)
src/cube/testing.py:181, 313, 317 (3 hits)
cube-resources/cube-infra-azure/src/cube_infra_azure/azure.py:1736, 1751 (2 hits)
cube-resources/cube-infra-daytona/src/cube_infra_daytona/container.py:187
cube-tools/cube-web-tool/src/cube_web_tool/fetch_tool.py:48
examples/counter-cube-remote/client_raw.py:112
examples/counter-cube-remote/client_sdk.py:80
Error handlingquality
medium Security checks software dependencies conf 0.88 2 occurrences idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
2 files, 2 locations
cube-resources/cube-chat/uv.lock
uv.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-5xmw-vc9v-4wf2
Pillow has a heap buffer overflow with nested list coordinates
cube-resources/cube-chat/uv.lock
medium Security checks software dependencies conf 0.88 pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
cube-resources/cube-chat/uv.lock
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 pytest: GHSA-6w46-j5rx-g56g
pytest has vulnerable tmpdir handling
cube-resources/cube-chat/uv.lock
medium Security checks software dependencies conf 0.88 python-multipart: GHSA-mj87-hwqh-73pj
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
cube-tools/cube-browser-tool/uv.lock
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
cube-tools/cube-browser-tool/uv.lock
medium System graph cicd CI/CD security conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/configure-aws-credentials@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/collect_metrics.yaml:41 CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/claude-md-audit.yml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/_exec_relay_server.py:94
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/_exec_relay_server.py:94 Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — cube-resources/cube-infra-azure/src/cube_infra_azure/azure.py:938
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — cube-resources/cube-infra-toolkit/src/cube_infra_toolkit/toolkit.py:613
`urllib.request.urlretrieve(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/release.py:105
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/cube/cli.py:1069
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/cube/infra_local.py:129
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/cube/infra_utils.py:227
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph network Security conf 1.00 Privileged port 12 in use
Port 12 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/claude-md-audit.yml Ports
medium System graph network Security conf 1.00 Privileged port 15 in use
Port 15 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/claude-md-audit.yml Ports
low Security checks quality Quality conf 0.60 6 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 6 locations
src/cube/backends/modal.py:10, 28 (2 hits)
cube-resources/cube-browser-playwright/src/cube_browser_playwright/playwright_session.py:44
cube-resources/cube-vm-backend/src/cube_vm_backend/local.py:24
cube-tools/cube-browser-tool/src/cube_browser_tool/playwright_tool.py:441
src/cube/tool.py:74
duplicationquality
low Security checks quality Documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
low Security checks software dependencies conf 0.88 pygments: GHSA-5239-wwwm-4pmq
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
cube-resources/cube-chat/uv.lock
low System graph quality Maintenance conf 1.00 42 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cube-resources/cube-infra-aws/src/cube_infra_aws/_utils.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cube-resources/cube-infra-azure/src/cube_infra_azure/_utils.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/_includes/js/custom.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/_includes/mermaid_config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/clarif_fixture/benchmark_clarifications.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
lines 19, 22, 89
.github/workflows/collect_metrics.yaml:19, 22, 89 (3 hits)
CI/CD securitySupply chainGithub actions
low System graph quality Integrity conf 1.00 19 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/toy_benchmark/counter.py:reset, examples/toy_benchmark/counter.py:reset This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
19 occurrences
repo-level (19 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: examples/toy_benchmark/counter.py:get_task_configs, examples/counter-cube/src/counter_cube/benchmark.py:get_task_configs, examples/toy_bench_auto_load_from_json/counter.py:get_task_configs This is *the* AI-coder failure mode (4× more duplication in v…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in src/cube/benchmark.py:607
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in src/cube/container.py:149
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in src/cube/core.py:112
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in tests/test_benchmark.py:366
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `model_copy` in tests/test_benchmark_composite.py:168
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_config_registry_lookup_returns_independent_deep_copy` in tests/test_core.py:304
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_messages_returns_copy` in cube-resources/cube-chat/tests/test_simple_chat_session.py:27
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `too_old` in src/cube/infra_local.py:921
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/scripts/smoke/attach_endpoint.py:43
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/scripts/smoke/attach_endpoint.py:40
low System graph software Dead code conf 1.00 Possibly dead Python function: process_typewrite_match
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/src/cube_computer_tool/pyautogui_utils.py:35
low System graph software Dead code conf 1.00 Possibly dead Python function: replace_press_less_than
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/src/cube_computer_tool/pyautogui_utils.py:27
low System graph software Dead code conf 1.00 Possibly dead Python function: run_bash_script
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/src/cube_computer_tool/guest_agent.py:221
low System graph software Dead code conf 1.00 Possibly dead Python function: run_python_script
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cube-tools/cube-computer-tool/src/cube_computer_tool/guest_agent.py:194
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/assets/js/just-the-docs.js:103
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `_setup` (body is just `pass`/`return`) — examples/toy_bench_auto_load_from_json/counter.py:115
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `_setup` (body is just `pass`/`return`) — scripts/smoke/capability_gate_smoke.py:77
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — examples/toy_benchmark/counter.py:210
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `reset` (body is just `pass`/`return`) — src/cube/tools/terminal.py:204
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph api Wiring conf 1.00 Unused endpoint: POST /
`src/cube/server.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: cube-resources/cube-infra-aws/src/cube_infra_aws/aws.py (1630 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: cube-resources/cube-infra-azure/src/cube_infra_azure/azure.py (2529 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/cube/benchmark.py (1200 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/cube/cli.py (1556 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/427d983d-a5bc-43ee-bedb-c5b68d62f339/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/427d983d-a5bc-43ee-bedb-c5b68d62f339/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.