112 of your 124 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.47s · analysis 68.28s · 3.9 MB · GitHub preflight 447ms

RAG-Anything

https://github.com/HKUDS/RAG-Anything.git · scanned 2026-06-03 04:02 UTC (2 days, 4 hours ago) · 10 languages

535 findings (165 legacy + 370 scanner) 68th percentile · Python · medium (20-100K LoC) Scanner says 90 (lower by 20)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 days, 4 hours ago · v6 · 228 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 75.0 | 0.15 | 11.25 |
| security_score | 53.4 | 0.25 | 13.35 |
| testing_score | 87.0 | 0.20 | 17.40 |
| documentation_score | 83.0 | 0.15 | 12.45 |
| practices_score | 74.0 | 0.15 | 11.10 |
| code_quality | 45.0 | 0.10 | 4.50 |
| Overall | | 1.00 | 70.0 |

Active filters: excluding tests
Scan summary: Repository scanned at 90.0/100 with 88.9% coverage. It contains 974 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 63 findings — concentrated in quality (32), software (19), cicd (9). Risk profile is low: 0 critical, 0 high, 5 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 185 of 228 findings.

high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
raganything/enhanced_markdown.py:299 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `queue` used but not imported
The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
raganything/parser.py:838 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
raganything/__init__.py:41 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
examples/lmstudio_integration_example.py:131 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._make_embedding_func` used but never assigned in __init__
Method `initialize_rag` of class `OllamaRAGIntegration` reads `self._make_embedding_func`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
examples/ollama_integration_example.py:184 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._make_embedding_func` used but never assigned in __init__
Method `initialize_rag` of class `MiniMaxRAGIntegration` reads `self._make_embedding_func`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
examples/minimax_integration_example.py:223 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.create_fallback_evaluation` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.create_fallback_evaluation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:392 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.create_fallback_evaluation` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.create_fallback_evaluation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:373 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.embedding_func_factory` used but never assigned in __init__
Method `initialize_rag` of class `VLLMRAGIntegration` reads `self.embedding_func_factory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
examples/vllm_integration_example.py:204 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.embedding_func_factory` used but never assigned in __init__
Method `initialize_rag` of class `LMStudioRAGIntegration` reads `self.embedding_func_factory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
examples/lmstudio_integration_example.py:183 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.fix_json_format` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.fix_json_format`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:384 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.fix_json_format` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.fix_json_format`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:365 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.get_accuracy_evaluation_prompt` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.get_accuracy_evaluation_prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:301 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.get_comprehensive_evaluation_prompt` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.get_comprehensive_evaluation_prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:309 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_rag_results` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:478 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_rag_results` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:481 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_rag_results` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:470 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:389 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:370 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:361 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:338 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:445 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:425 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:417 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:318 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `evaluate_single_answer` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:317 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `create_fallback_evaluation` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:281 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `fix_json_format` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:210 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.logger` used but never assigned in __init__
Method `setup_logging` of class `LLMAnswerEvaluator` reads `self.logger`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
reproduce/llm_answer_evaluator.py:44 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v2`
`uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/linting.yaml:17 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/pypi-publish.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/download-artifact` pinned to mutable ref `@v4`
`uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/pypi-publish.yml:44 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v2`
`uses: actions/setup-python@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/linting.yaml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v5`
`uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/pypi-publish.yml:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/upload-artifact` pinned to mutable ref `@v4`
`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/pypi-publish.yml:27 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`
`uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/pypi-publish.yml:50 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `stefanzweifel/git-auto-commit-action` pinned to mutable ref `@v5`
`uses: stefanzweifel/git-auto-commit-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/linting.yaml:33 dependencylegacy
high Legacy software dependency conf 0.88 aiohttp: GHSA-6mq8-rvhq-8wgg
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
requirements.txt dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_chat
Test function `test_chat` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/ollama_integration_example.py:159 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_chat_completion
Test function `test_chat_completion` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/vllm_integration_example.py:157 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_chat_completion
Test function `test_chat_completion` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/minimax_integration_example.py:195 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_chat_completion
Test function `test_chat_completion` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/lmstudio_integration_example.py:134 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_connection
Test function `test_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/vllm_integration_example.py:124 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_connection
Test function `test_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/ollama_integration_example.py:108 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_connection
Test function `test_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/minimax_integration_example.py:150 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_connection
Test function `test_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/lmstudio_integration_example.py:102 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_embedding
Test function `test_embedding` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
examples/ollama_integration_example.py:137 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.6.4`
`.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.6.4`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:8 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility pre-commit hook `https://github.com/mgedmin/check-manifest` pinned to mutable rev `0.49`
`.pre-commit-config.yaml` references `https://github.com/mgedmin/check-manifest` at `rev: 0.49`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v5.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:2 dependencylegacy
high Legacy software dependency conf 0.88 protobuf: GHSA-7gcm-g887-7qv7
protobuf affected by a JSON recursion depth bypass
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 python-multipart: GHSA-59g5-xgcq-4qw3
Denial of service (DoS) via deformation `multipart/form-data` boundary
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 python-multipart: GHSA-pp6c-gr5w-3c5g
python-multipart has Denial of Service via unbounded multipart part headers
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 python-multipart: GHSA-wp53-j4wj-2cfg
Python-Multipart has Arbitrary File Write via Non-Default Configuration
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 setuptools: GHSA-cx63-2mw6-8hw5
setuptools vulnerable to Command Injection via package URL
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 setuptools: PYSEC-2022-43012
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 setuptools: PYSEC-2025-49
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with…
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 uvicorn: PYSEC-2020-150
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted…
requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 uvicorn: PYSEC-2020-151
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-6jhg-hg63-jvvf
AIOHTTP vulnerable to denial of service through large payloads
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-8495-4g3g-x7pr
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-g84x-mcqj-x9qq
AIOHTTP vulnerable to DoS through chunked messages
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-jj3x-wxrx-4x23
AIOHTTP vulnerable to DoS when bypassing asserts
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
requirements.txt dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/ollama_integration_example.py:155 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/ollama_integration_example.py:132 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/minimax_integration_example.py:164 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/minimax_integration_example.py:227 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/minimax_integration_example.py:205 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/minimax_integration_example.py:190 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:236 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:288 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:214 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:195 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:156 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/lmstudio_integration_example.py:120 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:305 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:482 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:395 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:312 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:230 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
examples/batch_processing_example.py:183 qualitylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/checkout@v2` is 4 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v2` is 4 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/linting.yaml:17 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/pypi-publish.yml:15 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/download-artifact@v4` is 4 major version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v4` is 4 major version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage…
.github/workflows/pypi-publish.yml:44 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/setup-python@v2` is 4 major version(s) behind (latest v6.2.0)
`uses: actions/setup-python@v2` is 4 major version(s) behind the latest published release v6.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/linting.yaml:20 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/setup-python@v5` is 1 major version(s) behind (latest v6.2.0)
`uses: actions/setup-python@v5` is 1 major version(s) behind the latest published release v6.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/pypi-publish.yml:16 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/pypi-publish.yml:27 dependencylegacy
medium Legacy software dependency conf 0.90 GitHub Action `stefanzweifel/git-auto-commit-action@v5` is 2 major version(s) behind (latest v7.1.0)
`uses: stefanzweifel/git-auto-commit-action@v5` is 2 major version(s) behind the latest published release v7.1.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had …
.github/workflows/linting.yaml:33 dependencylegacy
medium Legacy software dependency conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
requirements.txt dependencylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `<lambda>` (list)
`def <lambda>(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/modalprocessors_example.py:186 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `<lambda>` (list)
`def <lambda>(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/modalprocessors_example.py:42 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `<lambda>` (list)
`def <lambda>(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/modalprocessors_example.py:25 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `llm_model_func` (list)
`def llm_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
reproduce/index.py:119 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `llm_model_func` (list)
`def llm_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
reproduce/query.py:120 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `llm_model_func` (list)
`def llm_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/insert_content_list_example.py:202 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `llm_model_func` (list)
`def llm_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/raganything_example.py:123 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `vision_model_func` (list)
`def vision_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
reproduce/index.py:131 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `vision_model_func` (list)
`def vision_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
reproduce/query.py:132 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `vision_model_func` (list)
`def vision_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/insert_content_list_example.py:214 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `vision_model_func` (list)
`def vision_model_func(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
examples/raganything_example.py:135 qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt qualitylegacy
medium Legacy software dependency conf 0.88 pypdf: GHSA-3crg-w4f6-42mx
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 pypdf: GHSA-4pxv-j86v-mhcw
pypdf: Possible long runtimes for wrong size values in incremental mode
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 pypdf: GHSA-7gw9-cf7v-778f
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 pypdf: GHSA-jj6c-8h6c-hppx
pypdf has long runtimes for wrong size values in cross-reference and object streams
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 pypdf: GHSA-x284-j5p8-9c5p
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 python-multipart: GHSA-mj87-hwqh-73pj
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
requirements.txt dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `huggingface_hub` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
requirements.txt:1 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `lightrag-hku` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
requirements.txt:3 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `mineru[core]` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
requirements.txt:5 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `tqdm` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
requirements.txt:7 dependencylegacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pypi-publish.yml:50 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
stefanzweifel/git-auto-commit-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linting.yaml:33 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/pypi-publish.yml supply-chaingithub-actionsleast-privilege
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — raganything/parser.py:267
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy software dependency conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-54jq-c3m8-4m76
AIOHTTP vulnerable to brute-force leak of internal static file path components
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-69f9-5gxw-wvc2
AIOHTTP's unicode processing of header values could cause parsing discrepancies
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-9548-qrrj-x5pj
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-fh55-r93g-j68g
AIOHTTP Vulnerable to Cookie Parser Warning Storm
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-mqqc-3gqh-h2x8
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
requirements.txt dependencylegacy
low Legacy software dependency conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
requirements.txt dependencylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: raganything/prompts_zh.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/create_tiktoken_cache.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pypi-publish.yml:27 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pypi-publish.yml:44 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linting.yaml:17 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/linting.yaml:20 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_empty_extraction_returns_copy` in tests/test_omml_extractor.py:376
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_parse_complete, raganything/callbacks.py:on_parse_complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_text_insert_complete, raganything/callbacks.py:on_text_insert_complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_multimodal_complete, raganything/callbacks.py:on_multimodal_complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_query_complete, raganything/callbacks.py:on_query_complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_query_error, raganything/callbacks.py:on_query_error This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_document_complete, raganything/callbacks.py:on_document_complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separa…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/callbacks.py:on_document_error, raganything/callbacks.py:on_document_error This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/parser.py:parse_text_file, raganything/parser.py:parse_text_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/parser.py:read_from_block_recursive, raganything/parser.py:read_from_block This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/config.py:mineru_parse_method, raganything/config.py:mineru_parse_method This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/resilience.py:retry, raganything/resilience.py:async_retry This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/resilience.py:decorator, raganything/resilience.py:decorator This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: raganything/batch_parser.py:process_batch, raganything/batch_parser.py:process_batch_async This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: raganything/parser.py:parse_image, raganything/parser.py:parse_image, raganything/parser.py:parse_image This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why the…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: raganything/parser.py:parse_office_doc, raganything/parser.py:parse_office_doc, raganything/parser.py:parse_office_doc This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or d…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: raganything/batch.py:process_documents_batch, raganything/batch.py:process_documents_batch_async, raganything/batch.py:process_documents_with_rag_batch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/a…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: raganything/parser.py:parse_pdf, raganything/parser.py:parse_pdf, raganything/parser.py:parse_pdf, raganything/parser.py:parse_pdf This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Cons…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: raganything/parser.py:parse_document, raganything/parser.py:parse_document, raganything/parser.py:parse_document, raganything/parser.py:parse_document This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: raganything/parser.py:check_installation, raganything/parser.py:check_installation, raganything/parser.py:check_installation, raganything/parser.py:check_installation This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: raganything/resilience.py:wrapper, raganything/resilience.py:wrapper, raganything/resilience.py:wrapper, raganything/resilience.py:wrapper This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygien…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: async_call
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/resilience.py:378 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: check_parser_installation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/raganything.py:474 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/resilience.py:188 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: enqueue_output
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/parser.py:831 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: fix_string_content
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/modalprocessors.py:678 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: link_replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/parser.py:596 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: lmstudio_embedding_async
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/lmstudio_integration_example.py:63 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: lmstudio_llm_model_func
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/lmstudio_integration_example.py:45 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: process_document_example
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/lmstudio_integration_example.py:199 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: process_documents_batch_async
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/batch.py:229 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: process_folder_complete
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/batch.py:34 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: query_examples
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/lmstudio_integration_example.py:217 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: query_with_multimodal
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/query.py:844 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replace_image_path
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/query.py:618 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_config
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/raganything.py:249 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_context_config
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/raganything.py:578 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: verify_parser_installation_once
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
raganything/raganything.py:483 dead-code
low 9-layer quality integrity conf 1.00 Stub function `_noop_mark_multimodal` (body is just `pass`/`return`) — examples/lmstudio_integration_example.py:188
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `_noop_mark_multimodal` (body is just `pass`/`return`) — examples/vllm_integration_example.py:208
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality complexity conf 1.00 Very large file: raganything/modalprocessors.py (1614 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: raganything/parser.py (2660 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: raganything/processor.py (2258 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: reproduce/llm_answer_evaluator.py (1876 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
raganything/asset_urls.py:113 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
scripts/create_tiktoken_cache.py:13 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/minimax_integration_example.py:153 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
raganything/config.py:12 qualitylegacy
API access

This page is publicly accessible at: https://repobility.com/scan/507e544d-338a-43d7-8a53-56003e3386c2/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/507e544d-338a-43d7-8a53-56003e3386c2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.