
Scan timing: clone 2.65s · analysis 30.19s · 5.0 MB · GitHub API rate-limit (preflight)

AMAP-ML/SkillClaw

https://github.com/AMAP-ML/SkillClaw · scanned 2026-06-03 02:41 UTC (6 days, 20 hours ago) · 10 languages

880 raw signals (141 security + 739 graph) · 51st percentile · Python · medium (20-100K LoC) · System graph score 86 (lower by 22)


Complete repo analysis

Last scanned 6 days, 20 hours ago · v8 · 162 actionable findings from 2 signal sources. 75 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 32.3 0.25 8.07
testing_score 90.0 0.20 18.00
documentation_score 85.0 0.15 12.75
practices_score 70.0 0.15 10.50
code_quality 37.6 0.10 3.76
Overall 1.00 64.3
Scan summary: Quality grade C+ (64/100). Dimensions: security 32, maintainability 75. 141 findings (46 security). 28,713 lines analyzed.

Showing 151 of 162 actionable findings. 237 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 h11: GHSA-vqfr-h8mv-ghfj
h11 accepts some malformed Chunked-Encoding bodies
requirements.txt
critical Security checks software dependencies conf 0.88 httpx: GHSA-h8pj-cxx2-jfg2
Improper Input Validation in httpx
requirements.txt
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
2 files, 3 locations
skillclaw/dashboard_ingest.py:251, 300 (2 hits)
skillclaw/skill_manager.py:328
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/v1/skills/{skill_id}.
skillclaw/dashboard_server.py:586
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/v1/skills/{skill_id}/activate.
skillclaw/dashboard_server.py:593
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/v1/validation/jobs/{job_id}/review.
skillclaw/dashboard_server.py:687
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._connect` used but never assigned in __init__
Method `initialize` of class `DashboardStore` reads `self._connect`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
skillclaw/validation_store.py:72, 75, 78, 81, 96, 102, 108, 116, +8 more (16 hits)
skillclaw/dashboard_store.py:40, 141, 142, 327, 328, 372, 401, 403, +1 more (9 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /v1/responses/{response_id} has no auth
Handler `delete_response` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1737
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/ops/export-sessions has no auth
Handler `export_sessions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:669
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/ops/pull has no auth
Handler `pull_skills` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:643
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/ops/push has no auth
Handler `push_skills` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:655
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/ops/sync has no auth
Handler `sync_skills` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:662
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/ops/trigger-evolve has no auth
Handler `trigger_evolve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:681
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/skills/{skill_id}/activate has no auth
Handler `activate_skill` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:594
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/sync has no auth
Handler `sync_projection` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:639
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/validation/jobs/{job_id}/review has no auth
Handler `submit_review` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/dashboard_server.py:688
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /internal/reload-skills has no auth
Handler `reload_skills` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1538
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /trigger has no auth
Handler `trigger_evolve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
evolve_server/engines/workflow.py:1035
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /trigger has no auth
Handler `trigger_evolve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
evolve_server/engines/agent.py:491
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /v1/chat/completions has no auth
Handler `chat_completions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1571
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /v1/messages has no auth
Handler `anthropic_messages` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1771
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /v1/messages/count_tokens has no auth
Handler `anthropic_count_tokens` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1755
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /v1/responses has no auth
Handler `responses` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
skillclaw/api_server.py:1619
high Security checks software dependencies conf 0.88 fastapi: PYSEC-2024-38
FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very d…
requirements.txt
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
Action `astral-sh/setup-uv` pinned to mutable ref `@v5` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/lint.yml:13 · CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/lint.yml:12 · CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 idna: PYSEC-2024-60
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulne…
requirements.txt
high Security checks software dependencies conf 0.90 ✓ Repobility pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.12.2`
`.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.12.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:2
high Security checks software dependencies conf 0.88 starlette: GHSA-f96h-pmfr-66vw
Starlette Denial of service (DoS) via multipart/form-data
requirements.txt
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
requirements.txt
high Security checks software dependencies conf 0.88 tqdm: PYSEC-2017-74
The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2020-148
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2021-108
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redir…
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2023-192
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak infor…
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2023-212
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required b…
requirements-server.txt
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
requirements-server.txt
high Security checks software dependencies conf 0.88 uvicorn: PYSEC-2020-150
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted…
requirements.txt
high Security checks software dependencies conf 0.88 uvicorn: PYSEC-2020-151
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
requirements.txt
high System graph security auth conf 1.00 FastAPI DELETE `delete_response` without auth dependency — skillclaw/api_server.py:1736
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1736 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `activate_skill` without auth dependency — skillclaw/dashboard_server.py:593
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:593 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `anthropic_count_tokens` without auth dependency — skillclaw/api_server.py:1754
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1754 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `anthropic_messages` without auth dependency — skillclaw/api_server.py:1770
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1770 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `chat_completions` without auth dependency — skillclaw/api_server.py:1570
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1570 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `export_sessions` without auth dependency — skillclaw/dashboard_server.py:668
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:668 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `pull_skills` without auth dependency — skillclaw/dashboard_server.py:642
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:642 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `push_skills` without auth dependency — skillclaw/dashboard_server.py:654
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:654 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `reload_skills` without auth dependency — skillclaw/api_server.py:1537
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1537 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `responses` without auth dependency — skillclaw/api_server.py:1618
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/api_server.py:1618 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `submit_review` without auth dependency — skillclaw/dashboard_server.py:687
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:687 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sync_projection` without auth dependency — skillclaw/dashboard_server.py:638
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:638 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sync_skills` without auth dependency — skillclaw/dashboard_server.py:661
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:661 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `trigger_evolve` without auth dependency — evolve_server/engines/agent.py:490
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
evolve_server/engines/agent.py:490 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `trigger_evolve` without auth dependency — evolve_server/engines/workflow.py:1034
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
evolve_server/engines/workflow.py:1034 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `trigger_evolve` without auth dependency — skillclaw/dashboard_server.py:680
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
skillclaw/dashboard_server.py:680 · security · Auth · fastapi unauth mutation
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /v1/models.
skillclaw/api_server.py:1548
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /v1/responses/{response_id}.
skillclaw/api_server.py:1736
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/v1/ops/export-sessions.
skillclaw/dashboard_server.py:668
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/v1/ops/trigger-evolve.
skillclaw/dashboard_server.py:680
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/messages.
skillclaw/api_server.py:1770
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v1/messages/count_tokens.
skillclaw/api_server.py:1754
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
skillclaw/utils.py:41
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
skillclaw/launcher.py:52
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
evolve_server/storage/oss_helpers.py:126
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
evolve_server/__main__.py:257
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
skillclaw/config.py:6
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
2 files, 25 locations
skillclaw/dashboard_ingest.py:74, 183, 248, 821, 827, 834, 877, 898, +5 more (13 hits)
skillclaw/api_server.py:222, 258, 345, 352, 377, 382, 471, 485, +4 more (12 hits)
Error handling · quality
medium Security checks quality Quality conf 0.73 Codex session log reader may expose prompts or tool-call content
Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text.
skillclaw/api_server.py:1497
medium Security checks software dependencies conf 0.88 h2: GHSA-847f-9342-265h
h2 allows HTTP Request Smuggling due to illegal characters in headers
requirements.txt
medium Security checks software dependencies conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
requirements-server.txt
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
skillclaw/dashboard_assets/app.js:1116
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 pydantic: GHSA-mr82-8j83-vxmv
Pydantic regular expression denial of service
requirements.txt
medium Security checks software dependencies conf 0.90 ✓ Repobility 8 occurrences requirements.txt: `boto3` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
2 files, 8 locations
requirements-server.txt:2, 3, 4, 5 (4 hits)
requirements.txt:4, 5, 6, 7 (4 hits)
medium Security checks software dependencies conf 0.88 starlette: GHSA-2c2j-9gv5-cj73
Starlette has possible denial-of-service vector when parsing large files in multipart forms
requirements.txt
medium Security checks software dependencies conf 0.88 urllib3: GHSA-34jh-p97f-mpxf
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
requirements-server.txt
medium Security checks software dependencies conf 0.88 urllib3: GHSA-pq67-6m6q-mj2v
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
requirements-server.txt
medium Security checks software dependencies conf 0.88 urllib3: GHSA-wqvq-5m8c-6g24
CRLF injection in urllib3
requirements-server.txt
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
skillclaw/object_store.py:96
low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
evolve_server/storage/mock_bucket.py:97
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
evolve_server/pipeline/skill_verifier.py:60 · duplication · quality
low Security checks software dependencies conf 0.88 tqdm: GHSA-g7vv-2v7x-gj9p
tqdm CLI arguments injection attack
requirements-server.txt
low System graph software Dead code candidate conf 1.00 File has no detected symbols: skillclaw/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file. For a `__main__.py` this is the expected shape: it is the `python -m skillclaw` entry point and normally just imports and calls a `main()` defined elsewhere, so this is a likely false positive.
low System graph quality Integrity conf 1.00 12 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: skillclaw/api_server.py:reload_skills, skillclaw/api_server.py:list_models. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
12 occurrences · repo-level (12 hits) · duplicates · duplication
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: skillclaw/object_store.py:get_object, skillclaw/object_store.py:get_object, skillclaw/object_store.py:get_object. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
Triage note: three methods of the same name in one module are most likely `get_object` on different backend classes sharing an interface, and a matching first five lines there is usually common argument handling rather than a pasted body. A shared prefix between the two route handlers in api_server.py is more plausibly request boilerplate worth factoring into a helper.
4 occurrences · repo-level (4 hits) · duplicates · duplication
low System graph quality Integrity conf 1.00 15 occurrences Old/deprecated-named symbols
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
`bundle_v1`: evolve_server/engines/agent.py:264, evolve_server/engines/workflow.py:300, evolve_server/storage/oss_helpers.py:206, skillclaw/dashboard_ingest.py:90, skillclaw/dashboard_server.py:148, skillclaw/skill_hub.py:227, tests/test_dashboard.py:66, tests/test_skill_bundle_support.py:63
`latest_backup`: skillclaw/claw_adapter.py:566, skillclaw/cli.py:74
`list_objects_v2`: skillclaw/object_store.py:164
`restored_from_backup`: skillclaw/api_server.py:3171, skillclaw/launcher.py:141, skillclaw/nacos_skill_hub.py:509
`test_session_snapshot_upload_uses_stable_deep_copy`: tests/test_session_upload_trigger.py:51
Triage notes: `bundle_v1` is referenced from eight files including two test modules, which reads like the name of a versioned bundle format rather than a stale copy; renaming it would change the format's identity, so confirm before touching it. `list_objects_v2` is the name of the S3 ListObjectsV2 operation and is not a leftover. `latest_backup`, `restored_from_backup` and the test function carry none of the listed suffixes and look like heuristic noise. Vote FP on those if that holds up.
old marker · Dead code
low System graph software Dead code conf 1.00 15 occurrences Possibly dead Python functions
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
add_skills in skillclaw/skill_manager.py:714
all_ids in evolve_server/core/skill_registry.py:153
build_manifest_record in skillclaw/nacos_skill_hub.py:574
bundle_paths in skillclaw/skill_bundle.py:167
chat_complete in skillclaw/bedrock_client.py:195
delete_session_keys in evolve_server/storage/oss_helpers.py:106
fetch_skill_bundle_text in evolve_server/storage/oss_helpers.py:165
handler in scripts/demo_nacos_skill_lifecycle.py:52
list_after_publish in scripts/demo_nacos_skill_lifecycle.py:83
list_session_keys in evolve_server/storage/oss_helpers.py:31
make_bucket in evolve_server/storage/oss_helpers.py:20
purge_record_files in skillclaw/api_server.py:2201
read_json_object in evolve_server/storage/oss_helpers.py:67
retrieve in skillclaw/skill_manager.py:483
run_llm in skillclaw/utils.py:48
Triage notes: `handler` and `list_after_publish` live in a demo script, and `chat_complete` and `run_llm` have the shape of public client helpers, so expect false positives. The two to check first are `delete_session_keys` and `purge_record_files`, both destructive storage operations: if they really are unreachable, deleting them removes attack surface; if a route the AST scan did not resolve reaches them, they belong on the authorization review list alongside the "No auth library detected" finding.
low System graph api Wiring conf 1.00 26 occurrences Unused endpoints
Each route below is declared but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
skillclaw/api_server.py: DELETE /v1/responses/{response_id}, GET /v1/models, GET /v1/responses/{response_id}, POST /internal/reload-skills, POST /v1/chat/completions, POST /v1/messages, POST /v1/messages/count_tokens, POST /v1/responses
skillclaw/dashboard_server.py: GET /, GET /api/v1/evolve/status, GET /api/v1/health, GET /api/v1/overview, GET /api/v1/sessions, GET /api/v1/sessions/{session_id}, GET /api/v1/skills, GET /api/v1/skills/{skill_id}, GET /api/v1/validation/jobs, POST /api/v1/ops/export-sessions, POST /api/v1/ops/pull, POST /api/v1/ops/push, POST /api/v1/ops/sync, POST /api/v1/ops/trigger-evolve, POST /api/v1/skills/{skill_id}/activate, POST /api/v1/sync, POST /api/v1/validation/jobs/{job_id}/review
evolve_server/engines/workflow.py: POST /trigger
Triage notes: /v1/chat/completions, /v1/models and /v1/responses mirror the OpenAI API and /v1/messages and /v1/messages/count_tokens mirror the Anthropic Messages API, so they exist for external agent clients and having no in-repo caller is expected. The dashboard GET routes have an obvious candidate consumer in the 2,643-line skillclaw/dashboard_assets/app.js; check whether the scanner simply failed to match its fetch calls before treating them as dead. The rows that matter for security are the state-changing routes with no visible caller and, per the "No auth library detected" finding, no detected auth layer: POST /internal/reload-skills, the POST /api/v1/ops/* routes, POST /api/v1/skills/{skill_id}/activate, POST /api/v1/validation/jobs/{job_id}/review and POST /trigger. For each, either document the caller and the credential it presents, or remove the route.
Unused endpoint
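One way to settle the "No auth library detected" finding for the state-changing routes listed here, written as an added example for this page rather than taken from SkillClaw. `probe` sends each route with no Authorization header and an empty body and classifies the answer; `demo` runs it against a constructed stand-in HTTP server (started in a thread on a loopback port, and in no way a model of the real servers) that guards the /api/v1/ops/* routes, /trigger and the activate route with a bearer-token check and leaves /internal/reload-skills open, so the example runs offline and shows both outcomes. The route list and placeholders are the assumptions here. Point `probe` at a staging deployment only: an unguarded POST will actually do the thing.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Routes taken from this scan's "Unused endpoint" findings. Path parameters are
# filled with a harmless placeholder so the request is well formed.
STATE_CHANGING_ROUTES = [
    ("POST", "/internal/reload-skills"),
    ("POST", "/api/v1/ops/push"),
    ("POST", "/api/v1/ops/trigger-evolve"),
    ("POST", "/api/v1/skills/{skill_id}/activate"),
    ("POST", "/trigger"),
]
PLACEHOLDERS = {"{skill_id}": "probe", "{response_id}": "probe", "{job_id}": "probe"}


def classify(status: int) -> str:
    """2xx with no credentials means the route is open; 401/403 means some
    check ran; anything else needs a human look (404 may just be a mount issue)."""
    if 200 <= status < 300:
        return "OPEN"
    if status in (401, 403):
        return "guarded"
    return f"other:{status}"


def probe(base_url: str, routes=STATE_CHANGING_ROUTES) -> dict:
    """Hit each route with no Authorization header and an empty body."""
    # Empty ProxyHandler: never let an http_proxy in the environment intercept this.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for method, template in routes:
        path = template
        for key, value in PLACEHOLDERS.items():
            path = path.replace(key, value)
        body = b"" if method != "GET" else None
        req = urllib.request.Request(base_url + path, data=body, method=method)
        try:
            with opener.open(req, timeout=5) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code
        results[f"{method} {template}"] = classify(status)
    return results


class _StandInHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, NOT SkillClaw: /api/v1/ops/*, /trigger and
    .../activate demand a bearer token; /internal/reload-skills answers anyone."""

    def _answer(self) -> None:
        guarded = (self.path.startswith("/api/v1/ops/")
                   or self.path == "/trigger"
                   or self.path.endswith("/activate"))
        has_token = self.headers.get("Authorization", "").startswith("Bearer ")
        self.send_response(401 if (guarded and not has_token) else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_DELETE = _answer

    def log_message(self, *args) -> None:   # keep the demo quiet
        pass


def demo() -> dict:
    """Run the probe against the stand-in server; returns the classification map."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for route, verdict in demo().items():
        print(f"{verdict:8} {route}")
```

Any "OPEN" row on a real deployment is the answer to the coverage finding; a row that is "guarded" only because a reverse proxy in front rejected it should be recorded as such, since the route is still unguarded if the service is ever reached directly.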
low System graph quality Complexity conf 1.00 5 occurrences Very large files
Files with >800 lines often hide complexity hotspots and discourage tests.
skillclaw/api_server.py (3438 lines), skillclaw/dashboard_assets/app.js (2643 lines), skillclaw/claw_adapter.py (1708 lines), tests/test_dashboard.py (1512 lines), skillclaw/dashboard_ingest.py (1375 lines)
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/6305a5e6-dcd4-4ac8-a363-2cfcd00740d3/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6305a5e6-dcd4-4ac8-a363-2cfcd00740d3/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.