
GenericAgent

https://github.com/lsdefine/GenericAgent.git · scanned 2026-05-17 02:55 UTC (14 hours, 29 minutes ago) · 10 languages

232 findings (24 legacy + 208 scanner) 55th percentile · Python · medium (20-100K LoC) Scanner says 82 (lower by 28)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 14 hours, 29 minutes ago · v2 · 129 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Active filters: excluding tests
Severity: Critical 0 · High 27 · Medium 17 · Low 80
Source: Legacy 24 · 9-layer 105 · Crowd 0
Layer: Quality 54 · Security 18 · Software 33 · Frontend 3 · Data 1 · Cicd 1 · Api 19
Scan summary

Repository scanned at 82.3/100 with 100.0% coverage. It contains 1452 nodes across 18 cross-layer flows, written primarily in mixed languages. Engine surfaced 105 findings — concentrated in quality (42), software (28), api (19). Risk profile is high: 0 critical, 13 high, 9 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 129 of 129 findings.

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
agentmain.py:208 path_traversallegacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
memory/vision_api.template.py:55 path_traversallegacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
memory/ocr_utils.py:52 path_traversallegacy
high Legacy security credential_exposure conf 0.85 [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
assets/configure_mykey.py:939 credential_exposurelegacy
high Legacy security credential_exposure conf 0.85 [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
llmcore.py:168 credential_exposurelegacy
high Legacy software xxe conf 1.00 [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all.
frontends/stapp2.py:837 xxelegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
llmcore.py:105 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
frontends/desktop/static/app.js:1885 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
TMWebDriver.py:17 ssrflegacy
high Legacy security llm_injection conf 0.82 LLM memory extraction can be prompt-injected into storing fake facts
Strict-JSON memory extraction from raw user and assistant text can be manipulated by a user message unless extracted facts are schema-validated and filtered before persistence.
frontends/qtapp.py:448 llm_injectionlegacy
high Legacy quality testing No test files found
Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.
testinglegacy
high 9-layer quality integrity conf 1.00 Blocking `requests.post(...)` inside `async def _get_access_token` — frontends/dingtalkapp.py:35
Sync I/O inside an async function blocks the event loop. While `requests.post(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_t…
frontends/dingtalkapp.py:35 integritysync-io-in-asyncperformance
high 9-layer quality integrity conf 1.00 Blocking `requests.post(...)` inside `async def _send_batch_message` — frontends/dingtalkapp.py:66
Sync I/O inside an async function blocks the event loop. While `requests.post(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_t…
frontends/dingtalkapp.py:66 integritysync-io-in-asyncperformance
high 9-layer api wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:18765 (assets/tmwd_cdp_bridge/background.js:220)
`assets/tmwd_cdp_bridge/background.js:220` calls `GET http://127.0.0.1:18765` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/127.0.0.1:18765` If this points at an external API, prefix it with `https://` so the…
wiringdangling-fetchfetch
high 9-layer security auth conf 1.00 FastAPI POST `api_chat` without auth dependency — frontends/conductor.py:390
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
frontends/conductor.py:390 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `api_start_subagent` without auth dependency — frontends/conductor.py:346
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
frontends/conductor.py:346 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `api_subagent_action` without auth dependency — frontends/conductor.py:352
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
frontends/conductor.py:352 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_post` without auth dependency — assets/agent_bbs.py:157
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
assets/agent_bbs.py:157 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `startup` without auth dependency — assets/agent_bbs.py:145
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
assets/agent_bbs.py:145 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file` without auth dependency — assets/agent_bbs.py:195
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
assets/agent_bbs.py:195 authowaspauth.fastapi.unauth_mutation
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in assets/tmwd_cdp_bridge/background.js:177
Found a known-risky pattern (eval_used). Review and replace if possible.
assets/tmwd_cdp_bridge/background.js:177 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in frontends/desktop/src-tauri/src/lib.rs:282
Found a known-risky pattern (eval_used). Review and replace if possible.
frontends/desktop/src-tauri/src/lib.rs:282 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in ga.py:300
Found a known-risky pattern (eval_used). Review and replace if possible.
ga.py:300 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in ga.py:301
Found a known-risky pattern (exec_used). Review and replace if possible.
ga.py:301 owaspexec_used
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
frontends/continue_cmd.py:171 error_handlinglegacy
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
frontends/fsapp.py:704 error_handlinglegacy
high Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
frontends/qqapp.py:40 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
frontends/desktop/static/app.js:772 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
assets/tmwd_cdp_bridge/background.js:124 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
assets/tmwd_cdp_bridge/disable_dialogs.js:19 error_handlinglegacy
medium Legacy security crypto conf 1.00 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness.
frontends/desktop/static/app.js:804 cryptolegacy
medium Legacy quality practices No CI/CD configuration found
Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request.
practiceslegacy
medium Legacy quality quality conf 0.82 Parallel implementation file sits beside a canonical file
AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app.
frontends/tuiapp_v2.py:1 qualitylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/installation_zh.md:38 dependencylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path.
frontends/tuiapp_v2.py:1 qualitylegacy
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — agentmain.py:194
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — frontends/desktop_bridge.py:571
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — ga_cli/cli.py:132
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — memory/adb_ui.py:80
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — memory/vision_api.template.py:81
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
coverage
medium 9-layer data coverage conf 1.00 ORM models found but no DB engine detected
The repo defines tables/models but no DB connection string was found. Likely lives in env vars or a config file the scanner didn't read.
coverage
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 61 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
testscoverage
low Legacy quality quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code.
frontends/tuiapp_v2.py:1 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
frontends/dcapp.py:272 qualitylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ga_cli/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: mykey_template.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: mykey_template_en.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_to_markdown_v2` in frontends/tgapp.py:89
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `desktop_pet_v2` in frontends/stapp.py:77
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `register_p2_im_message_receive_v1` in frontends/fsapp.py:689
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `tuiapp_v2` in frontends/tuiapp_v2.py:4
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: llmcore.py:ask, llmcore.py:ask This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: llmcore.py:make_messages, llmcore.py:make_messages This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: llmcore.py:chat, llmcore.py:chat This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/qtapp.py:paintEvent, frontends/qtapp.py:paintEvent This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/qtapp.py:enterEvent, frontends/qtapp.py:enterEvent This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/qtapp.py:leaveEvent, frontends/qtapp.py:leaveEvent This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/qtapp.py:eventFilter, frontends/qtapp.py:eventFilter This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/qtapp.py:resizeEvent, frontends/qtapp.py:resizeEvent This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tgapp.py:prime, frontends/tgapp.py:prime This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tgapp.py:add_chunk, frontends/tgapp.py:add_chunk This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tgapp.py:finalize, frontends/tgapp.py:finalize This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tgapp.py:finish_with_notice, frontends/tgapp.py:finish_with_notice This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tuiapp.py:default_agent_factory, frontends/tuiapp_v2.py:default_agent_factory This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tuiapp.py:current, frontends/tuiapp_v2.py:current This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tuiapp_v2.py:on_mount, frontends/tuiapp_v2.py:on_mount This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: frontends/tuiapp_v2.py:on_option_list_option_selected, frontends/tuiapp_v2.py:on_option_list_option_selected This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document wh…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: memory/skill_search/skill_search/engine.py:from_dict, memory/skill_search/skill_search/engine.py:from_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: frontends/tuiapp_v2.py:action_cancel, frontends/tuiapp_v2.py:action_cancel, frontends/tuiapp_v2.py:action_cancel This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or documen…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: frontends/tuiapp_v2.py:compose, frontends/tuiapp_v2.py:compose, frontends/tuiapp_v2.py:compose This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're sepa…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: llmcore.py:raw_ask, llmcore.py:raw_ask, llmcore.py:raw_ask, llmcore.py:raw_ask This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_ask_user
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:308 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_code_run
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:281 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_file_patch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:358 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_file_read
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:405 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_file_write
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:372 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_no_tool
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:452 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_start_long_term_update
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:502 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_update_working_checkpoint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:435 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_web_execute_js
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:330 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: do_web_scan
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:315 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: enter_plan_mode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:427 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: fast_ask
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
llmcore.py:1029 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_close
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
TMWebDriver.py:154 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: json_default
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent_loop.py:31 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: jump
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
TMWebDriver.py:281 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_request
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
TMWebDriver.py:108 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:180 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_agent_turn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
frontends/desktop_bridge.py:205 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: safeprint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
llmcore.py:85 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: set_session
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
TMWebDriver.py:270 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: start_temp_monitor
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
simphtml.py:636 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: stream_reader
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
ga.py:41 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: to_allowed_set
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
frontends/chatapp_common.py:214 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tool_after_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent_loop.py:16 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tool_before_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent_loop.py:15 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — assets/tmwd_cdp_bridge/background.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — frontends/desktop/static/app.js:1838
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `action_noop` (body is just `pass`/`return`) — frontends/tuiapp_v2.py:1182
Likely an AI scaffold that was never filled in. Remove or implement.
integrity empty-handler dead-code
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /api/longpoll
`TMWebDriver.py` declares `ANY /api/longpoll` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /api/result
`TMWebDriver.py` declares `ANY /api/result` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /link
`TMWebDriver.py` declares `ANY /link` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`frontends/conductor.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /authors
`assets/agent_bbs.py` declares `GET /authors` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /chat
`frontends/conductor.py` declares `GET /chat` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /count
`assets/agent_bbs.py` declares `GET /count` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /file/{rand_id}/{filename}
`assets/agent_bbs.py` declares `GET /file/{rand_id}/{filename}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /poll
`assets/agent_bbs.py` declares `GET /poll` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /posts
`assets/agent_bbs.py` declares `GET /posts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /readme
`frontends/conductor.py` declares `GET /readme` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /subagent
`frontends/conductor.py` declares `GET /subagent` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /chat
`frontends/conductor.py` declares `POST /chat` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /file/upload
`assets/agent_bbs.py` declares `POST /file/upload` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /post
`assets/agent_bbs.py` declares `POST /post` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /register
`assets/agent_bbs.py` declares `POST /register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /subagent
`frontends/conductor.py` declares `POST /subagent` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /subagent/{sid}
`frontends/conductor.py` declares `POST /subagent/{sid}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: assets/configure_mykey.py (1284 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: frontends/desktop/static/app.js (2113 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: frontends/qtapp.py (2478 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: frontends/tuiapp_v2.py (3935 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: llmcore.py (1032 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in frontends/desktop/static/app.js:1358
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity commented-code dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (5 lines) in mykey_template_en.py:10
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity commented-code dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (6 lines) in mykey_template.py:50
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity commented-code dead-code
info 9-layer quality integrity conf 1.00 Commented-code block (8 lines) in frontends/tuiapp_v2.py:116
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
integrity commented-code dead-code
info 9-layer frontend coverage conf 1.00 No frontend routes/components detected
No React/Vue/Next routes were found. This is fine for backend-only repos.
coverage
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/6356c847-6391-4ef0-ab26-f9c0d2936561/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6356c847-6391-4ef0-ab26-f9c0d2936561/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.