DanOps-1/Gpt-Agreement-Payment

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

119 of your 180 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.24s · analysis 4.84s · 5.7 MB · GitHub preflight 430ms

https://github.com/DanOps-1/Gpt-Agreement-Payment · scanned 2026-05-28 02:30 UTC (1 week, 5 days ago) · 10 languages

1436 raw signals (167 security + 1269 graph) 66th percentile · Python · medium (20-100K LoC) System graph score 57 (higher by 16)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 5 days ago · v7 · 244 actionable findings from 2 signal sources. 128 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 178 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	55.0	0.15	8.25
`security_score`	66.8	0.25	16.70
`testing_score`	88.0	0.20	17.60
`documentation_score`	100.0	0.15	15.00
`practices_score`	78.0	0.15	11.70
`code_quality`	34.5	0.10	3.45
Overall		1.00	72.7

Severity distribution — click a segment to filter

Active filters: layer: api × excluding tests × Reset all

Severity: Critical 1 High 62 Medium 8 Low 122 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 66 System graph 178 Crowd 0 Layer: Cicd 6 Quality 90 Security 53 Software 35 Frontend 4 Hardware 4 Api 52

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B (73/100). Dimensions: security 67, maintainability 55. 167 findings (15 security). 71,969 lines analyzed.

Showing 52 of 244 actionable findings. 372 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high System graph api Wiring conf 1.00 Dangling fetch: POST /graphql/ (CTF-pay/scripts/paypal_node_rpa.js:681)

`CTF-pay/scripts/paypal_node_rpa.js:681` calls `POST /graphql/` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/graphql` If this points at an external API, prefix it with `https://` so the matcher skips it.

Dangling fetchFetch

high System graph api Wiring conf 1.00 Dangling fetch: POST https://www.meiguodizhi.com/api/v1/dz (CTF-pay/scripts/paypal_node_rpa.js:223)

`CTF-pay/scripts/paypal_node_rpa.js:223` calls `POST https://www.meiguodizhi.com/api/v1/dz` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/www.meiguodizhi.com/api/v1/dz` If this points at an external API, pre…

Dangling fetchFetch

low System graph api Wiring conf 1.00 Unused endpoint: DELETE /

`webui/backend/routes/promo_links.py` declares `DELETE /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: DELETE /{email}

`webui/backend/routes/outlook.py` declares `DELETE /{email}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: DELETE /{link_id}

`webui/backend/routes/promo_links.py` declares `DELETE /{link_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /

`webui/backend/routes/link_state.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /accounts

`webui/backend/routes/inventory.py` declares `GET /accounts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /api/healthz

`webui/server.py` declares `GET /api/healthz` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /current

`webui/backend/routes/proxy.py` declares `GET /current` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /ingest-info

`webui/backend/routes/whatsapp.py` declares `GET /ingest-info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /latest-otp

`webui/backend/routes/whatsapp.py` declares `GET /latest-otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /latest-otp-session

`webui/backend/routes/whatsapp.py` declares `GET /latest-otp-session` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /list

`webui/backend/routes/promo_links.py` declares `GET /list` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /logs

`webui/backend/routes/run.py` declares `GET /logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /me

`webui/backend/routes/auth.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /qris/state

`webui/backend/routes/run.py` declares `GET /qris/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /state

`webui/backend/routes/wizard.py` declares `GET /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /stats

`webui/backend/routes/promo_links.py` declares `GET /stats` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /stream

`webui/backend/routes/run.py` declares `GET /stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /webui/api/healthz

`webui/server.py` declares `GET /webui/api/healthz` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /webui/{full_path:path}

`webui/server.py` declares `GET /webui/{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /{full_path:path}

`webui/server.py` declares `GET /{full_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: GET /{phone}

`webui/backend/routes/link_state.py` declares `GET /{phone}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /

`webui/backend/routes/setup.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /accounts/check

`webui/backend/routes/inventory.py` declares `POST /accounts/check` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /accounts/cpa-autofill-push

`webui/backend/routes/inventory.py` declares `POST /accounts/cpa-autofill-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /accounts/cpa-push

`webui/backend/routes/inventory.py` declares `POST /accounts/cpa-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /accounts/delete

`webui/backend/routes/inventory.py` declares `POST /accounts/delete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /accounts/refresh-rt-status

`webui/backend/routes/inventory.py` declares `POST /accounts/refresh-rt-status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /convert-bulk

`webui/backend/routes/promo_links.py` declares `POST /convert-bulk` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /device-code/poll

`webui/backend/routes/outlook.py` declares `POST /device-code/poll` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /device-code/start

`webui/backend/routes/outlook.py` declares `POST /device-code/start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /export

`webui/backend/routes/config.py` declares `POST /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /import

`webui/backend/routes/outlook.py` declares `POST /import` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /ingest

`webui/backend/routes/whatsapp.py` declares `POST /ingest` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /login

`webui/backend/routes/auth.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /logout

`webui/backend/routes/auth.py` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /otp

`webui/backend/routes/run.py` declares `POST /otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /preview

`webui/backend/routes/run.py` declares `POST /preview` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /refresh-rt

`webui/backend/routes/outlook.py` declares `POST /refresh-rt` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /revalidate-all

`webui/backend/routes/outlook.py` declares `POST /revalidate-all` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /rotate-ip

`webui/backend/routes/proxy.py` declares `POST /rotate-ip` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /set

`webui/backend/routes/link_state.py` declares `POST /set` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /settings

`webui/backend/routes/whatsapp.py` declares `POST /settings` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /sidecar/state

`webui/backend/routes/whatsapp.py` declares `POST /sidecar/state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /start

`webui/backend/routes/whatsapp.py` declares `POST /start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /state

`webui/backend/routes/wizard.py` declares `POST /state` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /stop

`webui/backend/routes/whatsapp.py` declares `POST /stop` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /unlink

`webui/backend/routes/link_state.py` declares `POST /unlink` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /{link_id}/convert

`webui/backend/routes/promo_links.py` declares `POST /{link_id}/convert` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /{link_id}/mark-used

`webui/backend/routes/promo_links.py` declares `POST /{link_id}/mark-used` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

low System graph api Wiring conf 1.00 Unused endpoint: POST /{link_id}/status

`webui/backend/routes/promo_links.py` declares `POST /{link_id}/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6af2fc05-432f-4cf8-b415-4aa1a7b84868/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.