206 of your 376 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 87.99s for a 76.6 MB repo (slow).
  • Repobility's analysis ran in 13.6s after the clone landed.

Shubhamsaboo/awesome-llm-apps

https://github.com/Shubhamsaboo/awesome-llm-apps · scanned 2026-06-05 05:31 UTC (9 hours, 12 minutes ago) · 10 languages

1041 findings (339 legacy + 702 scanner) · 11/13 scanners ran · 16th percentile · Python · large (100-500K LoC) · Scanner says 46 (higher by 15)


Complete repo analysis

Last scanned 9 hours, 12 minutes ago · v2 · 690 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            40.0     0.15           6.00
security_score            100.0     0.25          25.00
testing_score              17.0     0.20           3.40
documentation_score        76.0     0.15          11.40
practices_score            65.0     0.15           9.75
code_quality               55.0     0.10           5.50
Overall                              1.00           61.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Repository scanned at 46.4/100 with 100.0% coverage. It contains 5389 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 351 findings — concentrated in quality (76), software (73), api (68). Risk profile is high: 1 critical, 70 high, 47 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 90 of 690 findings.

medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
auth · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/db/articles.py:111 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/agents/scrape_agent.py:119 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
advanced_ai_agents/multi_agent_apps/agent_teams/multimodal_coding_agent_team/ai_coding_agent_o3.py:81 · error_handling · legacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
generative_ui_agents/ai-mcp-app-builder/apps/threejs-server/server-utils.ts:38 · error_handling · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/agent/service.py:37 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `create_podcast` (dict): `def create_podcast(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def create_podcast(x=None): x = x or []`
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/utils/text_to_audio_elevenslab.py:127 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `system_prompt` (list): `def system_prompt(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def system_prompt(x=None): x = x or []`
advanced_ai_agents/single_agent_apps/windows_use_autonomous_agent/windows_use/agent/prompt/service.py:15 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `text_to_speech_elevenlabs` (dict): `def text_to_speech_elevenlabs(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def text_to_speech_elevenlabs(x=None): x = x or []`
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/utils/text_to_audio_elevenslab.py:47 · quality · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `agno` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `agno` with `agno==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_reasoning_agent/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `duckduckgo-search` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `duckduckgo-search` with `duckduckgo-search==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/xai_finance_agent/requirements.txt:2 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `duckduckgo-search` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `duckduckgo-search` with `duckduckgo-search==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_breakup_recovery_agent/requirements.txt:5 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `fastapi` with `fastapi==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_reasoning_agent/requirements.txt:3 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `google-search-results` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `google-search-results` with `google-search-results==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_travel_agent/requirements.txt:4 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `icalendar` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `icalendar` with `icalendar==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_travel_agent/requirements.txt:5 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `langchain-anthropic` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `langchain-anthropic` with `langchain-anthropic==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_meme_generator_agent_browseruse/requirements.txt:5 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `langchain-openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `langchain-openai` with `langchain-openai==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_meme_generator_agent_browseruse/requirements.txt:4 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `matplotlib` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `matplotlib` with `matplotlib==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_data_visualisation_agent/requirements.txt:7 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `ollama` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `ollama` with `ollama==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_reasoning_agent/requirements.txt:2 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `openai-agents` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `openai-agents` with `openai-agents==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/openai_research_agent/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `openai` with `openai==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/openai_research_agent/requirements.txt:2 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `openai` with `openai==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_travel_agent/requirements.txt:3 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `pandas` with `pandas==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_data_visualisation_agent/requirements.txt:6 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `playwright` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `playwright` with `playwright==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/web_scraping_ai_agent/requirements.txt:3 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `requests` with `requests==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_blog_to_podcast_agent/requirements.txt:4 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `scrapegraphai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `scrapegraphai` with `scrapegraphai==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/web_scraping_ai_agent/requirements.txt:2 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `streamlit` with `streamlit==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/mixture_of_agents/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `streamlit` with `streamlit==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_data_visualisation_agent/requirements.txt:5 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `streamlit` with `streamlit==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_travel_agent/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `streamlit` with `streamlit==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_meme_generator_agent_browseruse/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `streamlit` with `streamlit==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/web_scraping_ai_agent/requirements.txt:1 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `together` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `together` with `together==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/mixture_of_agents/requirements.txt:2 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `uvicorn` with `uvicorn==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/ai_reasoning_agent/requirements.txt:4 · dependency · legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `yfinance` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `yfinance` with `yfinance==<version>` and manage upgrades through PRs / Dependabot.
starter_ai_agents/xai_finance_agent/requirements.txt:3 · dependency · legacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/scheduler.py:97 · injection · legacy
medium Legacy quality quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
generative_ui_agents/ai-dashboard-canvas-agent/agent/server.py:22 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/backend/services/db_service.py:117 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
advanced_ai_agents/single_agent_apps/earnings_call_analyst_agent/agent.py:111 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/tools/jikan_search.py:48 · quality · legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/tools/embedding_search.py:16 · quality · legacy
medium Legacy cicd docker conf 0.94 Compose service `neo4j` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
rag_tutorials/knowledge_graph_rag_citations/docker-compose.yml:3 · docker · legacy
medium Legacy cicd docker conf 0.94 Compose service `ollama` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
rag_tutorials/knowledge_graph_rag_citations/docker-compose.yml:21 · docker · legacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore · docker · legacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ChatMessage.js:320
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ScriptConfirmation.js:116
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/pages/ArticleDetail.js:217
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — awesome_agent_skills/self-improving-agent-skills/frontend/src/app/layout.tsx:21
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — generative_ui_agents/ai-dashboard-canvas-agent/src/components/ui/chart.tsx:83
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — generative_ui_agents/ai-shadcn-component-generator/apps/ui/src/components/ui/chart.tsx:75
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/client/app/api/plan/submit/route.ts:114
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/client/app/api/plans/[id]/retry/route.ts:77
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/client/app/plan/page.tsx:300
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/client/middleware.ts:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — advanced_ai_agents/multi_agent_apps/ai_negotiation_battle_simulator/frontend/src/app/page.tsx:294
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — generative_ui_agents/ai-mcp-app-builder/apps/web/app/page.tsx:226
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — rag_tutorials/multimodal_agentic_rag/frontend/src/App.tsx:481
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: advanced_ai_agents/multi_agent_apps/agent_teams/ai_travel_planner_agent_team/backend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: generative_ui_agents/ai-deep-research-agent/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: generative_ui_agents/ai-financial-coach-agent/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: generative_ui_agents/generative-ui-starter-project/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: generative_ui_agents/mcp-apps-generative-ui-showcase/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: generative_ui_agents/mcp-apps-generative-ui-showcase/mcp-server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: rag_tutorials/knowledge_graph_rag_citations/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer quality integrity conf 1.00 Frontend route `/articles/:articleId` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `/podcasts/:identifier` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `/social-media/:postId` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrityorphan-pagewiring
medium 9-layer quality integrity conf 1.00 Frontend route `/sources/:sourceId/edit` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrityorphan-pagewiring
medium 9-layer quality integrity conf 1.00 Frontend route `/sources/:sourceId` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrityorphan-pagewiring
medium 9-layer quality integrity conf 1.00 Frontend route `/studio/chat/:sessionId` has no Link/navigate to it — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/App.js
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrityorphan-pagewiring
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
anthropics/claude-code-action@beta can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/claude.yml:33 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/claude.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ChatMessage.js:320
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ChatMessage.js:320 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ScriptConfirmation.js:116
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/components/ScriptConfirmation.js:116 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/pages/ArticleDetail.js:217
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/web/src/pages/ArticleDetail.js:217 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in awesome_agent_skills/self-improving-agent-skills/frontend/src/app/layout.tsx:21
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
awesome_agent_skills/self-improving-agent-skills/frontend/src/app/layout.tsx:21 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in generative_ui_agents/ai-dashboard-canvas-agent/src/components/ui/chart.tsx:83
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
generative_ui_agents/ai-dashboard-canvas-agent/src/components/ui/chart.tsx:83 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in generative_ui_agents/ai-shadcn-component-generator/apps/ui/src/components/ui/chart.tsx:75
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
generative_ui_agents/ai-shadcn-component-generator/apps/ui/src/components/ui/chart.tsx:75 owaspdangerous_innerhtml
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/scheduler.py:99
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/scheduler.py:99 owaspsubprocess_shell_true
medium 9-layer cicd supply-chain conf 1.00 Install-time lifecycle script performs network/shell-sensitive actions
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
generative_ui_agents/ai-mcp-app-builder/apps/mcp-use-server/package.json supply-chainnpminstall-scripts
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/bootstrap_demo.py:26
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/tools/jikan_search.py:53
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/multi_agent_apps/ai_news_and_podcast_agents/beifong/tools/wikipedia_search.py:32
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/multi_agent_apps/ai_speech_trainer_agent/frontend/Home.py:106
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/single_agent_apps/ai_fraud_investigation_agent/fraud_investigation_agent.py:634
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_ai_agents/single_agent_apps/earnings_call_analyst_agent/youtube_ingest.py:332
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — advanced_llm_apps/multimodal_video_moment_finder/backend/video_store.py:89
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — rag_tutorials/agentic_rag_math_agent/rag/query_router.py:61
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — rag_tutorials/rag-as-a-service/rag_app.py:40
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — starter_ai_agents/ai_music_generator_agent/music_generator_agent.py:56
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
12 test file(s) for 833 source file(s) (ratio 0.01). Consider adding integration or unit tests for critical paths.
testscoverage
API access

This page is publicly accessible at: https://repobility.com/scan/6c9e77ef-5e92-41e5-bcdf-514a334e8962/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6c9e77ef-5e92-41e5-bcdf-514a334e8962/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.