Public scan — anyone with this URL can view this analysis.
75 of your 86 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 22.76s · analysis 0.77s · 26.7 MB · GitHub preflight 507ms

lhfer/claude-howto-zh-cn

https://github.com/lhfer/claude-howto-zh-cn · scanned 2026-06-03 02:51 UTC (6 days, 15 hours ago) · 10 languages

563 raw signals (82 security + 481 graph) · 11/13 scanners ran · 97th percentile · Python · small (2-20K LoC)


Complete repo analysis

Last scanned 6 days, 15 hours ago · v7 · 45 actionable findings from 2 signal sources. 94 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score           100.0    0.25         25.00
testing_score             97.0    0.20         19.40
documentation_score      100.0    0.15         15.00
practices_score           82.0    0.15         12.30
code_quality              65.0    0.10          6.50
Overall                      -    1.00          87.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary: quality grade A- (87/100). Dimensions: security 100, maintainability 60. 82 findings (29 security). 6,652 lines analyzed.

Showing 24 of 45 actionable findings. 139 raw detector signals were grouped into reader-sized issues.

high · Security checks · quality · conf 1.00 · ✓ Repobility · [MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group.
06-hooks/pre-tool-check.sh:103
high · Security checks · quality · conf 1.00 · ✓ Repobility · 13 occurrences · [MINED108] `self.calculate_cyclomatic_complexity` used but never assigned in __init__: Method `calculate_maintainability_index` of class `ComplexityAnalyzer` reads `self.calculate_cyclomatic_complexity`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.calculate_cyclomatic_complexity = <default>` in __init__, or add a class-level default.
4 files, 13 locations
03-skills/code-review-specialist/scripts/compare-complexity.py:73, 74, 89, 90, 91 (5 hits)
03-skills/refactor/scripts/analyze-complexity.py:197, 257, 272 (3 hits)
scripts/build_epub.py:285, 356, 580 (3 hits)
03-skills/doc-generator/generate-docs.py:19, 22 (2 hits)
high · Security checks · software dependencies · conf 0.90 · ✓ Repobility · 3 occurrences · [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.8.2`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.8.2`. Because `v0.8.2` is a version tag rather than a commit, the repo owner can move it to new code and `pre-commit install --install-hooks` will fetch that code on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>`, and bump it with `pre-commit autoupdate --freeze` (which keeps a SHA in `rev`) in a pull request that gets reviewed.
.pre-commit-config.yaml:10, 26, 38 (3 hits)
high · Security checks · quality · conf 0.72 · Agent control bridge may listen on a network interface without visible auth
Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model.
scripts/vendor_assets.py:1
low · Security checks · quality · Error handling · conf 0.55 · ✓ Repobility · Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
03-skills/refactor/scripts/detect-smells.py:646 · Error handling · quality
low · Security checks · quality · Error handling · conf 0.55 · ✓ Repobility · Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
03-skills/refactor/scripts/analyze-complexity.py:479 · Error handling · quality
high · Security checks · software dependencies · conf 0.70 · Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
09-advanced-features/README.md:319
medium · System graph · cicd · CI/CD security · conf 1.00 · 24 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 24 locations
.github/workflows/test.yml:38, 53, 79, 105, 135, 160 (12 hits)
.github/workflows/ci.yml:23, 65, 90, 104, 120 (5 hits)
.github/workflows/docs-check.yml:53, 67 (4 hits)
.github/workflows/release.yml:18, 24 (2 hits)
.github/workflows/pages.yml:32
CI/CD security · Supply chain · GitHub Actions
medium · System graph · cicd · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · CI/CD security · Supply chain · GitHub Actions
medium · System graph · cicd · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/pages.yml · CI/CD security · Supply chain · GitHub Actions
medium · System graph · quality · Integrity · conf 1.00 · Network/subprocess call without timeout or try/except — scripts/validate_localization.py:215
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium · System graph · quality · Integrity · conf 1.00 · Network/subprocess call without timeout or try/except — scripts/vendor_assets.py:73
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium · System graph · network · Security · conf 1.00 · Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
06-hooks/session-end.sh · Ports
low · Security checks · quality · Quality · conf 0.60 · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
06-hooks/context-tracker.py:26 · duplication · quality
low · System graph · software · Dead code candidate · conf 1.00 · File has no detected symbols: scripts/website_templates/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · cicd · CI/CD security · conf 1.00 · 49 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
4 files, 49 locations
.github/workflows/docs-check.yml:31, 34, 50, 64, 81, 84, 138, 141, +5 more (21 hits)
.github/workflows/test.yml:35, 63, 76, 102, 120, 132, 157, 184, +1 more (18 hits)
.github/workflows/ci.yml:20, 44, 47, 62, 87, 117, 144 (7 hits)
.github/workflows/pages.yml:35, 41, 55 (3 hits)
CI/CD security · Supply chain · GitHub Actions
low · System graph · quality · Integrity · conf 1.00 · 6 occurrences · Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/build_website.py:replace_mermaid_blocks, scripts/build_website.py:repl. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
repo-level (6 hits)
duplicates · duplication
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: create_epub
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_epub.py:1193
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: repl
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_website.py:335
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: replace_mermaid
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_epub.py:909
low · System graph · software · Dead code · conf 1.00 · Possibly dead Python function: visit_FunctionDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
03-skills/doc-generator/generate-docs.py:11
low · System graph · frontend · Frontend quality · conf 1.00 · Stray `console.log` in TS/JS — 07-plugins/devops-automation/hooks/post-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low · System graph · frontend · Frontend quality · conf 1.00 · Stray `console.log` in TS/JS — 07-plugins/devops-automation/hooks/pre-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low · System graph · frontend · Frontend quality · conf 1.00 · Stray `console.log` in TS/JS — 07-plugins/pr-review/hooks/pre-review.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
API access

This page is publicly accessible at: https://repobility.com/scan/6de89846-137e-4c31-b941-5b6dada154ea/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6de89846-137e-4c31-b941-5b6dada154ea/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.