114 of your 150 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 206.54s for a 211.7 MB repo (slow).
  • Repobility's analysis ran in 8.26s after the clone landed.

crewAIInc/crewAI

https://github.com/crewAIInc/crewAI · scanned 2026-06-05 11:25 UTC (5 days, 12 hours ago) · 10 languages

150 findings · 11/13 scanners ran · 94th percentile · Python · large (100-500K LoC)


Complete repo analysis

47 actionable findings from 1 signal source. 78 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           85.0    0.15         12.75
security_score           100.0    0.25         25.00
testing_score            100.0    0.20         20.00
documentation_score       82.0    0.15         12.30
practices_score           91.0    0.15         13.65
code_quality              55.0    0.10          5.50
Overall                      -    1.00          89.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests

Showing 8 of 47 actionable findings. 125 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

[high] [MINED107] Missing import: `string` used but not imported (Security checks · quality · conf 1.00 · ✓ Repobility · 7 occurrences)
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
Add `import string` at the top of the file.
7 files, 7 locations
lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_job_search_tool.py:76
lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_news_search_tool.py:83
lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_scholar_search_tool.py:88
lib/crewai-tools/src/crewai_tools/tools/serply_api_tool/serply_web_search_tool.py:96
lib/crewai/src/crewai/events/handler_graph.py:79
lib/crewai/src/crewai/flow/visualization/renderers/interactive.py:125
lib/crewai/src/crewai/state/event_record.py:175
[high] [MINED131] pre-commit hook `https://github.com/astral-sh/uv-pre-commit` pinned to mutable rev `0.11.3` (Security checks · software dependencies · conf 0.90 · ✓ Repobility · 2 occurrences)
`.pre-commit-config.yaml` references `https://github.com/astral-sh/uv-pre-commit` at `rev: 0.11.3`. If `0.11.3` is a branch or a movable version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA (`rev: <40-char-sha>`) and bump it through `pre-commit autoupdate` in pull requests that get reviewed (`pre-commit autoupdate --freeze` records commit SHAs rather than tags).
.pre-commit-config.yaml:23, 62 (2 hits)
[medium] [AUC001] No Repobility access matrix policy found (Security checks · security auth · conf 0.92)
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
[low] Broad exception handler needs review (Security checks · quality / Error handling · conf 0.55 · ✓ Repobility · 25 occurrences)
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 25 locations
lib/devtools/src/crewai_devtools/cli.py:537, 830, 835, 1069, 2004, 2113, 2201, 2273, +4 more (12 hits)
lib/cli/src/crewai_cli/cli.py:51, 117, 180, 277 (4 hits)
lib/cli/src/crewai_cli/checkpoint_cli.py:240, 284, 386 (3 hits)
lib/cli/src/crewai_cli/memory_tui.py:140, 390 (2 hits)
lib/cli/src/crewai_cli/create_flow.py:53
lib/cli/src/crewai_cli/kickoff_flow.py:22
lib/cli/src/crewai_cli/run_crew.py:73
lib/cli/src/crewai_cli/train_crew.py:31
Tags: Error handling · quality
[medium] Public web service has no security.txt (Security checks · quality · conf 0.78)
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
[high] Remote install command pipes network code directly to a shell (Security checks · software dependencies · conf 0.70)
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
2 files, 2 locations
docs/ko/installation.mdx:55
docs/ar/installation.mdx:62
[low] Duplicated implementation block across source files (Security checks · quality · conf 0.60 · 30 occurrences)
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 15 locations
lib/crewai-tools/src/crewai_tools/tools/stagehand_tool/stagehand_tool.py:120, 121 (2 hits)
lib/crewai/src/crewai/a2a/extensions/a2ui/v0_9.py:53, 625 (2 hits)
lib/crewai/src/crewai/events/listeners/tracing/trace_listener.py:22, 95 (2 hits)
lib/cli/src/crewai_cli/memory_tui.py:26
lib/crewai-core/src/crewai_core/auth/providers/entra_id.py:15
lib/crewai-core/src/crewai_core/auth/providers/okta.py:14
lib/crewai-tools/src/crewai_tools/aws/s3/writer_tool.py:16
lib/crewai-tools/src/crewai_tools/rag/loaders/postgres_loader.py:32
Tags: duplication · quality
API access

This page is publicly accessible at: https://repobility.com/scan/79a38bd6-8ae7-4ba7-866b-4c4ca1eeb85e/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/79a38bd6-8ae7-4ba7-866b-4c4ca1eeb85e/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.