Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
16 of your 189 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.91s · analysis 8.94s · 3.7 MB · GitHub preflight 420ms

numtide/llm-agents.nix

https://github.com/numtide/llm-agents.nix · scanned 2026-06-05 19:38 UTC (1 week, 2 days ago) · 10 languages

250 raw signals (182 security + 68 graph) 13th percentile · Python · small (2-20K LoC) System graph score 82 (lower by 28)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 169 actionable findings from 2 signal sources. 47 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
70.6
/100
Security checks
60
147 findings
System graph
82
88.9% cov · 22 findings
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 40.5 0.25 10.12
testing_score 0.0 0.20 0.00
documentation_score 90.0 0.15 13.50
practices_score 67.0 0.15 10.05
code_quality 69.7 0.10 6.97
Overall 1.00 53.4
Severity distribution — click a segment to filter
Active filters: severity: low × excluding tests × Reset all
Severity: Critical 3 High 51 Medium 90 Low 15 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 147 System graph 22 Crowd 0 Layer: Software 135 Security 6 Quality 20 Cicd 4 Api 1 Network 2 Frontend 1
Scan summary Quality grade C- (53/100). Dimensions: security 40, maintainability 85. 182 findings (142 security). 5,676 lines analyzed.

Showing 15 of 169 actionable findings. 216 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
packages/codex-acp/update.py:61
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
packages/claudebox/update.py:36
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 12 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 12 locations
.github/workflows/update-flake.yml:39, 65, 70, 140, 145 (9 hits)
.github/workflows/check-maintainers.yml:16 (2 hits)
.github/workflows/check-readme.yml:16
CI/CD securitySupply chainGitHub Actions
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
packages/aionui/bun.lock
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
packages/aionui/bun.lock
low Security checks quality Quality conf 0.60 16 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 12 locations
packages/cli-proxy-api/update.py:2
packages/crush/update.py:2
packages/droid/update.py:2
packages/forgecode/update.py:2
packages/gno/update.py:3
packages/go-bin/update.py:5
packages/iflow-cli/update.py:2
packages/letta-code/update.py:2
duplicationquality
low Security checks software dependencies conf 0.88 electron: GHSA-8x5q-pvf5-64mp
Electron: Use-after-free in offscreen shared texture release() callback
packages/aionui/bun.lock
low Security checks software dependencies conf 0.88 electron: GHSA-9899-m83m-qhpj
Electron: USB device selection not validated against filtered device list
packages/aionui/bun.lock
low Security checks software dependencies conf 0.88 electron: GHSA-f37v-82c4-4x64
Electron: Crash in clipboard.readImage() on malformed clipboard image data
packages/aionui/bun.lock
low Security checks software dependencies conf 0.88 electron: GHSA-jfqx-fxh3-c62j
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
packages/aionui/bun.lock
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
packages/aionui/bun.lock
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/tuicr/check-tuicr.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: .github/ci/create_pr.py:parse_args, .github/ci/update.py:parse_args This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
duplicatesduplication
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_hash
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/updater/platforms.py:40
low System graph software Dead code conf 1.00 Possibly dead Python function: version_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/junie/update.py:29
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/8582a95d-e4bd-4239-bbd9-99545eaf9f4b/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/8582a95d-e4bd-4239-bbd9-99545eaf9f4b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.