56 of your 74 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.88s · analysis 8.77s · 0.4 MB · GitHub preflight 453ms

twrecked/pyaarlo

https://github.com/twrecked/pyaarlo · scanned 2026-06-05 14:17 UTC (5 days, 4 hours ago) · 10 languages

199 raw signals (73 security + 126 graph) · 48th percentile · Python · small (2-20K LoC) · System graph score 98 (lower by 30)


Complete repo analysis

Last scanned 5 days, 4 hours ago · v2 · 67 actionable findings from 2 signal sources. 67 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score       75.0        0.15     11.25
security_score        84.5        0.25     21.12
testing_score         54.0        0.20     10.80
documentation_score   84.0        0.15     12.60
practices_score       42.0        0.15     6.30
code_quality          55.1        0.10     5.51
Overall                           1.00     67.6
Scan summary: Quality grade B- (68/100). Dimensions: security 84, maintainability 75. 73 findings (10 security). 8,544 lines analyzed.

Showing 53 of 67 actionable findings. 134 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
pyaarlo/storage.py:31
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
pyaarlo/storage.py:31
critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
README.md:481
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
pyaarlo/ratls.py:65
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.cfg` used but never assigned in __init__
Method `_v3_modes` of class `PyArlo` reads `self.cfg`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
pyaarlo/__init__.py:339, 348, 349, 350, 351, 352, 355, 358, +16 more (25 hits)
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
pyaarlo/storage.py:31
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
pyaarlo/ratls.py:106
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
pyaarlo/util.py:67
low Security checks quality Error handling conf 0.55 ✓ Repobility 18 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 18 locations
pyaarlo/backend.py:141, 164, 246, 256, 609, 688 (6 hits)
pyaarlo/tfa.py:82, 145, 154, 162 (4 hits)
pyaarlo/main.py:146, 173 (2 hits)
pyaarlo/storage.py:32, 41 (2 hits)
pyaarlo/__init__.py:173
pyaarlo/background.py:36
pyaarlo/ratls.py:69
pyaarlo/util.py:71
Tags: Error handling, quality
medium Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences requirements.txt: `requests` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
requirements.txt:1, 2, 3, 4, 6, 7, 8 (7 hits)
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — pyaarlo/util.py:119
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
Tags: auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
Tags: CI/CD security, Coverage
low Security checks quality Quality conf 0.60 3 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
3 files, 3 locations
pyaarlo/location.py:119
pyaarlo/super.py:96
tests/arlo.py:12
Tags: duplication, quality
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/conf.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pyaarlo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pyaarlo/constant.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
3 tests / 24 src (ratio 0.12).
low System graph quality Integrity conf 1.00 15 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pyaarlo/__init__.py:stop, pyaarlo/__init__.py:st. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
repo-level (15 hits)
Tags: duplicates, duplication
low System graph quality Integrity conf 1.00 5 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: pyaarlo/tfa.py:start, pyaarlo/tfa.py:start, pyaarlo/tfa.py:start. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
repo-level (5 hits)
Tags: duplicates, duplication
low System graph software Dead code conf 1.00 Possibly dead Python function: add_attr_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:749
low System graph software Dead code conf 1.00 Possibly dead Python function: arlotime_to_time
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/util.py:16
low System graph software Dead code conf 1.00 Possibly dead Python function: arm_away
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/location.py:304
low System graph software Dead code conf 1.00 Possibly dead Python function: arm_home
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/location.py:297
low System graph software Dead code conf 1.00 Possibly dead Python function: attribute
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:738
low System graph software Dead code conf 1.00 Possibly dead Python function: build_media_library
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/base.py:636
low System graph software Dead code conf 1.00 Possibly dead Python function: build_ratls
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/base.py:628
low System graph software Dead code conf 1.00 Possibly dead Python function: clear
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/storage.py:75
low System graph software Dead code conf 1.00 Possibly dead Python function: days_until
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/util.py:43
low System graph software Dead code conf 1.00 Possibly dead Python function: file_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/storage.py:44
low System graph software Dead code conf 1.00 Possibly dead Python function: hex_to_rgb
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/util.py:130
low System graph software Dead code conf 1.00 Possibly dead Python function: httptime_strftime
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/util.py:56
low System graph software Dead code conf 1.00 Possibly dead Python function: inject_response
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:727
low System graph software Dead code conf 1.00 Possibly dead Python function: keys_matching
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/storage.py:59
low System graph software Dead code conf 1.00 Possibly dead Python function: last_n_videos
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/camera.py:658
low System graph software Dead code conf 1.00 Possibly dead Python function: lookup_base_station_by_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:705
low System graph software Dead code conf 1.00 Possibly dead Python function: lookup_camera_by_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:633
low System graph software Dead code conf 1.00 Possibly dead Python function: lookup_doorbell_by_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:657
low System graph software Dead code conf 1.00 Possibly dead Python function: lookup_light_by_name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/__init__.py:681
low System graph software Dead code conf 1.00 Possibly dead Python function: restart
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/base.py:537
low System graph software Dead code conf 1.00 Possibly dead Python function: rgb_to_hex
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/util.py:125
low System graph software Dead code conf 1.00 Possibly dead Python function: run_high
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/background.py:113
low System graph software Dead code conf 1.00 Possibly dead Python function: run_high_every
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/background.py:139
low System graph software Dead code conf 1.00 Possibly dead Python function: run_high_in
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/background.py:126
low System graph software Dead code conf 1.00 Possibly dead Python function: run_low_every
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/background.py:145
low System graph software Dead code conf 1.00 Possibly dead Python function: siren_off
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/base.py:523
low System graph software Dead code conf 1.00 Possibly dead Python function: siren_on
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/base.py:501
low System graph software Dead code conf 1.00 Possibly dead Python function: stand_by
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/location.py:290
low System graph software Dead code conf 1.00 Possibly dead Python function: unset
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pyaarlo/storage.py:71
low System graph quality Integrity conf 1.00 Stub function `add_attr_callback` (body is just `pass`/`return`) — pyaarlo/__init__.py:749
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler, Dead code
low System graph quality Integrity conf 1.00 Stub function `del_listener` (body is just `pass`/`return`) — pyaarlo/backend.py:1374
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: Empty handler, Dead code
low System graph quality Complexity conf 1.00 Very large file: pyaarlo/backend.py (1407 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: pyaarlo/camera.py (1510 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/987a866a-4e94-4b95-96c5-62d91b223b9a/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/987a866a-4e94-4b95-96c5-62d91b223b9a/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.