75 of your 167 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 15.62s · analysis 17.73s · 32.0 MB · GitHub API rate-limit (preflight)

multica-ai/multica

https://github.com/multica-ai/multica · scanned 2026-06-09 04:34 UTC (17 hours, 54 minutes ago) · 10 languages

10675 raw signals (151 security + 10524 graph) · 11/13 scanners ran · 86th percentile · Typescript · large (100-500K LoC) · System graph score 69 (higher by 16)

Complete repo analysis

Last scanned 17 hours, 53 minutes ago · v12 · 514 actionable findings from 2 signal sources. 136 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score      60.0       0.15    9.00
security_score       100.0      0.25    25.00
testing_score        95.0       0.20    19.00
documentation_score  83.0       0.15    12.45
practices_score      84.0       0.15    12.60
code_quality         70.0       0.10    7.00
Overall                         1.00    85.0

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: layer: quality; excluding tests
Scan summary: strongest dependencies (90), code quality (62); weakest documentation (36), security (40).

Showing 55 of 514 actionable findings. 650 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
3 files, 3 locations
scripts/init-worktree-env.sh:31
scripts/screenshot-pr-cards.mjs:14
server/cmd/backfill_task_usage_hourly/main.go:76
low Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
3 files, 3 locations
apps/web/features/landing/components/download/cli-section.tsx:9
packages/views/onboarding/steps/cli-install-instructions.tsx:12
packages/views/onboarding/templates/install-runtime-issue.ts:91
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
apps/mobile/components/chat/message-long-press.tsx:33
apps/mobile/components/issue/comment-context-menu.tsx:62
packages/core/auth/store.ts:119
high Security checks quality Quality conf 0.74 Codex auth.json is read or copied without visible secret-file hardening
Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed.
apps/web/features/landing/i18n/zh.ts:957
high Security checks quality Quality conf 0.74 Codex auth.json is read or copied without visible secret-file hardening
Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed.
apps/web/features/landing/i18n/en.ts:958
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
apps/desktop/src/renderer/src/platform/i18n-adapter.ts:25
high Security checks quality Quality conf 0.82 Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
server/internal/handler/runtime_update.go:1
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/desktop/src/main/cli-bootstrap.ts:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/web/features/landing/components/contact-sales-page-client.tsx:111
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/chat-attachments.spec.ts:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/fixtures.ts:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/core/api/client.ts:352
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/views/issues/components/swimlane-view.test.tsx:1197
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/views/issues/components/swimlane-view.tsx:543
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Frontend route `:workspaceSlug/*` has no Link/navigate to it — apps/desktop/src/renderer/src/components/workspace-route-layout.test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
server/cmd/backfill_task_usage_hourly/main.go:114
server/cmd/server/health.go:160
server/cmd/server/health_realtime.go:53
low Security checks quality Quality conf 0.60 17 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
apps/mobile/app/(app)/[workspace]/project/new.tsx:138, 154 (2 hits)
apps/desktop/src/renderer/src/components/desktop-runtimes-page.tsx:6
apps/mobile/app/(app)/[workspace]/more/issues.tsx:91
apps/mobile/app/(app)/[workspace]/project/[id]/edit.tsx:1
apps/mobile/app/(auth)/verify.tsx:63
apps/mobile/components/project/pickers/project-lead-picker-body.tsx:70
apps/mobile/components/project/project-related-issues.tsx:75
apps/mobile/components/ui/project-priority-icon.tsx:38
duplication · quality
high Security checks quality Quality conf 0.62 3 occurrences Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
3 files, 3 locations
packages/views/editor/extensions/markdown-copy.ts:1
server/cmd/multica/cmd_update.go:1
server/internal/daemon/auto_update.go:1
low System graph quality Integrity conf 1.00 15 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `DESKTOP_APP_SUFFIX`, `DESKTOP_RENDERER_PORT`, `DOCS_URL`, `EXPO_BUNDLE_IDENTIFIER_DEV`, `EXPO_BUNDLE_IDENTIFIER_PROD`, `EXPO_OS`, `EXPO_PUBLIC_WEB_URL`, `FRONTEND_ORIGIN` + 7 more. Add them (with a placeholder/comment) to .env.example so onboardin…
config drift
low System graph quality Maintenance conf 1.00 47 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `skipped_legacy` in apps/web/test/helpers.tsx:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `too_old` in packages/core/runtimes/cli-version.test.ts:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `too_old` in packages/core/runtimes/cli-version.ts:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Complexity conf 1.00 Very large file: apps/web/features/landing/i18n/en.ts (1806 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: apps/web/features/landing/i18n/ja.ts (1307 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: apps/web/features/landing/i18n/ko.ts (1332 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: apps/web/features/landing/i18n/zh.ts (1802 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/core/api/client.ts (2103 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/views/chat/components/chat-window.tsx (1409 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/views/issues/components/issue-detail.tsx (2073 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/views/issues/components/swimlane-view.tsx (1517 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/views/squads/components/squad-detail-page.tsx (1412 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/cmd/multica/cmd_issue.go (1909 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/cmd/multica/cmd_issue_test.go (2060 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/daemon/daemon.go (3725 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/daemon/daemon_test.go (2159 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/daemon/execenv/execenv_test.go (4286 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/daemon/repocache/cache_test.go (1457 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/agent.go (1440 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/comment.go (1497 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/comment_list_test.go (1439 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/daemon.go (2429 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/daemon_test.go (3878 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/dashboard_test.go (1397 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/github_test.go (2391 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/handler_test.go (3906 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/issue.go (3021 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/handler/skill.go (2063 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/integrations/lark/dispatcher_test.go (1708 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/internal/service/task.go (2370 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/pkg/agent/codex.go (1876 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/pkg/agent/codex_test.go (2049 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/pkg/agent/hermes.go (1720 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/pkg/agent/hermes_test.go (1962 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/pkg/db/generated/agent.sql.go (2776 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/a3a23df1-c446-4e56-a160-ed8bb6252f50/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a3a23df1-c446-4e56-a160-ed8bb6252f50/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.