Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
62 of your 129 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.45s · analysis 10.73s · 11.0 MB · GitHub API rate-limit (preflight)

duotify/GitHubClawToolkit

https://github.com/duotify/GitHubClawToolkit · scanned 2026-06-05 19:15 UTC (4 days, 16 hours ago) · 10 languages

382 raw signals (120 security + 262 graph) 9th percentile · Javascript · medium (20-100K LoC) System graph score 70 (lower by 28)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 16 hours ago · v2 · 91 actionable findings from 2 signal sources. 160 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
60.2
/100
Security checks
51
47 findings
System graph
70
100.0% cov · 44 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 71.4 0.25 17.85
testing_score 20.0 0.20 4.00
documentation_score 39.0 0.15 5.85
practices_score 40.0 0.15 6.00
code_quality 18.1 0.10 1.81
Overall 1.00 41.5
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 6 Medium 37 Low 32 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 47 System graph 44 Crowd 0 Layer: Software 38 Quality 31 Cicd 4 Frontend 14 Data 1 Security 1 Api 2
Scan summary Quality grade D (42/100). Dimensions: security 71, maintainability 40. 120 findings (58 security). 52,374 lines analyzed.

Showing 76 of 91 actionable findings. 251 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
.agents/skills/skill-creator/eval-viewer/generate_review.py:343
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
skills/skill-creator/eval-viewer/generate_review.py:343
critical System graph security Secrets conf 1.00 Possible secret in skills/gemini-summary/scripts/summarize.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
skills/gemini-summary/scripts/summarize.js:90
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.path` used but never assigned in __init__
Method `do_GET` of class `ReviewHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
skills/skill-creator/eval-viewer/generate_review.py:333, 344, 345, 346, 347, 348, 349, 353, +15 more (23 hits)
.agents/skills/skill-creator/eval-viewer/generate_review.py:333, 344 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /line/webhook has no auth
Express route POST /line/webhook declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
workers/line-bot/src/presentation/http/line-bot-worker.js:40
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
workers/line-bot/bun.lock
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
skills/felo-superAgent/scripts/run_style_library.mjs:146
medium Security checks cicd CI/CD security conf 0.68 5 occurrences Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
5 files, 5 locations
templates/codex-default/.github/workflows/issue-N.yml:154
templates/codex-felo/.github/workflows/issue-N.yml:158
templates/codex-gemini-api/.github/workflows/issue-N.yml:158
templates/copilot-felo/.github/workflows/issue-N.yml:162
templates/copilot-gemini-api/.github/workflows/issue-N.yml:162
CI/CD securityagent runtimepermissions
medium Security checks quality Quality Average file size is 663 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
workers/line-bot/bun.lock
low Security checks quality Error handling conf 0.55 ✓ Repobility 4 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
4 files, 4 locations
.agents/skills/skill-creator/scripts/package_skill.py:106
.agents/skills/skill-creator/scripts/run_eval.py:223
skills/skill-creator/scripts/package_skill.py:106
skills/skill-creator/scripts/run_eval.py:223
Error handlingquality
medium Security checks software dependencies conf 0.88 hono: GHSA-26pp-8wgv-hjvm
Hono missing validation of cookie name on write path in setCookie()
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-458j-xx4x-4375
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-69xw-7hcm-h432
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-9vqf-7f2p-gf9v
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-p77w-8qqv-26rm
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-qp7p-654g-cw7p
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-r5rp-j6wh-rvv4
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-wmmm-f939-6g9c
Hono: Middleware bypass via repeated slashes in serveStatic
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-xf4j-xp2r-rqqx
Hono: Path traversal in toSSG() allows writing files outside the output directory
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-xpcf-pg52-r92g
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
workers/line-bot/bun.lock
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
workers/line-bot/bun.lock
medium Security checks quality Documentation No README file found
Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines.
medium Security checks software dependencies conf 0.90 12 occurrences npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)
`@google/genai` is pinned/resolved at >=1.33.0 but the latest stable release on the npm registry is 2.8.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
12 files, 12 locations
skills/gemini-audio-transcriber/package.json
skills/gemini-deep-researcher/package.json
skills/gemini-image-describer/package.json
skills/gemini-summary/package.json
templates/codex-gemini-api/.agents/skills/gemini-audio-transcriber/package.json
templates/codex-gemini-api/.agents/skills/gemini-deep-researcher/package.json
templates/codex-gemini-api/.agents/skills/gemini-image-describer/package.json
templates/codex-gemini-api/.agents/skills/gemini-summary/package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
workers/line-bot/bun.lock
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
templates/antigravity-gcp/.github/workflows/issue-N.yml:127
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
workers/line-bot/bun.lock
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/gemini-audio-transcriber/scripts/transcribe.js:27
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/gemini-deep-researcher/scripts/research.js:26
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/gemini-image-describer/scripts/describe.js:27
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/gemini-summary/scripts/summarize.js:27
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — skills/google-stitch/scripts/google-stitch.js:6724
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/line-bot/src/infrastructure/github/github-issues-client.js:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/line-bot/src/infrastructure/line/line-api-client.js:264
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/line-bot/test/worker.test.js:294
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 56 occurrences GitHub Action is tag-pinned rather than SHA-pinned
duotify/GitHubClawToolkit/actions/error-handler-action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 48 locations
templates/gemini-nanobanana/.github/workflows/issue-N.yml:76, 153, 159, 166 (7 hits)
templates/codex-default/.github/workflows/issue-N.yml:170, 176, 183 (6 hits)
templates/copilot-felo/.github/workflows/issue-N.yml:178, 184, 192 (6 hits)
templates/copilot-gemini-api/.github/workflows/issue-N.yml:178, 184, 192 (6 hits)
templates/default/.github/workflows/issue-N.yml:178, 186 (4 hits)
templates/codex-felo/.github/workflows/issue-N.yml:174, 180, 188 (3 hits)
templates/codex-gemini-api/.github/workflows/issue-N.yml:174, 180, 188 (3 hits)
templates/gemini-summary/.github/workflows/issue-N.yml:140, 146, 153 (3 hits)
CI/CD securitySupply chainGitHub Actions
medium System graph cicd CI/CD security conf 1.00 16 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
12 files, 12 locations
templates/antigravity-gcp/.github/workflows/issue-N.yml
templates/codex-default/.github/workflows/issue-N.yml
templates/codex-felo/.github/workflows/issue-N.yml
templates/codex-gemini-api/.github/workflows/issue-N.yml
templates/copilot-byok/.github/workflows/issue-N.yml
templates/copilot-felo/.github/workflows/issue-N.yml
templates/copilot-gemini-api/.github/workflows/issue-N.yml
templates/default/.github/workflows/issue-N.yml
CI/CD securitySupply chainGithub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — skills/skill-creator/scripts/run_eval.py:85
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph data Coverage conf 1.00 ORM models found but no DB engine detected
The repo defines tables/models but no DB connection string was found. Likely lives in env vars or a config file the scanner didn't read.
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
3 test file(s) for 44 source file(s) (ratio 0.07). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
workers/line-bot/src/infrastructure/line/line-api-client.js:2 duplicationquality
low Security checks software dependencies conf 0.88 hono: GHSA-hm8q-7f3q-5f36
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
workers/line-bot/bun.lock
low Security checks software dependencies conf 0.90 npm package `node-addon-api` is minor version(s) behind (^8.6.0 -> 8.8.0)
`node-addon-api` is pinned/resolved at ^8.6.0 but the latest stable release on the npm registry is 8.8.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
workers/line-bot/package.json
low Security checks software dependencies conf 0.90 npm package `node-gyp` is minor version(s) behind (^12.2.0 -> 12.4.0)
`node-gyp` is pinned/resolved at ^12.2.0 but the latest stable release on the npm registry is 12.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
workers/line-bot/package.json
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workers/line-bot/src/config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workers/line-bot/src/infrastructure/github/line-github-service.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workers/line-bot/src/line.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workers/line-bot/test/config.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: workers/line-bot/test/worker-name.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 43 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 35 locations
templates/codex-default/.github/workflows/issue-N.yml:77, 84 (4 hits)
templates/copilot-felo/.github/workflows/issue-N.yml:81, 88 (4 hits)
templates/copilot-gemini-api/.github/workflows/issue-N.yml:81, 88 (4 hits)
templates/default/.github/workflows/issue-N.yml:80, 87 (4 hits)
templates/gemini-nanobanana/.github/workflows/issue-N.yml:66, 73 (4 hits)
templates/line-bot/.github/workflows/install-line-bot.yml:64, 165, 242 (3 hits)
templates/antigravity-gcp/.github/workflows/issue-N.yml:60, 66 (2 hits)
templates/codex-felo/.github/workflows/issue-N.yml:80, 87 (2 hits)
CI/CD securitySupply chainGitHub Actions
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `bot_v2` in workers/line-bot/test/config.test.js:89
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `Name__v2` in workers/line-bot/test/worker-name.test.js:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
skills/skill-creator/eval-viewer/generate_review.py:332
low System graph software Dead code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
skills/skill-creator/eval-viewer/generate_review.py:361
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
skills/skill-creator/eval-viewer/generate_review.py:382
low System graph software Dead code conf 1.00 Possibly dead Python function: run_single_query
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
skills/skill-creator/scripts/run_eval.py:35
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-audio-transcriber/scripts/transcribe.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-deep-researcher/scripts/research.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-image-describer/scripts/describe.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-lyria-3/scripts/generate-track.js:108
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-nanobanana/scripts/gemini-nanobanana-cli.js:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/gemini-summary/scripts/summarize.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — skills/google-stitch/scripts/google-stitch.js:47
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/gemini-nanobanana/scripts/generate-image.ts:523
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/gemini-summary/scripts/summarize-inline.ts:208
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/line-bot/.github/scripts/build-chat-log.js:215
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/vertexai-nanobanana/scripts/generate-image.ts:525
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/vertexai-summary/scripts/summarize.ts:212
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`workers/line-bot/src/presentation/http/line-bot-worker.js` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /line/webhook
`workers/line-bot/src/presentation/http/line-bot-worker.js` declares `POST /line/webhook` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: skills/google-stitch/scripts/google-stitch.js (11453 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/aa637b46-604e-402b-9db4-b6cca914c0e3/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/aa637b46-604e-402b-9db4-b6cca914c0e3/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.