66 of your 182 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

BigBodyCobain/Shadowbroker

https://github.com/BigBodyCobain/Shadowbroker.git · scanned 2026-05-18 19:19 UTC (2 weeks, 3 days ago) · 10 languages

972 findings (182 legacy + 790 scanner) · 8/10 scanners ran · 76th percentile · Python · large (100-500K LoC) · Scanner says 60 (higher by 23)


Complete repo analysis

Last scanned 2 weeks, 3 days ago · v2 · 577 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 97.0 | 0.20 | 19.40 |
| documentation_score | 81.0 | 0.15 | 12.15 |
| practices_score | 87.0 | 0.15 | 13.05 |
| code_quality | 45.0 | 0.10 | 4.50 |
| Overall | | 1.00 | 83.1 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: layer: api · excluding tests
Scan summary

Repository scanned at 60.2/100 with 100.0% coverage. It contains 9858 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 395 findings — concentrated in quality (176), software (73), api (55). Risk profile is high: 2 critical, 49 high, 37 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 55 of 577 findings.

high 9-layer api wiring conf 1.00 Dangling fetch: GET https://en.wikipedia.org/api/rest_v1/page/summary/${encodeURIComponent(title)} (frontend/src/components/WikiImage.tsx:39)
`frontend/src/components/WikiImage.tsx:39` calls `GET https://en.wikipedia.org/api/rest_v1/page/summary/${encodeURIComponent(title)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/en.wikipedia.org/api/rest_v…
Tags: wiring, dangling-fetch, fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://en.wikipedia.org/api/rest_v1/page/summary/${encodeURIComponent(wikiTitle)} (frontend/src/components/NewsFeed.tsx:219)
`frontend/src/components/NewsFeed.tsx:219` calls `GET https://en.wikipedia.org/api/rest_v1/page/summary/${encodeURIComponent(wikiTitle)}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/en.wikipedia.org/api/re…
Tags: wiring, dangling-fetch, fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://nominatim.openstreetmap.org/search?q=${encodeURIComponent(q)}&format=json&limit=5 (frontend/src/app/LocateBar.tsx:103)
`frontend/src/app/LocateBar.tsx:103` calls `GET https://nominatim.openstreetmap.org/search?q=${encodeURIComponent(q)}&format=json&limit=5` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/nominatim.openstreetma…
Tags: wiring, dangling-fetch, fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://nominatim.openstreetmap.org/search?q=${encodeURIComponent(q)}&format=json&limit=5 (frontend/src/app/LocateBar.tsx:86)
`frontend/src/app/LocateBar.tsx:86` calls `GET https://nominatim.openstreetmap.org/search?q=${encodeURIComponent(q)}&format=json&limit=5` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/nominatim.openstreetmap…
Tags: wiring, dangling-fetch, fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://planetarycomputer.microsoft.com/api/stac/v1/search (frontend/src/hooks/useRegionDossier.ts:184)
`frontend/src/hooks/useRegionDossier.ts:184` calls `POST https://planetarycomputer.microsoft.com/api/stac/v1/search` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/planetarycomputer.microsoft.com/api/stac/v1/…
Tags: wiring, dangling-fetch, fetch
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/mesh/peers
`backend/main.py` declares `DELETE /api/mesh/peers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/live-data
`backend/main.py` declares `GET /api/live-data` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/live-data/fast
`backend/main.py` declares `GET /api/live-data/fast` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/live-data/slow
`backend/main.py` declares `GET /api/live-data/slow` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/channels
`backend/main.py` declares `GET /api/mesh/channels` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/gate/list
`backend/main.py` declares `GET /api/mesh/gate/list` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/gate/{gate_id}
`backend/main.py` declares `GET /api/mesh/gate/{gate_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/gate/{gate_id}/messages
`backend/main.py` declares `GET /api/mesh/gate/{gate_id}/messages` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/event/{event_id}
`backend/main.py` declares `GET /api/mesh/infonet/event/{event_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/locator
`backend/main.py` declares `GET /api/mesh/infonet/locator` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/merkle
`backend/main.py` declares `GET /api/mesh/infonet/merkle` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/messages
`backend/main.py` declares `GET /api/mesh/infonet/messages` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/messages/wait
`backend/main.py` declares `GET /api/mesh/infonet/messages/wait` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/status
`backend/main.py` declares `GET /api/mesh/infonet/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/infonet/sync
`backend/main.py` declares `GET /api/mesh/infonet/sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/log
`backend/main.py` declares `GET /api/mesh/log` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/messages
`backend/main.py` declares `GET /api/mesh/messages` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/metrics
`backend/main.py` declares `GET /api/mesh/metrics` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/peers
`backend/main.py` declares `GET /api/mesh/peers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/reputation
`backend/main.py` declares `GET /api/mesh/reputation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/reputation/all
`backend/main.py` declares `GET /api/mesh/reputation/all` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/reputation/batch
`backend/main.py` declares `GET /api/mesh/reputation/batch` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/rns/status
`backend/main.py` declares `GET /api/mesh/rns/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/signals
`backend/main.py` declares `GET /api/mesh/signals` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/mesh/status
`backend/main.py` declares `GET /api/mesh/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/oracle/region-intel
`backend/main.py` declares `GET /api/oracle/region-intel` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/privacy/claims
`backend/main.py` declares `GET /api/privacy/claims` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/refresh
`backend/main.py` declares `GET /api/refresh` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/sigint/nearest-sdr
`backend/main.py` declares `GET /api/sigint/nearest-sdr` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/thermal/verify
`backend/main.py` declares `GET /api/thermal/verify` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PATCH /api/mesh/peers
`backend/main.py` declares `PATCH /api/mesh/peers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/ais/feed
`backend/main.py` declares `POST /api/ais/feed` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/layers
`backend/main.py` declares `POST /api/layers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/gate/create
`backend/main.py` declares `POST /api/mesh/gate/create` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/gate/peer-pull
`backend/main.py` declares `POST /api/mesh/gate/peer-pull` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/gate/peer-push
`backend/main.py` declares `POST /api/mesh/gate/peer-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/gate/{gate_id}/message
`backend/main.py` declares `POST /api/mesh/gate/{gate_id}/message` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/identity/revoke
`backend/main.py` declares `POST /api/mesh/identity/revoke` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/identity/rotate
`backend/main.py` declares `POST /api/mesh/identity/rotate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/infonet/ingest
`backend/main.py` declares `POST /api/mesh/infonet/ingest` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/infonet/peer-push
`backend/main.py` declares `POST /api/mesh/infonet/peer-push` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/infonet/sync
`backend/main.py` declares `POST /api/mesh/infonet/sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/peers
`backend/main.py` declares `POST /api/mesh/peers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/report
`backend/main.py` declares `POST /api/mesh/report` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/send
`backend/main.py` declares `POST /api/mesh/send` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/mesh/vote
`backend/main.py` declares `POST /api/mesh/vote` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/sigint/transmit
`backend/main.py` declares `POST /api/sigint/transmit` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/viewport
`backend/main.py` declares `POST /api/viewport` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/mesh/gate/{gate_id}/envelope_policy
`backend/main.py` declares `PUT /api/mesh/gate/{gate_id}/envelope_policy` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Tags: wiring, unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/mesh/gate/{gate_id}/legacy_envelope_fallback
`backend/main.py` declares `PUT /api/mesh/gate/{gate_id}/legacy_envelope_fallback` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Tags: wiring, unused-endpoint
API access

This page is publicly accessible at: https://repobility.com/scan/ace85012-9f8f-420e-9261-5db673c5b483/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/ace85012-9f8f-420e-9261-5db673c5b483/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.