62 of your 126 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.29s · analysis 77.24s · 1.4 MB · GitHub API rate-limit (preflight)

Genesis1231/Eva01

https://github.com/Genesis1231/Eva01 · scanned 2026-06-05 13:23 UTC (5 days, 6 hours ago) · 10 languages

228 raw signals (118 security + 110 graph) · 24th percentile · Python · small (2-20K LoC) · System graph score 89 (lower by 32)


Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 121 actionable findings from 2 signal sources. 52 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 69.3 0.25 17.32
testing_score 0.0 0.20 0.00
documentation_score 82.0 0.15 12.30
practices_score 59.0 0.15 8.85
code_quality 78.0 0.10 7.80
Overall 1.00 57.5
Scan summary Quality grade C (58/100). Dimensions: security 69, maintainability 75. 118 findings (20 security). 8,182 lines analyzed.

Showing 91 of 121 actionable findings. 173 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
eva/database/vector_index.py:34
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
eva/senses/audio/speaker_identifier.py:163
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
eva/senses/audio/speaker_identifier.py:163
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `array` used but not imported
The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes.
eva/database/embeddings.py:79
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
main.py:13
high Security checks security Injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: _db.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
eva/database/vector_index.py:57
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.put` used but never assigned in __init__
Method `start_loop` of class `ActionBuffer` reads `self.put`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
7 files, 25 locations
eva/core/heart.py:41, 51, 52, 53, 58, 59, 60, 68, +2 more (10 hits)
eva/core/memory.py:146, 179, 184, 201, 202, 220 (6 hits)
eva/core/graph.py:118, 125, 126 (3 hits)
eva/core/moment.py:114, 143 (2 hits)
eva/core/tasks.py:42, 84 (2 hits)
eva/actions/action_buffer.py:119
eva/core/journal.py:81
high Security checks quality Quality conf 1.00 ✓ Repobility 5 occurrences Blocking call `input` inside async function `_register`
`input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
lines 134, 159, 184, 190, 213
idconfig.py:134, 159, 184, 190, 213 (5 hits)
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 5 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 25, 26, 27, 31
.github/workflows/pages.yml:25, 26, 27, 31 (5 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 keras: GHSA-4f3f-g24h-fr8m
Keras has an untrusted deserialization vulnerability
uv.lock
high Security checks software dependencies conf 0.88 keras: PYSEC-2026-73
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive co…
uv.lock
high Security checks software dependencies conf 0.88 langchain-core: GHSA-pjwx-r37v-7724
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
requirements.txt
high Security checks software dependencies conf 0.88 langchain-core: GHSA-qh6h-p6c9-ff54
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
requirements.txt
high Security checks software dependencies conf 0.88 langchain-openai: PYSEC-2026-76
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independ…
requirements.txt
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
eva/senses/vision/face_identifier.py:153
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
eva/actions/voice/model_edge.py:84
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
eva/senses/audio/speaker_identifier.py:163
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
requirements.txt
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
requirements.txt
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
frontend/package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 3 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
3 files, 3 locations
eva/core/heart.py:135
eva/core/journal.py:31
eva/core/moment.py:155
Error handling · quality
medium Security checks software dependencies conf 0.88 langchain-core: GHSA-926x-3r5x-gfhw
LangChain has incomplete f-string validation in prompt templates
requirements.txt
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 1 major version(s) behind (5.2.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 5.2.0 but the latest stable release on the npm registry is 6.0.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
frontend/package.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 pytest: GHSA-6w46-j5rx-g56g
pytest has vulnerable tmpdir handling
requirements.txt
medium Security checks software dependencies conf 0.90 Python package `groq` is 1 major version(s) behind (0.37.1 -> 1.4.0)
`groq==0.37.1` is 1 major version(s) behind the latest stable release on PyPI (1.4.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:92
medium Security checks software dependencies conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
requirements.txt
medium System graph quality Integrity conf 1.00 Frontend route `/canvas` has no Link/navigate to it — frontend/src/App.jsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Orphan page · Wiring
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/pages.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — eva/tools/_shared/video_analyzer.py:47
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 104 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.90 Python package `anthropic` is minor version(s) behind (0.104.0 -> 0.105.2)
`anthropic==0.104.0` is minor version(s) behind the latest stable release on PyPI (0.105.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:26
low Security checks software dependencies conf 0.90 Python package `elevenlabs` is minor version(s) behind (2.37.0 -> 2.51.0)
`elevenlabs==2.37.0` is minor version(s) behind the latest stable release on PyPI (2.51.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:68
low Security checks software dependencies conf 0.90 Python package `fastapi` is minor version(s) behind (0.135.1 -> 0.136.3)
`fastapi==0.135.1` is minor version(s) behind the latest stable release on PyPI (0.136.3). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:74
low Security checks software dependencies conf 0.90 Python package `firecrawl-py` is minor version(s) behind (4.18.1 -> 4.28.2)
`firecrawl-py==4.18.1` is minor version(s) behind the latest stable release on PyPI (4.28.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:80
low Security checks software dependencies conf 0.90 Python package `huggingface-hub` is minor version(s) behind (1.16.1 -> 1.18.0)
`huggingface-hub==1.16.1` is minor version(s) behind the latest stable release on PyPI (1.18.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:117
low Security checks software dependencies conf 0.90 Python package `idna` is minor version(s) behind (3.16 -> 3.18)
`idna==3.16` is minor version(s) behind the latest stable release on PyPI (3.18). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:123
low Security checks software dependencies conf 0.90 Python package `langchain-anthropic` is minor version(s) behind (1.3.4 -> 1.4.4)
`langchain-anthropic==1.3.4` is minor version(s) behind the latest stable release on PyPI (1.4.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:141
low Security checks software dependencies conf 0.90 Python package `langchain-core` is minor version(s) behind (1.2.18 -> 1.4.0)
`langchain-core==1.2.18` is minor version(s) behind the latest stable release on PyPI (1.4.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:143
low Security checks software dependencies conf 0.90 2 occurrences Python package `langchain-deepseek` is minor version(s) behind (1.0.1 -> 1.1.0)
`langchain-deepseek==1.0.1` is minor version(s) behind the latest stable release on PyPI (1.1.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
lines 158, 164
requirements.txt:158, 164 (2 hits)
low Security checks software dependencies conf 0.90 Python package `langchain-openai` is minor version(s) behind (1.1.10 -> 1.2.2)
`langchain-openai==1.1.10` is minor version(s) behind the latest stable release on PyPI (1.2.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:166
low Security checks software dependencies conf 0.90 Python package `langchain-perplexity` is minor version(s) behind (1.1.0 -> 1.3.1)
`langchain-perplexity==1.1.0` is minor version(s) behind the latest stable release on PyPI (1.3.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:171
low Security checks software dependencies conf 0.90 Python package `langchain` is minor version(s) behind (1.2.10 -> 1.3.4)
`langchain==1.2.10` is minor version(s) behind the latest stable release on PyPI (1.3.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:139
low Security checks software dependencies conf 0.90 Python package `langgraph-checkpoint-sqlite` is minor version(s) behind (3.0.3 -> 3.1.0)
`langgraph-checkpoint-sqlite==3.0.3` is minor version(s) behind the latest stable release on PyPI (3.1.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:184
low Security checks software dependencies conf 0.90 Python package `langgraph-prebuilt` is minor version(s) behind (1.0.8 -> 1.1.0)
`langgraph-prebuilt==1.0.8` is minor version(s) behind the latest stable release on PyPI (1.1.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:186
low Security checks software dependencies conf 0.90 Python package `langgraph-sdk` is minor version(s) behind (0.3.14 -> 0.4.2)
`langgraph-sdk==0.3.14` is minor version(s) behind the latest stable release on PyPI (0.4.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:190
low Security checks software dependencies conf 0.90 Python package `langgraph` is minor version(s) behind (1.0.10 -> 1.2.4)
`langgraph==1.0.10` is minor version(s) behind the latest stable release on PyPI (1.2.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:175
low Security checks software dependencies conf 0.90 Python package `mpmath` is minor version(s) behind (1.3.0 -> 1.4.1)
`mpmath==1.3.0` is minor version(s) behind the latest stable release on PyPI (1.4.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:202
low Security checks software dependencies conf 0.90 Python package `onnxruntime` is minor version(s) behind (1.23.2 -> 1.26.0)
`onnxruntime==1.23.2` is minor version(s) behind the latest stable release on PyPI (1.26.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:219
low System graph software Dead code candidate conf 1.00 File has no detected symbols: config/log.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: eva/subconscious/_mood/labels.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/feed/events.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: frontend/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 3 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: eva/database/embeddings.py:init, eva/database/embeddings.py:init. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
3 occurrences
repo-level (3 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: eva/database/embeddings.py:embed_many, eva/database/embeddings.py:embed_many, eva/database/embeddings.py:embed_many. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
4 occurrences
repo-level (4 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_flash_v2` in eva/actions/voice/model_elevenlabs.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: add_action
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/actions/system.py:21
low System graph software Dead code conf 1.00 Possibly dead Python function: analyze_screenshot
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/vision/describer.py:66
low System graph software Dead code conf 1.00 Possibly dead Python function: callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
config/record_void.py:78
low System graph software Dead code conf 1.00 Possibly dead Python function: capture
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/vision/vision_sense.py:55
low System graph software Dead code conf 1.00 Possibly dead Python function: clear_session_people
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/memory.py:232
low System graph software Dead code conf 1.00 Possibly dead Python function: forget
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/moment.py:133
low System graph software Dead code conf 1.00 Possibly dead Python function: handle_tool_error
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/tools/__init__.py:25
low System graph software Dead code conf 1.00 Possibly dead Python function: identify
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/vision/vision_sense.py:43
low System graph software Dead code conf 1.00 Possibly dead Python function: identify
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/vision/face_identifier.py:52
low System graph software Dead code conf 1.00 Possibly dead Python function: interrupt_from_thread
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/actions/voice/voice_actor.py:69
low System graph software Dead code conf 1.00 Possibly dead Python function: is_busy
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/graph.py:131
low System graph software Dead code conf 1.00 Possibly dead Python function: make_show_tool
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/tools/show.py:9
low System graph software Dead code conf 1.00 Possibly dead Python function: make_speak_tool
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/tools/speak.py:8
low System graph software Dead code conf 1.00 Possibly dead Python function: model_id
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/database/embeddings.py:187
low System graph software Dead code conf 1.00 Possibly dead Python function: off
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/actions/action_buffer.py:77
low System graph software Dead code conf 1.00 Possibly dead Python function: peek
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/sense_buffer.py:100
low System graph software Dead code conf 1.00 Possibly dead Python function: provider_id
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/database/embeddings.py:184
low System graph software Dead code conf 1.00 Possibly dead Python function: pull_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/sense_buffer.py:111
low System graph software Dead code conf 1.00 Possibly dead Python function: recall
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/moment.py:91
low System graph software Dead code conf 1.00 Possibly dead Python function: receive_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/senses/audio/audio_sense.py:119
low System graph software Dead code conf 1.00 Possibly dead Python function: reinforce
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/moment.py:123
low System graph software Dead code conf 1.00 Possibly dead Python function: remember
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/core/moment.py:70
low System graph software Dead code conf 1.00 Possibly dead Python function: update_prompt
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
eva/utils/prompt/__init__.py:24
low System graph software Dead code conf 1.00 Possibly dead Python function: validate_language
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
config/language.py:19
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — frontend/src/services/WebSocketService.js:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/post
`frontend/vite-plugin-feed.js` declares `USE /api/post` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/stream
`frontend/vite-plugin-feed.js` declares `USE /api/stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
API access

This page is publicly accessible at: https://repobility.com/scan/b414004c-c064-48b5-baa2-3aa625880003/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/b414004c-c064-48b5-baa2-3aa625880003/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.