Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

hermes-agent

https://github.com/NousResearch/hermes-agent.git · scanned 2026-05-17 02:56 UTC (13 hours, 21 minutes ago) · 10 languages

914 findings (102 legacy + 812 scanner) 7/10 scanners ran 86th percentile · Python · huge (>500K LoC) Scanner says 69 (higher by 17)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 13 hours, 22 minutes ago · v1 · 914 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
75.4
/100
Repobility
82
102 legacy
9-layer
69
100.0% cov · 812 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: layer: software × excluding tests × Reset all
Severity: Critical 0 High 98 Medium 96 Low 390 Source: Legacy 102 9-layer 812 Crowd 0 Layer: Security 107 Quality 615 Software 96 Cicd 18 Frontend 25 Hardware 3 Api 50
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 69.0/100 with 100.0% coverage. It contains 48717 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 812 findings — concentrated in quality (593), software (74), security (62). Risk profile is high: 0 critical, 60 high, 36 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 96 of 914 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
agent/anthropic_adapter.py:827 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
agent/account_usage.py:116 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
acp_adapter/server.py:141 ssrflegacy
high Legacy software resource_exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
optional-skills/research/darwinian-evolver/scripts/show_snapshot.py:36 resource_exhaustionlegacy
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
hermes_cli/commands.py:279 redoslegacy
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
gateway/platforms/yuanbao.py:604 redoslegacy
medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…
agent/redact.py:180 redoslegacy
medium Legacy software log_injection conf 1.00 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117.
Strip control characters before logging: safe = user_input.replace('\n','').replace('\r','').replace('\x00','') logger.info('User action: %s', safe) Always use parameterized logging (`%s` + args), never f-strings or string concat — that's also what mitigates log4shell-style attacks. For structu…
trajectory_compressor.py:1000 log_injectionlegacy
medium Legacy software resource_exhaustion conf 1.00 [SEC037] Uncontrolled Recursion — stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{"a":{"a":{"a":...10000 levels...}}}` to blow the stack. Real CVEs: CVE-2019-16935 (Python xmlrpc), CVE-2020-25659 (PyYAML before 5.4). CWE-674/1325.
Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` — it rejects deeply-nested + billion-laughs payloads. For JSON: set a depth limit explicitly: import json data = json.loads(s) # then validate structure depth manually For YAML: always use `yaml.safe_load`. For recursive code over…
hermes_cli/web_server.py:2942 resource_exhaustionlegacy
medium Legacy software resource_exhaustion conf 1.00 [SEC037] Uncontrolled Recursion — stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{"a":{"a":{"a":...10000 levels...}}}` to blow the stack. Real CVEs: CVE-2019-16935 (Python xmlrpc), CVE-2020-25659 (PyYAML before 5.4). CWE-674/1325.
Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` — it rejects deeply-nested + billion-laughs payloads. For JSON: set a depth limit explicitly: import json data = json.loads(s) # then validate structure depth manually For YAML: always use `yaml.safe_load`. For recursive code over…
gateway/platforms/wecom_callback.py:313 resource_exhaustionlegacy
medium Legacy software resource_exhaustion conf 1.00 [SEC037] Uncontrolled Recursion — stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{"a":{"a":{"a":...10000 levels...}}}` to blow the stack. Real CVEs: CVE-2019-16935 (Python xmlrpc), CVE-2020-25659 (PyYAML before 5.4). CWE-674/1325.
Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` — it rejects deeply-nested + billion-laughs payloads. For JSON: set a depth limit explicitly: import json data = json.loads(s) # then validate structure depth manually For YAML: always use `yaml.safe_load`. For recursive code over…
agent/curator.py:652 resource_exhaustionlegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
plugins/memory/hindsight/__init__.py:678 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
hermes_cli/memory_setup.py:108 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
hermes_cli/uninstall.py:669 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
README.zh-CN.md:34 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
README.md:36 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
plugins/memory/byterover/plugin.yaml:6 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
plugins/memory/byterover/__init__.py:10 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
plugins/memory/byterover/README.md:9 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
optional-skills/devops/cli/references/cli-reference.md:6 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
optional-skills/devops/cli/references/authentication.md:6 dependencylegacy
medium Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
.github/ISSUE_TEMPLATE/setup_help.yml:35 dependencylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: hermes_cli/default_soul.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_minisweagent_path.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tools/computer_use_tool.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/index.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/entry-exports.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/colorize.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/components/CursorAdvanceContext.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/components/CursorDeclarationContext.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/components/Text.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/cursor.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/devtools.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/events/event-handlers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/instances.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/layout/node.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/terminal.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/termio.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/wrap-text.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/src/ink/wrapAnsi.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/text-input.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/packages/hermes-ink/text-input.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: ui-tui/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/components/NouiTypography.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/contexts/page-header-context.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/contexts/system-actions-context.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/af.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/de.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/en.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/es.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/fr.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/ga.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/hu.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/it.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/ja.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/ko.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/pt.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/ru.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/tr.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/uk.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/zh-hant.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/i18n/zh.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/plugins/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/themes/presets.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: web/src/themes/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: website/docusaurus.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: website/sidebars.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code conf 1.00 Possibly dead Python function: apply_transformation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:12797 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: clear_messages
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
hermes_state.py:2237 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: crawl_source
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_skills_index.py:66 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: dec
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tui_gateway/server.py:438 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: env_bool
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
utils.py:285 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: env_int
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
utils.py:274 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: expires_unix_seconds
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/google_oauth.py:455 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: go
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tui_gateway/server.py:5933 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_enter
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:11815 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/google_oauth.py:748 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: process_entry
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trajectory_compressor.py:948 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: process_loop
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:13531 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: read_claude_managed_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/anthropic_adapter.py:757 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: register_subparser
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/lsp/cli.py:22 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_after_agent_ready
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tui_gateway/server.py:3014 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_background
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:8174 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: run_lsp_command
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/lsp/cli.py:70 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_b64_video
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/video_gen_provider.py:213 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_bytes_video
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/video_gen_provider.py:233 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_trajectory
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
agent/trajectory.py:30 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: secret_cb
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
tui_gateway/server.py:1660 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: spinner_loop
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:13511 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: stream_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cli.py:10939 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: sub_link
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
website/scripts/generate-skill-docs.py:239 dead-code
{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/babdf5bb-90da-4ecd-a31d-8963b056e767/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/babdf5bb-90da-4ecd-a31d-8963b056e767/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.