173 of your 321 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.03s · analysis 29.95s · 5.0 MB · GitHub preflight 437ms

xbrxr03/clawos

https://github.com/xbrxr03/clawos · scanned 2026-06-05 18:23 UTC (4 days, 18 hours ago) · 10 languages

787 raw signals (303 security + 484 graph) · 48th percentile · Python · medium (20-100K LoC) · System graph score 76 (lower by 14)


Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 383 actionable findings from 2 signal sources. 162 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score            21.1    0.25          5.28
testing_score             78.0    0.20         15.60
documentation_score       93.7    0.15         14.05
practices_score           86.0    0.15         12.90
code_quality              49.0    0.10          4.90
Overall                            1.00         61.7
Active filters: excluding tests
Scan summary: Quality grade C+ (62/100). Dimensions: security 21, maintainability 60. 303 findings (93 security). 86,250 lines analyzed.

Showing 332 of 383 actionable findings. 545 raw detector signals were grouped into reader-sized issues.

high Security checks quality Quality conf 1.00 ✓ Repobility 8 occurrences Missing import: `queue` used but not imported
The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
8 files, 8 locations
archive/legacy/capabilityd/service.py:93
clawctl/commands/cookbook.py:52
clawctl/commands/skill.py:83
clawos_core/platform.py:156
services/dashd/api.py:2870
services/memd/service.py:525
skills/notebooks/main.py:405
tools/web/fetch.py:44
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /{event_id}.
services/calendard/service.py:46
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /{note_id}.
services/noted/service.py:66
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/v1/entities/{entity_id}.
services/braind/main.py:459
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{event_id}.
services/calendard/service.py:38
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{note_id}.
services/noted/service.py:42
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/approvals/{approval_id}/approve.
archive/legacy/dashboard-backend/service.py:242
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/approvals/{approval_id}/deny.
archive/legacy/dashboard-backend/service.py:247
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/v1/workflows/{workflow_id}/execute.
services/visuald/main.py:226
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /api/workflows/{workflow_id}/run.
archive/legacy/dashboard-backend/service.py:662
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /{note_id}.
services/noted/service.py:50
low Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
3 files, 3 locations
clawctl/commands/dashboard.py:273
dashboard/nexus-command/serve.py:49
scripts/mcp-demo.py:105
low Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
3 files, 3 locations
bootstrap/model_provision.py:50
clawctl/commands/model.py:21
packaging/iso/hooks/01-install-deps.sh:31
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
clients/desktop/launch_command_center.py:50
low Security checks security Injection conf 1.00 3 occurrences [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
3 files, 3 locations
clawos_core/platform.py:115
scripts/verify_repo.py:98
services/braind/significance_filter.py:110
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._scan_file_types` used but never assigned in __init__
Method `scan` of class `CapabilityScanner` reads `self._scan_file_types`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
3 files, 25 locations
workflows/discovery.py:73, 78, 96, 109, 179, 180, 198, 202, +1 more (9 hits)
workflows/durable_engine.py:213, 216, 222, 225, 226, 231, 245, 264 (8 hits)
workflows/engine.py:166, 171, 188, 203, 237, 292, 293 (8 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 5 occurrences Blocking call `input` inside async function `run_repl`
`input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
3 files, 5 locations
services/dashd/api.py:1392, 1431 (2 hits)
services/memd/service.py:794, 799 (2 hits)
clients/cli/repl.py:170
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence.
dashboard/frontend/src/pages/Registry.tsx:191
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /api/models/{model_name} has no auth
Handler `api_delete_model` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:290
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI DELETE /{note_id} has no auth
Handler `api_delete_note` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/noted/service.py:67
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /a2a/tasks/send has no auth
Handler `receive_task` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/a2ad/service.py:204
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/agents/{workspace_id}/reset has no auth
Handler `api_agent_reset` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:613
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/approvals/{approval_id}/approve has no auth
Handler `api_approve` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:243
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/approvals/{approval_id}/deny has no auth
Handler `api_deny` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:248
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/delegate has no auth
Handler `api_delegate` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:569
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/models/{model_name}/pull has no auth
Handler `api_pull_model` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:283
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/nexus/chat has no auth
Handler `api_nexus_chat` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:625
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/tasks/submit has no auth
Handler `api_submit_task` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:186
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/action has no auth
Handler `execute_action` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/desktopd/main.py:753
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/screenshot has no auth
Handler `take_screenshot` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/desktopd/main.py:741
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/speak has no auth
Handler `speak_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/voiced/main.py:581
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/task has no auth
Handler `execute_task` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/desktopd/main.py:776
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/v1/transcribe has no auth
Handler `transcribe_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/voiced/main.py:605
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /api/workflows/{workflow_id}/run has no auth
Handler `api_workflow_run` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
archive/legacy/dashboard-backend/service.py:663
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /create has no auth
Handler `api_create_event` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/calendard/service.py:26
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /create has no auth
Handler `api_create_note` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/noted/service.py:32
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /mcp has no auth
Handler `mcp_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/mcpd/main.py:633
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /reminders has no auth
Handler `create_reminder` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/reminderd/main.py:255
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /send has no auth
Handler `api_send` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/maild/service.py:30
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /submit has no auth
Handler `submit_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/agentd/service.py:211
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /trigger has no auth
Handler `trigger_wake` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/waketrd/main.py:58
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /voiced-webhook has no auth
Handler `voiced_webhook` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/waketrd/main.py:142
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI PUT /{note_id} has no auth
Handler `api_update_note` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
services/noted/service.py:51
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 17 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v4` (a tag or branch) rather than to a commit. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 17 locations
.github/workflows/ci.yml:14, 15, 27, 28, 39, 49, 52, 76 (9 hits)
.github/workflows/release.yml:13, 14, 18, 50 (5 hits)
.github/workflows/security.yml:14, 15, 24 (3 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_microphone
Test function `test_microphone` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
services/voiced/service.py:319
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_pipeline
Test function `test_pipeline` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
services/voiced/service.py:344
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_provider
Test function `test_provider` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
services/dashd/api.py:1226
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_provider_profile
Test function `test_provider_profile` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
clawos_core/catalog.py:623
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_wake_word
Test function `test_wake_word` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
services/voiced/service.py:363
high Security checks security auth conf 0.83 4 occurrences Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
3 files, 4 locations
dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:390, 410 (2 hits)
dashboard/frontend/src/pages/Research.tsx:290
dashboard/frontend/src/pages/Settings.tsx:325
high System graph quality Integrity conf 1.00 Blocking `urllib.request.urlopen(...)` inside `async def extract_and_append` — services/memd/service.py:799
Sync I/O inside an async function blocks the event loop. While `urllib.request.urlopen(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asy…
services/memd/service.py:799 · Sync io in async · Performance
high System graph quality Integrity conf 1.00 Blocking `urllib.request.urlopen(...)` inside `async def morning_briefing` — services/dashd/api.py:1392
Sync I/O inside an async function blocks the event loop. While `urllib.request.urlopen(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asy…
services/dashd/api.py:1392 · Sync io in async · Performance
high System graph quality Integrity conf 1.00 Blocking `urllib.request.urlopen(...)` inside `async def morning_briefing` — services/dashd/api.py:1431
Sync I/O inside an async function blocks the event loop. While `urllib.request.urlopen(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asy…
services/dashd/api.py:1431 · Sync io in async · Performance
high System graph api Wiring conf 1.00 Dangling fetch: GET /api${path} (dashboard/frontend/src/lib/api.js:3)
`dashboard/frontend/src/lib/api.js:3` calls `GET /api${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/api/<p>`. If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api${s} (services/dashd/static/assets/command-center-pages-oUjTN8mv.js:4)
`services/dashd/static/assets/command-center-pages-oUjTN8mv.js:4` calls `GET /api${s}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/api/<p>`. If this points at an external API, prefix it with `https://` so the matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/setup/openclaw/${path} (dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:23)
`dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:23` calls `GET /api/setup/openclaw/${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/setup/openclaw/<p>`. If this points at an external API, …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/setup/openclaw/${t} (services/dashd/static/assets/setup-Cez0JBY1.js:6)
`services/dashd/static/assets/setup-Cez0JBY1.js:6` calls `GET /api/setup/openclaw/${t}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/setup/openclaw/<p>`. If this points at an external API, prefix it with `https://`…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/setup/openclaw/${path} (dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:14)
`dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:14` calls `POST /api/setup/openclaw/${path}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/setup/openclaw/<p>`. If this points at an external API,…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/setup/openclaw/${t} (services/dashd/static/assets/setup-Cez0JBY1.js:6)
`services/dashd/static/assets/setup-Cez0JBY1.js:6` calls `POST /api/setup/openclaw/${t}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/setup/openclaw/<p>`. If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph security auth conf 1.00 FastAPI DELETE `api_delete_event` without auth dependency — services/calendard/service.py:46
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/calendard/service.py:46 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `api_delete_model` without auth dependency — archive/legacy/dashboard-backend/service.py:289
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:289 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `api_delete_note` without auth dependency — services/noted/service.py:66
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/noted/service.py:66 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_sandbox` without auth dependency — services/sandboxd/v2/main.py:397
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/sandboxd/v2/main.py:397 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI DELETE `delete_session` without auth dependency — services/researchd/service.py:161
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:161 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_agent_reset` without auth dependency — archive/legacy/dashboard-backend/service.py:612
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:612 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_approve` without auth dependency — archive/legacy/dashboard-backend/service.py:242
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:242 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_create_event` without auth dependency — services/calendard/service.py:25
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/calendard/service.py:25 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_create_note` without auth dependency — services/noted/service.py:31
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/noted/service.py:31 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_delegate` without auth dependency — archive/legacy/dashboard-backend/service.py:568
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:568 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_deny` without auth dependency — archive/legacy/dashboard-backend/service.py:247
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:247 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_nexus_chat` without auth dependency — archive/legacy/dashboard-backend/service.py:624
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:624 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_pull_model` without auth dependency — archive/legacy/dashboard-backend/service.py:282
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:282 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_send` without auth dependency — services/maild/service.py:29
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/maild/service.py:29 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_submit_task` without auth dependency — archive/legacy/dashboard-backend/service.py:185
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:185 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `api_workflow_run` without auth dependency — archive/legacy/dashboard-backend/service.py:662
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
archive/legacy/dashboard-backend/service.py:662 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `apply` without auth dependency — services/setupd/service.py:1192
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1192 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `cancel` without auth dependency — services/setupd/service.py:1207
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1207 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_agent` without auth dependency — services/agentd/v2/main.py:499
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/agentd/v2/main.py:499 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_crew` without auth dependency — services/agentd/v2/main.py:532
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/agentd/v2/main.py:532 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_entity` without auth dependency — services/braind/main.py:440
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/braind/main.py:440 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_memory` without auth dependency — services/braind/main.py:483
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/braind/main.py:483 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_reminder` without auth dependency — services/reminderd/main.py:254
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/reminderd/main.py:254 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_sandbox` without auth dependency — services/sandboxd/v2/main.py:325
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/sandboxd/v2/main.py:325 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_task` without auth dependency — services/agentd/v2/main.py:559
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/agentd/v2/main.py:559 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_workflow` without auth dependency — services/visuald/main.py:211
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/visuald/main.py:211 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_action` without auth dependency — services/desktopd/main.py:752
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/desktopd/main.py:752 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_code` without auth dependency — services/sandboxd/v2/main.py:353
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/sandboxd/v2/main.py:353 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_crew` without auth dependency — services/agentd/v2/main.py:582
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/agentd/v2/main.py:582 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_task` without auth dependency — services/desktopd/main.py:775
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/desktopd/main.py:775 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `execute_workflow` without auth dependency — services/visuald/main.py:226
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/visuald/main.py:226 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `fetch_sources` without auth dependency — services/researchd/service.py:115
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:115 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `import_openclaw` without auth dependency — services/setupd/service.py:1166
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1166 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `inspect` without auth dependency — services/setupd/service.py:1104
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1104 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `mark_done` without auth dependency — services/researchd/service.py:150
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:150 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `mcp_endpoint` without auth dependency — services/mcpd/main.py:632
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/mcpd/main.py:632 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `omi_transcript` without auth dependency — services/dashd/api.py:2407
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/dashd/api.py:2407 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `openclaw_configure` without auth dependency — services/setupd/service.py:1266
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1266 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `openclaw_install` without auth dependency — services/setupd/service.py:1248
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1248 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `openclaw_skills` without auth dependency — services/setupd/service.py:1373
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1373 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `openclaw_start` without auth dependency — services/setupd/service.py:1324
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1324 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `pause_session` without auth dependency — services/researchd/service.py:130
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:130 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `plan` without auth dependency — services/setupd/service.py:1109
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1109 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `prepare_model` without auth dependency — services/setupd/service.py:1172
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1172 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `receive_task` without auth dependency — services/a2ad/service.py:203
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/a2ad/service.py:203 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `receive_task` without auth dependency — services/clawd/service.py:93
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/clawd/service.py:93 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `receive_task` without auth dependency — services/memd/service.py:703
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/memd/service.py:703 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `record_call` without auth dependency — services/observd/main.py:407
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/observd/main.py:407 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `repair` without auth dependency — services/setupd/service.py:1202
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1202 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `resume_session` without auth dependency — services/researchd/service.py:140
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:140 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `retry` without auth dependency — services/setupd/service.py:1197
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1197 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `search_memories` without auth dependency — services/braind/main.py:501
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/braind/main.py:501 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `select_pack` without auth dependency — services/setupd/service.py:1114
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1114 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `setup_autonomy` without auth dependency — services/setupd/service.py:1150
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1150 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `setup_install_milestone` without auth dependency — services/setupd/service.py:1158
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1158 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `setup_options` without auth dependency — services/setupd/service.py:1142
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1142 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `setup_presence` without auth dependency — services/setupd/service.py:1134
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1134 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `speak_endpoint` without auth dependency — services/voiced/main.py:580
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/voiced/main.py:580 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `start_research` without auth dependency — services/researchd/service.py:81
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/researchd/service.py:81 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `take_screenshot` without auth dependency — services/desktopd/main.py:740
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/desktopd/main.py:740 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `transcribe_endpoint` without auth dependency — services/voiced/main.py:604
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/voiced/main.py:604 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `trigger_wake` without auth dependency — services/waketrd/main.py:57
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/waketrd/main.py:57 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `voice_greet` without auth dependency — services/setupd/service.py:1186
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1186 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `voice_test` without auth dependency — services/setupd/service.py:1180
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/setupd/service.py:1180 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `voiced_webhook` without auth dependency — services/waketrd/main.py:141
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/waketrd/main.py:141 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `write_file` without auth dependency — services/sandboxd/v2/main.py:371
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/sandboxd/v2/main.py:371 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `api_update_note` without auth dependency — services/noted/service.py:50
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
services/noted/service.py:50 securityAuth fastapi unauth mutation
high · System graph · security · conf 1.00 · 6 occurrences · Insecure pattern detected
Found a known-risky pattern. Review and replace if possible.
6 locations
eval_used: workflows/pr_review/workflow.py:28
exec_used: scripts/security_audit.py:46
exec_used: skills/marketplace/sandbox.py:155
exec_used: skills/notebooks/main.py:280
exec_used: workflows/pr_review/workflow.py:27
tls_verify_false: workflows/pr_review/workflow.py:26
medium · Security checks · security · auth · conf 0.92 · [AUC001] No Repobility access matrix policy found
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high · Security checks · security · auth · conf 0.66 · 10 occurrences · [AUC004] Admin route does not show super_admin separation
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access.
10 locations
GET /api/a2a/signing-key (services/dashd/api.py:2487)
GET /api/agents (archive/legacy/dashboard-backend/service.py:593)
GET /api/mcp/servers (services/dashd/api.py:2494)
GET /api/tasks/{task_id} (services/dashd/api.py:1127)
POST /api/agents/{workspace_id}/reset (archive/legacy/dashboard-backend/service.py:612)
POST /api/approve/{request_id} (services/dashd/api.py:1147)
POST /api/chat (services/dashd/api.py:1136)
POST /api/nexus/chat (archive/legacy/dashboard-backend/service.py:624)
POST /api/research/sessions/{session_id}/pause (services/dashd/api.py:2272)
POST /api/tasks/submit (services/dashd/api.py:1104)
high · Security checks · security · auth · conf 0.68 · 10 occurrences · [AUC009] Sensitive function route lacks elevated authorization evidence
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence.
10 locations
DELETE /api/models/{model_name} (archive/legacy/dashboard-backend/service.py:289)
DELETE /{event_id} (services/calendard/service.py:46)
DELETE /{note_id} (services/noted/service.py:66)
DELETE /{session_id} (services/researchd/service.py:161)
GET /api/approvals (archive/legacy/dashboard-backend/service.py:237)
GET /api/peers (archive/legacy/dashboard-backend/service.py:559)
GET /api/tokens (archive/legacy/dashboard-backend/service.py:545)
GET /export/ical (services/calendard/service.py:54)
POST /api/approvals/{approval_id}/approve (archive/legacy/dashboard-backend/service.py:242)
POST /api/approvals/{approval_id}/deny (archive/legacy/dashboard-backend/service.py:247)
medium · Security checks · security · auth · conf 0.72 · [AUC012] FastAPI interactive docs may be exposed by framework defaults
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
low · Security checks · quality · Error handling · conf 1.00 · 3 occurrences · [ERR001] Silent Exception Swallowing
Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
clawctl/commands/dashboard.py:252
clawctl/commands/status.py:113
dashboard/nexus-command/serve.py:22
medium · Security checks · quality · Error handling · conf 1.00 · 3 occurrences · [ERR002] Empty Catch Block
Empty catch blocks hide errors. Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
dashboard/frontend/src/hooks/useClawOS.js:93
dashboard/frontend/src/pages/Memory.tsx:61
dashboard/frontend/src/pages/Traces.tsx:66
medium · Security checks · security · path traversal · conf 1.00 · [SEC012] ZipSlip — Archive Path Traversal
Archive extraction without path validation allows writing files outside the target directory. Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
skills/marketplace/installer.py:116
medium · Security checks · security · Crypto · conf 1.00 · [SEC014] SSL Verification Disabled
SSL certificate verification is disabled, allowing man-in-the-middle attacks. Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
workflows/pr_review/workflow.py:26
medium · Security checks · quality · Quality · conf 1.00 · 2 occurrences · [SEC087] JS: weak Math.random for crypto
Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
2 files, 2 locations
services/dashd/static/assets/Brain-HCR_Wu1E.js:1
dashboard/frontend/src/pages/setup/atoms.tsx:62
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
scripts/verify_repo.py:85
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
clawctl/commands/status.py:69
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
install.sh:331
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
archive/legacy/dashboard-backend/service.py:5
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
9 files, 25 locations
openclaw_integration/installer.py:31, 104, 126, 151, 165, 277 (6 hits)
bootstrap/hardware_probe.py:237, 341, 348, 357 (4 hits)
openclaw_integration/compression.py:40, 58, 130, 147 (4 hits)
bootstrap/model_provision.py:19, 27, 96 (3 hits)
bootstrap/service_enable.py:34, 111 (2 hits)
frameworks/runner.py:45, 50 (2 hits)
openclaw_integration/responses_api.py:32, 88 (2 hits)
bootstrap/memory_init.py:36
Tags: Error handling, quality
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
dashboard/frontend/package-lock.json
high Security checks quality Quality conf 0.74 7 occurrences Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
5 files, 7 locations
dashboard/frontend/src/lib/commandCenterApi.ts:605, 868 (2 hits)
dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:14, 23 (2 hits)
clients/dashboard/index.html:666
services/dashd/static/assets/setup-Cez0JBY1.js:6
services/dashd/static/assets/workflows-BhVdju9M.js:1
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/ci.yml:14
.github/workflows/release.yml:13
.github/workflows/security.yml:14
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)
`uses: actions/setup-node@v4` is 2 major version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/ci.yml:76
.github/workflows/release.yml:18
.github/workflows/security.yml:24
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `actions/setup-python@v5` is 1 major version(s) behind (latest v6.2.0)
`uses: actions/setup-python@v5` is 1 major version(s) behind the latest published release v6.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
3 files, 3 locations
.github/workflows/ci.yml:15
.github/workflows/release.yml:14
.github/workflows/security.yml:15
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/release.yml:50
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/ci.yml:39
high Security checks quality Quality conf 0.80 4 occurrences localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
4 files, 4 locations
dashboard/frontend/src/components/GettingStartedCard.tsx:82
dashboard/frontend/src/pages/setup/SetupPage.tsx:101
dashboard/frontend/src/pages/setup/screens/SummaryScreen.tsx:60
services/dashd/static/assets/setup-Cez0JBY1.js:6
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
dashboard/frontend/package.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
dashboard/frontend/package-lock.json
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 react-router: GHSA-2j2x-hqr9-3h42
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
dashboard/frontend/package-lock.json
high Security checks software dependencies conf 0.70 12 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
12 files, 12 locations
RELEASE_NOTES_v0.1.0.md:73
clawctl/commands/cookbook.py:401
clawctl/commands/model.py:21
docs/INSTALL_URL_SETUP.md:46
docs/LAUNCH/hn_submission.md:12
docs/LAUNCH/twitter_thread.md:9
docs/SECURITY_AUDIT.md:15
landing/og-card.html:192
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
dashboard/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
dashboard/frontend/package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
dashboard/frontend/package-lock.json
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — services/dashd/static/assets/vendor-DqHgBUmG.js:33
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/frontend/src/App.tsx:271
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/frontend/src/lib/api.js:3
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:14
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/Brain-HCR_Wu1E.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/command-center-pages-oUjTN8mv.js:4
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/index-CIDWrdio.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/License-BUrkrK0b.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/setup-Cez0JBY1.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/Skills-zu6tmI3E.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — services/dashd/static/assets/workflows-BhVdju9M.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: runtime safety, Robustness
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in scripts/security_audit.py:30
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
scripts/security_audit.py:30
Tag: Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in workflows/pr_review/workflow.py:25
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
workflows/pr_review/workflow.py:25
Tag: Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — bootstrap/model_provision.py:109
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/commands/doctor.py:23
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/commands/logs.py:29
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/commands/model.py:39
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/commands/start.py:32
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/commands/stop.py:14
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawctl/main.py:490
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawos_core/circuit_breaker.py:102
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clawos_core/util/git.py:29
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — clients/cli/repl.py:246
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — frameworks/installer.py:89
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — frameworks/runner.py:22
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — nexus/cli.py:281
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — openclaw_integration/installer.py:54
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — openclaw_integration/launcher.py:50
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — runtimes/agent/tools/files.py:85
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — runtimes/voice/microphone.py:46
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/security_audit.py:155
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/verify_repo.py:110
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — services/desktopd/main.py:431
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — services/setupd/service.py:65
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — services/voiced/service.py:256
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — tools/shell/do/runner.py:133
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety, Robustness
low Security checks quality Quality conf 0.68 Archive or legacy directory is mixed into the active repository root
Archive, old, backup, or legacy directories at the root often hide obsolete implementations that AI agents can copy from or accidentally rewire.
archive:1
low Security checks quality Quality conf 0.60 7 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
7 files, 7 locations
clawctl/commands/status.py:18
dashboard/frontend/src/pages/Federation.tsx:6
dashboard/frontend/src/pages/MCPManager.tsx:9
dashboard/frontend/src/pages/Registry.tsx:210
services/dashd/static/sw.js:1
services/voiced/service.py:71
workflows/write_readme/workflow.py:40
Tags: duplication, quality
low Security checks software dependencies conf 0.90 npm package `@tauri-apps/api` is minor version(s) behind (2.10.1 -> 2.11.0)
`@tauri-apps/api` is pinned/resolved at 2.10.1 but the latest stable release on the npm registry is 2.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/frontend/package.json
low Security checks software dependencies conf 0.90 npm package `@tauri-apps/cli` is minor version(s) behind (^2.0.0-rc.16 -> 2.11.2)
`@tauri-apps/cli` is pinned/resolved at ^2.0.0-rc.16 but the latest stable release on the npm registry is 2.11.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rai…
desktop/command-center/package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (10.4.27 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.27 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/frontend/package.json
low Security checks software dependencies conf 0.90 npm package `three` is minor version(s) behind (0.179.0 -> 0.184.0)
`three` is pinned/resolved at 0.179.0 but the latest stable release on the npm registry is 0.184.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
dashboard/frontend/package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low System graph software Dead code candidate conf 1.00 File has no detected symbols: clawctl/commands/health_dash.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: clawos_core/key_registry.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/app/AppShell.stories.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/design/tokens.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/pages/setup/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/shims/three-webgpu.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: dashboard/frontend/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/gen_comparison_png.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/gen_social_assets.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/a2ad/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/dashd/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/metricd/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/picoclawd/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: services/setupd/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tools/browser_tools.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 Icon-only button without accessible name — dashboard/frontend/src/pages/Brain.tsx:536
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
low System graph frontend Frontend quality conf 1.00 Icon-only button without accessible name — dashboard/frontend/src/pages/setup/screens/OpenClawOnboardModal.tsx:326
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
Fq button no label
low System graph quality Tests conf 1.00 Low test-to-source ratio
75 tests / 489 src (ratio 0.15).
low System graph quality Integrity conf 1.00 19 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: clawctl/main.py:main, clawctl/main.py:main. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
19 occurrences
repo-level (19 hits)
Tags: duplicates, duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: clawos_core/circuit_breaker.py:to_dict, clawos_core/circuit_breaker.py:to_dict, clawos_core/circuit_breaker.py:to_dict. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or d…
Tags: duplicates, duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `agentd_v2` in clawctl/commands/dashboard.py:45
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `agentd_v2` in clawctl/commands/status.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `agentd_v2` in services/agentd/v2/main.py:33
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `agentd_v2` in services/dashd/api.py:560
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `clawos_setup_step_v2` in dashboard/frontend/src/App.tsx:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `clawos_setup_step_v2` in dashboard/frontend/src/pages/setup/SetupPage.tsx:44
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `clawos_setup_step_v2` in services/dashd/static/assets/index-CIDWrdio.js:2
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `clawos_setup_step_v2` in services/dashd/static/assets/setup-Cez0JBY1.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nOld` in tests/services/test_auto_skill.py:183
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sandboxd_v2` in services/sandboxd/v2/main.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker, dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: as_payload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/catalog.py:686
low System graph software Dead code conf 1.00 Possibly dead Python function: cleanup_loop
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/service_registry.py:116
low System graph software Dead code conf 1.00 Possibly dead Python function: close_all_pools
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/database.py:212
low System graph software Dead code conf 1.00 Possibly dead Python function: close_idle
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
adapters/browser/session_manager.py:75
low System graph software Dead code conf 1.00 Possibly dead Python function: create_simple_lifespan
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/fastapi_lifespan.py:78
low System graph software Dead code conf 1.00 Possibly dead Python function: decorator
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/performance.py:126
low System graph software Dead code conf 1.00 Possibly dead Python function: describe_pipeline
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
archive/legacy/capabilityd/service.py:104
low System graph software Dead code conf 1.00 Possibly dead Python function: ensure_dirs
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/constants.py:173
low System graph software Dead code conf 1.00 Possibly dead Python function: format_uptime
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawctl/commands/dashboard.py:135
low System graph software Dead code conf 1.00 Possibly dead Python function: health_check
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/bootstrap.py:161
low System graph software Dead code conf 1.00 Possibly dead Python function: initialize_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/bootstrap.py:82
low System graph software Dead code conf 1.00 Possibly dead Python function: list_capabilities
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
archive/legacy/capabilityd/service.py:111
low System graph software Dead code conf 1.00 Possibly dead Python function: list_services
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/service_registry.py:288
low System graph software Dead code conf 1.00 Possibly dead Python function: protect
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
clawos_core/circuit_breaker.py:207
low System graph software Dead code conf 1.00 Possibly dead Python function: register_after_hook
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
adapters/policy/local_policy_adapter.py:34
low System graph software Dead code conf 1.00 Possibly dead Python function: register_before_hook
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
adapters/policy/local_policy_adapter.py:31
low System graph software Dead code conf 1.00 Possibly dead Python function: shutdown_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
adapters/browser/session_manager.py:86
low System graph software Dead code conf 1.00 Possibly dead Python function: solve
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
archive/legacy/capabilityd/service.py:86
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — services/toolbridge/mcp_client.py:35
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: empty handler, dead code
low System graph quality Integrity conf 1.00 Stub function `require_auth` (body is just `pass`/`return`) — services/dashd/api.py:94
Likely an AI scaffold that was never filled in. Remove or implement.
Tags: empty handler, dead code
low System graph api Wiring conf 1.00 Unused endpoint: ANY /
`services/dashd/api.py` declares `ANY /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /api/models/{model_name}
`archive/legacy/dashboard-backend/service.py` declares `DELETE /api/models/{model_name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/agents
`archive/legacy/dashboard-backend/service.py` declares `GET /api/agents` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/attention
`services/dashd/api.py` declares `GET /api/attention` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/audit
`archive/legacy/dashboard-backend/service.py` declares `GET /api/audit` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/briefings/morning
`services/dashd/api.py` declares `GET /api/briefings/morning` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/briefings/today
`services/dashd/api.py` declares `GET /api/briefings/today` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/docs
`services/dashd/api.py` declares `GET /api/docs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/health
`services/dashd/api.py` declares `GET /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/jarvis/config
`services/dashd/api.py` declares `GET /api/jarvis/config` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/jarvis/health
`services/dashd/api.py` declares `GET /api/jarvis/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/learned
`archive/legacy/dashboard-backend/service.py` declares `GET /api/learned` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/memory
`archive/legacy/dashboard-backend/service.py` declares `GET /api/memory` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/memory/{workspace}
`services/dashd/api.py` declares `GET /api/memory/{workspace}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/missions
`services/dashd/api.py` declares `GET /api/missions` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/models
`archive/legacy/dashboard-backend/service.py` declares `GET /api/models` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/openapi.json
`services/dashd/api.py` declares `GET /api/openapi.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/packs
`services/dashd/api.py` declares `GET /api/packs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/presence
`services/dashd/api.py` declares `GET /api/presence` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/providers
`services/dashd/api.py` declares `GET /api/providers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint

Showing first 300 of 332. Refine filters or use the findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/c909edc4-e5b0-4649-b779-d5b64f392b1d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c909edc4-e5b0-4649-b779-d5b64f392b1d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.