Scan timing: clone 7.75s · analysis 12.64s · 30.7 MB · GitHub API rate-limit (preflight)

mem0ai/mem0

https://github.com/mem0ai/mem0 · scanned 2026-05-31 01:24 UTC (1 week, 6 days ago) · 10 languages

946 raw signals (277 security + 669 graph) · 11/13 scanners ran · 93rd percentile · TypeScript · large (100-500K LoC) · System graph score 48 (higher by 40)

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · last Δ -0.3 (diff) · 365 actionable findings from 2 signal sources. 202 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 93.0 0.15 13.95
practices_score 84.0 0.15 12.60
code_quality 68.0 0.10 6.80
Overall 1.00 87.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Quality grade A- (87/100). Dimensions: security 100, maintainability 60. 277 findings (53 security). 150,037 lines analyzed.

Showing 280 of 365 actionable findings. 567 raw detector signals were grouped into reader-sized issues.

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.
Add `import email` at the top of the file.
3 files, 3 locations
cli/python/src/mem0_cli/commands/init_cmd.py:370
mem0/vector_stores/faiss.py:541
server/telemetry.py:96
low Security checks security secrets conf 0.90 3 occurrences [SEC002] Hardcoded API Key: Hardcoded API key found in source code.
Use environment variables. Add the pattern to .gitignore.
3 files, 3 locations
cli/node/src/telemetry.ts:18
cli/python/src/mem0_cli/telemetry.py:22
mem0-plugin/scripts/telemetry.py:40
critical Security checks cicd CI/CD security conf 0.96 Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
server/docker-compose.yaml:31 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/openclaw-checks.yml:72 · CI/CD security · workflow secrets · GitHub Actions
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/ts-sdk-ci.yml:145 · CI/CD security · workflow secrets · GitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in cli/node/src/telemetry.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
cli/node/src/telemetry.ts:18
critical System graph security Secrets conf 1.00 Possible secret in cli/python/src/mem0_cli/telemetry.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
cli/python/src/mem0_cli/telemetry.py:22
critical System graph security Secrets conf 1.00 Possible secret in mem0-plugin/scripts/telemetry.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
mem0-plugin/scripts/telemetry.py:40
critical System graph security Secrets conf 1.00 Possible secret in mem0-ts/src/client/telemetry.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
mem0-ts/src/client/telemetry.ts:15
critical System graph security Secrets conf 1.00 Possible secret in mem0-ts/src/oss/src/utils/telemetry.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
mem0-ts/src/oss/src/utils/telemetry.ts:18
critical System graph security Secrets conf 1.00 Possible secret in mem0/memory/telemetry.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
mem0/memory/telemetry.py:15
critical System graph security Secrets conf 1.00 Possible secret in openclaw/cli/commands.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
openclaw/cli/commands.ts:344
critical System graph security Secrets conf 1.00 Possible secret in openclaw/telemetry.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
openclaw/telemetry.ts:17
critical System graph security Secrets conf 1.00 Possible secret in scripts/oss-to-platform-migrate.sh
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
scripts/oss-to-platform-migrate.sh:31
critical System graph security Secrets conf 1.00 Possible secret in server/dashboard/src/utils/api-endpoints.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
server/dashboard/src/utils/api-endpoints.ts:7
critical System graph security Secrets conf 1.00 Possible secret in server/scripts/seed.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
server/scripts/seed.sh:7
critical System graph security Secrets conf 1.00 Possible secret in server/telemetry.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
server/telemetry.py:24
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
examples/misc/voice_assistant_elevenlabs.py:228
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
mem0-plugin/scripts/setup_coding_categories.py:30
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 for context.
3 files, 3 locations
openmemory/ui/store/appsSlice.ts:195
openmemory/ui/store/filtersSlice.ts:76
openmemory/ui/store/memoriesSlice.ts:67
high Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences [MINED110] Blocking call `input` inside async function `interactive_mode`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
examples/misc/healthcare_assistant_google_adk.py:174, 184 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /messages/ has no auth: Handler `handle_get_message` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
openmemory/api/app/mcp_server.py:466
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /{client_name}/sse/{user_id}/messages/ has no auth: Handler `handle_post_message` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
openmemory/api/app/mcp_server.py:471
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM python:3.12-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
5 files, 5 locations
openmemory/api/Dockerfile:1
openmemory/ui/Dockerfile:4
server/Dockerfile:1
server/dashboard/Dockerfile:1
server/dev.Dockerfile:1
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
evaluation/evals.py:57
examples/misc/voice_assistant_elevenlabs.py:127
mem0-plugin/scripts/telemetry.py:105
high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
openclaw/config.ts:42
high Security checks cicd CI/CD security conf 0.92 4 occurrences Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
4 files, 4 locations
openmemory/api/Dockerfile:11
openmemory/ui/Dockerfile:24
server/Dockerfile:9
server/dashboard/Dockerfile:19
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 26 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K r…
11 files, 26 locations
.github/workflows/cli-node-ci.yml:22, 54, 79 (6 hits)
.github/workflows/issue-labeler.yml:15, 19, 26, 32 (4 hits)
.github/workflows/openclaw-checks.yml:22, 48, 67, 80 (4 hits)
.github/workflows/cd.yml:43 (2 hits)
.github/workflows/cli-node-cd.yml:21 (2 hits)
.github/workflows/cli-python-cd.yml:32 (2 hits)
.github/workflows/ts-sdk-cd.yml:21 (2 hits)
.github/workflows/openclaw-cd.yml:21
CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 33 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
12 files, 32 locations
.github/workflows/cli-node-ci.yml:19, 27, 51, 59, 76, 84 (9 hits)
.github/workflows/cd.yml:15, 18 (3 hits)
.github/workflows/cli-node-cd.yml:18, 26 (3 hits)
.github/workflows/cli-python-cd.yml:18, 21 (3 hits)
.github/workflows/cli-python-ci.yml:22, 47, 65 (3 hits)
.github/workflows/openclaw-checks.yml:27, 53, 85 (3 hits)
.github/workflows/ci.yml:78, 95 (2 hits)
.github/workflows/ts-sdk-cd.yml:18, 26 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks security prompt injection conf 0.82 LLM memory extraction can be prompt-injected into storing fake facts
Validate extracted facts with a schema, enforce length and count limits, reject code-fence/prompt-looking content, and discard facts that contain instruction-like phrases or raw JSON prompt fragments.
mem0/configs/prompts.py:116
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
server/dashboard/src/app/setup/page.tsx:376
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
server/dashboard/src/app/(auth)/login/login-form.tsx:111
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/auth/refresh (server/dashboard/src/lib/auth.tsx:50)
`server/dashboard/src/lib/auth.tsx:50` calls `DELETE /api/auth/refresh` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/auth/refresh`. If this points at an external API, prefix it with `https://` so the matcher skips …
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://api.openai.com/v1/models (examples/yt-assistant-chrome/src/background.js:137)
`examples/yt-assistant-chrome/src/background.js:137` calls `GET https://api.openai.com/v1/models` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/https:/api.openai.com/v1/models`. If this points at an external API, pr…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth/refresh (server/dashboard/src/lib/auth.tsx:54)
`server/dashboard/src/lib/auth.tsx:54` calls `POST /api/auth/refresh` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/auth/refresh`. If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/auth/refresh (server/dashboard/src/utils/api.ts:25)
`server/dashboard/src/utils/api.ts:25` calls `POST /api/auth/refresh` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/auth/refresh`. If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/${this.indexName}/insert (mem0-ts/src/oss/src/vector_stores/vectorize.ts:51)
`mem0-ts/src/oss/src/vector_stores/vectorize.ts:51` calls `POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/${this.indexName}/insert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for match…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/${this.indexName}/upsert (mem0-ts/src/oss/src/vector_stores/vectorize.ts:149)
`mem0-ts/src/oss/src/vector_stores/vectorize.ts:149` calls `POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/${this.indexName}/upsert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/memory_migrations/upsert (mem0-ts/src/oss/src/vector_stores/vectorize.ts:291)
`mem0-ts/src/oss/src/vector_stores/vectorize.ts:291` calls `POST https://api.cloudflare.com/client/v4/accounts/${this.accountId}/vectorize/v2/indexes/memory_migrations/upsert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matc…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.openai.com/v1/chat/completions (examples/yt-assistant-chrome/src/background.js:167)
`examples/yt-assistant-chrome/src/background.js:167` calls `POST https://api.openai.com/v1/chat/completions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/https:/api.openai.com/v1/chat/completions`. If this points a…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: PUT /api/auth/refresh (server/dashboard/src/lib/auth.tsx:42)
`server/dashboard/src/lib/auth.tsx:42` calls `PUT /api/auth/refresh` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/auth/refresh`. If this points at an external API, prefix it with `https://` so the matcher skips it.
Dangling fetch · Fetch
high System graph security auth conf 1.00 FastAPI DELETE `delete_memories` without auth dependency — openmemory/api/app/routers/memories.py:355
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:355 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PATCH `patch_configuration` without auth dependency — openmemory/api/app/routers/config.py:159
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:159 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `archive_memories` without auth dependency — openmemory/api/app/routers/memories.py:394
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:394 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_memory` without auth dependency — openmemory/api/app/routers/memories.py:221
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:221 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `export_backup` without auth dependency — openmemory/api/app/routers/backup.py:239
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/backup.py:239 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `filter_memories` without auth dependency — openmemory/api/app/routers/memories.py:545
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:545 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `import_backup` without auth dependency — openmemory/api/app/routers/backup.py:265
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/backup.py:265 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `pause_memories` without auth dependency — openmemory/api/app/routers/memories.py:415
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:415 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `refresh` without auth dependency — server/routers/auth.py:144
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
server/routers/auth.py:144 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `reset_configuration` without auth dependency — openmemory/api/app/routers/config.py:180
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:180 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_app_details` without auth dependency — openmemory/api/app/routers/apps.py:214
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/apps.py:214 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_configuration` without auth dependency — openmemory/api/app/routers/config.py:141
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:141 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_embedder_configuration` without auth dependency — openmemory/api/app/routers/config.py:228
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:228 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_llm_configuration` without auth dependency — openmemory/api/app/routers/config.py:204
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:204 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_memory` without auth dependency — openmemory/api/app/routers/memories.py:517
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/memories.py:517 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_openmemory_configuration` without auth dependency — openmemory/api/app/routers/config.py:276
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:276 · security · Auth · fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI PUT `update_vector_store_configuration` without auth dependency — openmemory/api/app/routers/config.py:252
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
openmemory/api/app/routers/config.py:252 · security · Auth · fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in mem0/reranker/huggingface_reranker.py:57
Found a known-risky pattern (eval_used). Review and replace if possible.
mem0/reranker/huggingface_reranker.py:57 · Eval used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /auth/refresh/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
server/dashboard/src/app/api/auth/refresh/route.ts:57
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /auth/refresh/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
server/dashboard/src/app/api/auth/refresh/route.ts:15
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /auth/refresh/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
server/dashboard/src/app/api/auth/refresh/route.ts:42
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
cli/python/src/mem0_cli/config.py:192
cli/python/src/mem0_cli/telemetry.py:65
cli/python/src/mem0_cli/telemetry_sender.py:72
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
cli/node/telemetry-sender.cjs:129
mem0-ts/src/client/telemetry.ts:14
mem0-ts/src/oss/src/llms/langchain.ts:130
medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
mem0/configs/embeddings/base.py:15
medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `create` (list): `def create(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def create(x=None): x = x or []`
mem0/proxy/main.py:52
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `cryptography>46.0.4` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `cryptography>46.0.4` with `cryptography==<version>` and manage upgrades through PRs / Dependabot.
server/requirements.txt:20
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `mem0ai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `mem0ai` with `mem0ai==<version>` and manage upgrades through PRs / Dependabot.
mem0-plugin/requirements.txt:1
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: `const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u);` Even better: have the server return a path (/checkout/done) instead of a full …
server/dashboard/src/utils/api.ts:20
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
mem0-plugin/scripts/_search.py:55
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 24 locations
openmemory/api/app/routers/backup.py:37, 46, 49, 350, 403, 458 (6 hits)
mem0/memory/main.py:199, 888, 894, 2304, 2309 (5 hits)
openmemory/api/app/utils/memory.py:457, 488, 497 (3 hits)
mem0/vector_stores/turbopuffer.py:290, 332 (2 hits)
mem0/client/main.py:159
mem0/embeddings/vertexai.py:32
mem0/llms/aws_bedrock.py:712
mem0/vector_stores/databricks.py:384
Error handling · quality
medium Security checks cicd CI/CD security conf 0.94 Compose service `openmemory-ui` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
openmemory/docker-compose.yml:23 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
server/Dockerfile:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
openmemory/api/Dockerfile:1 · CI/CD security · containers
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
server/dashboard/src/middleware.ts:7
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/integrations/hermes.mdx:39
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — openmemory/ui/components/ui/chart.tsx:81
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/multimodal-demo/src/utils/fileUtils.ts:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/vercel-ai-sdk-chat-app/src/utils/fileUtils.ts:13
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — mem0-ts/src/oss/src/vector_stores/vectorize.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — openclaw/telemetry.ts:4
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — openmemory/ui/components/form-view.tsx:439
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/dashboard/src/app/api/auth/refresh/route.ts:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/dashboard/src/lib/auth.tsx:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/dashboard/src/utils/api.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — vercel-ai-sdk/src/mem0-utils.ts:298
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: openmemory/api/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 7 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
7 files, 7 locations
.github/workflows/cd.yml
.github/workflows/cli-node-cd.yml
.github/workflows/cli-python-cd.yml
.github/workflows/openclaw-cd.yml
.github/workflows/opencode-plugin-cd.yml
.github/workflows/ts-sdk-cd.yml
.github/workflows/vercel-ai-cd.yml
CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in openmemory/ui/components/ui/chart.tsx:81
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
openmemory/ui/components/ui/chart.tsx:81 Dangerous innerhtml
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — cli/python/src/mem0_cli/telemetry.py:140
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph network Security conf 1.00 Privileged port 1000 in use
Port 1000 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
openmemory/compose/opensearch.yml Ports
high Security checks cicd CI/CD security conf 0.56 6 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
2 files, 6 locations
openmemory/docker-compose.yml:1, 7, 23 (3 hits)
server/docker-compose.yaml:3, 31, 51 (3 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 5 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
2 files, 5 locations
openmemory/docker-compose.yml:1, 7, 23 (3 hits)
server/docker-compose.yaml:3, 51 (2 hits)
CI/CD security · containers
low Security checks cicd CI/CD security conf 0.78 Compose service performs heavy setup work on every startup
Move migrations and asset preparation into a one-shot release job, CI step, or dedicated Compose service that completes before the app starts.
server/docker-compose.yaml:3 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.72 Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
openmemory/api/Dockerfile:8 · CI/CD security · containers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 18 locations
mem0-plugin/scripts/import_competing_tools.py:57, 61 (2 hits)
mem0-plugin/scripts/on_pre_compact.py:43, 207 (2 hits)
mem0-ts/src/oss/src/llms/openai_structured.ts:5, 48 (2 hits)
mem0/configs/llms/lmstudio.py:7, 36 (2 hits)
mem0/configs/llms/minimax.py:7, 34 (2 hits)
mem0/configs/llms/ollama.py:7, 34 (2 hits)
cli/node/src/commands/memory.ts:523
cli/python/src/mem0_cli/backend/platform.py:56
duplication · quality
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
openclaw/tools/memory-update.ts:1
low System graph quality Integrity conf 1.00 121 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ANTHROPIC_API_KEY`, `AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, `AWS_REGION`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AZURE_AI_SEARCH_API_KEY`, `AZURE_AI_SEARCH_SERVICE_NAME` + 113 more. Add them (with a placeholder/comment) to .env.example so onbo…
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:18-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
openmemory/ui/Dockerfile:4 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
server/dashboard/Dockerfile:1 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
openmemory/api/Dockerfile:1 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
server/Dockerfile:1 · containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/api/app/config.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/api/app/utils/prompts.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/accordion.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/alert.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/aspect-ratio.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/avatar.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/button.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/card.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/checkbox.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/collapsible.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/hover-card.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/input-otp.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/input.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/navigation-menu.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/popover.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/progress.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/radio-group.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/scroll-area.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/select.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/separator.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/slider.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/switch.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/table.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/tabs.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/textarea.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/toast.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/toggle-group.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/components/ui/toggle.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/next-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: openmemory/ui/tailwind.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/config/test-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/src/mem0-types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/teardown.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/generate-output.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-provider-tests/mem0-cohere.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-provider-tests/mem0-google.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-provider-tests/mem0-groq.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-provider-tests/mem0-openai.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-provider-tests/mem0_anthropic.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/mem0-toolcalls.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/memory-core.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/text-properties.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/utils-test/anthropic-integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/utils-test/cohere-integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/utils-test/google-integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/utils-test/groq-integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tests/utils-test/openai-integration.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vercel-ai-sdk/tsup.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 11 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: openmemory/api/app/mcp_server.py:handle_post_message, openmemory/api/app/mcp_server.py:handle_post_message. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
11 occurrences
repo-level (11 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 8 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: mem0/client/project.py:get, mem0/client/project.py:get, mem0/client/project.py:get. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
8 occurrences
repo-level (8 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: openmemory/api/app/mcp_server.py:search_memory, openmemory/api/app/mcp_server.py:list_memories, openmemory/api/app/mcp_server.py:delete_memories, openmemory/api/app/mcp_server.py:delete_all_memories. This is *the* AI-coder failure mode (4× more duplic…
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `aiplatform_v1` in mem0/vector_stores/vertex_ai_vector_search.py:7
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `eleven_multilingual_v2` in examples/misc/voice_assistant_elevenlabs.py:199
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `export_backup` in openmemory/api/app/routers/backup.py:240
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `get_fact_retrieval_messages_legacy` in mem0/memory/utils.py:31
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `history_old` in mem0/memory/storage.py:59
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `metadata_copy` in tests/memory/test_main.py:431
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `payload_copy` in mem0/vector_stores/faiss.py:280
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
mem0-ts/src/oss/package.json · CI/CD security · Supply chain · Npm
low System graph software Dead code conf 1.00 Possibly dead Python function: add_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/proxy/main.py:153
low System graph software Dead code conf 1.00 Possibly dead Python function: add_to_agent
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cookbooks/helper/mem0_teachability.py:42
low System graph software Dead code conf 1.00 Possibly dead Python function: calculate_bert_scores
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/metrics/utils.py:80
low System graph software Dead code conf 1.00 Possibly dead Python function: calculate_rouge_scores
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/metrics/utils.py:49
low System graph software Dead code conf 1.00 Possibly dead Python function: capture_send
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
openmemory/api/app/mcp_server.py:522
low System graph software Dead code conf 1.00 3 occurrences Possibly dead Python function: downgrade
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
openmemory/api/alembic/versions/0b53c747049a_initial_migration.py:166
openmemory/api/alembic/versions/add_config_table.py:37
openmemory/api/alembic/versions/afd00efbd06b_add_unique_user_id_constraints.py:28
low System graph software Dead code conf 1.00 Possibly dead Python function: find_class
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/vector_stores/faiss.py:47
low System graph software Dead code conf 1.00 Possibly dead Python function: format_entities
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/memory/utils.py:73
low System graph software Dead code conf 1.00 Possibly dead Python function: list_available_models
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/llms/aws_bedrock.py:648
low System graph software Dead code conf 1.00 Possibly dead Python function: model_post_init
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/configs/vector_stores/vertex_ai_vector_search.py:25
low System graph software Dead code conf 1.00 Possibly dead Python function: process_item
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/evals.py:12
low System graph software Dead code conf 1.00 Possibly dead Python function: receive
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
openmemory/api/app/mcp_server.py:480
low System graph software Dead code conf 1.00 Possibly dead Python function: run_server
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
openmemory/api/app/mcp_server.py:539
low System graph software Dead code conf 1.00 Possibly dead Python function: similarity_search
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/vector_stores/vertex_ai_vector_search.py:628
low System graph software Dead code conf 1.00 3 occurrences Possibly dead Python function: upgrade
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
openmemory/api/alembic/versions/0b53c747049a_initial_migration.py:20
openmemory/api/alembic/versions/add_config_table.py:20
openmemory/api/alembic/versions/afd00efbd06b_add_unique_user_id_constraints.py:19
low System graph software Dead code conf 1.00 Possibly dead Python function: validate_model_access
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/llms/aws_bedrock.py:690
low System graph software Dead code conf 1.00 Possibly dead Python function: validate_model_format
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mem0/configs/llms/aws_bedrock.py:114
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/branding.ts:74
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/agent-mode.ts:141
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/agent-rush.ts:69
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/config.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/entities.ts:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/events.ts:57
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/init.ts:144
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/memory.ts:191
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/utils.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/commands/whoami.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/index.ts:156
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/node/src/output.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/mem0-demo/components/assistant-ui/memory-ui.tsx:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/openai-inbuilt-tools/index.js:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/yt-assistant-chrome/src/content.js:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/client/tests/integration/global-setup.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/client/tests/integration/global-teardown.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/common/exceptions.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/basic.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/llms/mistral-example.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/local-llms.ts:66
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/utils/test-utils.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/azure-ai-search.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/index.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/memory.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/pgvector.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/qdrant.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/redis.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/examples/vector-stores/supabase.ts:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/src/utils/logger.ts:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/src/vector_stores/azure_ai_search.ts:265
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/src/vector_stores/redis.ts:196
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — mem0-ts/src/oss/src/vector_stores/supabase.ts:201
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — openclaw/cli/commands.ts:221
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — vercel-ai-sdk/teardown.ts:4
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `save_project_mapping` (body is just `pass`/`return`) — mem0-plugin/scripts/_identity.py:103
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph api Wiring conf 1.00 Unused endpoint: ANY /{client_name}/http/{user_id}
`openmemory/api/app/mcp_server.py` declares `ANY /{client_name}/http/{user_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /
`openmemory/api/app/routers/memories.py` declares `DELETE /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /memories
`server/main.py` declares `DELETE /memories` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /memories/{memory_id}
`server/main.py` declares `DELETE /memories/{memory_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /{key_id}
`server/routers/api_keys.py` declares `DELETE /{key_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`openmemory/api/app/routers/memories.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /categories
`openmemory/api/app/routers/memories.py` declares `GET /categories` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /configure
`server/main.py` declares `GET /configure` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /configure/providers
`server/main.py` declares `GET /configure/providers` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /me
`server/routers/auth.py` declares `GET /me` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /mem0/embedder
`openmemory/api/app/routers/config.py` declares `GET /mem0/embedder` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /mem0/llm
`openmemory/api/app/routers/config.py` declares `GET /mem0/llm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /mem0/vector_store
`openmemory/api/app/routers/config.py` declares `GET /mem0/vector_store` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /memories
`server/main.py` declares `GET /memories` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /memories/{memory_id}
`server/main.py` declares `GET /memories/{memory_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /memories/{memory_id}/history
`server/main.py` declares `GET /memories/{memory_id}/history` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /openmemory
`openmemory/api/app/routers/config.py` declares `GET /openmemory` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /setup-status
`server/routers/auth.py` declares `GET /setup-status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{app_id}
`openmemory/api/app/routers/apps.py` declares `GET /{app_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{app_id}/accessed
`openmemory/api/app/routers/apps.py` declares `GET /{app_id}/accessed` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{app_id}/memories
`openmemory/api/app/routers/apps.py` declares `GET /{app_id}/memories` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{client_name}/sse/{user_id}
`openmemory/api/app/mcp_server.py` declares `GET /{client_name}/sse/{user_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{memory_id}
`openmemory/api/app/routers/memories.py` declares `GET /{memory_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{memory_id}/access-log
`openmemory/api/app/routers/memories.py` declares `GET /{memory_id}/access-log` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /{memory_id}/related
`openmemory/api/app/routers/memories.py` declares `GET /{memory_id}/related` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PATCH /
`openmemory/api/app/routers/config.py` declares `PATCH /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /
`openmemory/api/app/routers/memories.py` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /actions/archive
`openmemory/api/app/routers/memories.py` declares `POST /actions/archive` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /actions/pause
`openmemory/api/app/routers/memories.py` declares `POST /actions/pause` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /configure
`server/main.py` declares `POST /configure` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /export
`openmemory/api/app/routers/backup.py` declares `POST /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /filter
`openmemory/api/app/routers/memories.py` declares `POST /filter` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /generate-instructions
`server/main.py` declares `POST /generate-instructions` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /import
`openmemory/api/app/routers/backup.py` declares `POST /import` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`server/routers/auth.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /memories
`server/main.py` declares `POST /memories` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /messages/
`openmemory/api/app/mcp_server.py` declares `POST /messages/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /refresh
`server/routers/auth.py` declares `POST /refresh` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /register
`server/routers/auth.py` declares `POST /register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /reset
`openmemory/api/app/routers/config.py` declares `POST /reset` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /search
`server/main.py` declares `POST /search` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /{client_name}/sse/{user_id}/messages/
`openmemory/api/app/mcp_server.py` declares `POST /{client_name}/sse/{user_id}/messages/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /
`openmemory/api/app/routers/config.py` declares `PUT /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /mem0/embedder
`openmemory/api/app/routers/config.py` declares `PUT /mem0/embedder` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /mem0/llm
`openmemory/api/app/routers/config.py` declares `PUT /mem0/llm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /mem0/vector_store
`openmemory/api/app/routers/config.py` declares `PUT /mem0/vector_store` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /memories/{memory_id}
`server/main.py` declares `PUT /memories/{memory_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /openmemory
`openmemory/api/app/routers/config.py` declares `PUT /openmemory` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /{app_id}
`openmemory/api/app/routers/apps.py` declares `PUT /{app_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /{memory_id}
`openmemory/api/app/routers/memories.py` declares `PUT /{memory_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: cli/python/tests/test_commands.py (1382 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mem0-ts/src/oss/src/memory/index.ts (1708 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mem0-ts/src/oss/src/prompts/index.ts (1042 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mem0/client/main.py (1797 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mem0/configs/prompts.py (1062 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mem0/memory/main.py (3222 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openclaw/cli/commands.ts (1872 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: openclaw/tests/cli-commands.test.ts (1754 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/vector_stores/test_pgvector.py (2410 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/ca6b0b99-4c4e-4439-b664-2839dc2344fa/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/ca6b0b99-4c4e-4439-b664-2839dc2344fa/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.