Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
57 of your 73 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.06s · analysis 1.47s · 28.3 MB · GitHub preflight 409ms

claude-context

https://github.com/zilliztech/claude-context.git · scanned 2026-05-23 03:15 UTC (1 week, 6 days ago) · 10 languages

196 findings (63 legacy + 133 scanner) 11/13 scanners ran 75th percentile · Typescript · small (2-20K LoC) Scanner says 87 (lower by 8)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · 130 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
86.0
/100
Repobility
85
63 legacy
9-layer
87
88.9% cov · 67 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 100.0 0.25 25.00
testing_score 51.0 0.20 10.20
documentation_score 92.0 0.15 13.80
practices_score 84.0 0.15 12.60
code_quality 62.0 0.10 6.20
Overall 1.00 79.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 46 Medium 8 Low 60 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 63 9-layer 67 Crowd 0 Layer: Quality 68 Software 22 Security 2 Api 1 Frontend 31 Cicd 6
Scan summary Repository scanned at 87.4/100 with 88.9% coverage. It contains 409 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 67 findings — concentrated in frontend (31), software (15), quality (13). Risk profile is high: 0 critical, 4 high, 6 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 113 of 130 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
evaluation/servers/read_server.py:256 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._create_wrapper_script` used but never assigned in __init__: Method `call_method` of class `TypeScriptExecutor` reads `self._create_wrapper_script`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._create_wrapper_script = <default>` in __init__, or add a class-level default.
python/ts_executor.py:51 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._filter_existing_instances` used but never assigned in __init__: Method `_prepare_instances` of class `BaseRetrieval` reads `self._filter_existing_instances`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._filter_existing_instances = <default>` in __init__, or add a class-level default.
evaluation/retrieval/base.py:99 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._load_tools_from_sessions = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:164 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._load_tools_from_sessions = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:150 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._load_tools_from_sessions = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:181 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._load_tools_from_sessions = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:135 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_build_index` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_build_index = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:344 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_build_index` used but never assigned in __init__: Method `build_index` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_build_index = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:247 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `CustomRetrieval` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_run = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:326 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `Evaluator` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_run = <default>` in __init__, or add a class-level default.
evaluation/client.py:62 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_search` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_search = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:352 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_search` used but never assigned in __init__: Method `search` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_search = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:291 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.build_index` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.build_index`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.build_index = <default>` in __init__, or add a class-level default.
evaluation/retrieval/base.py:194 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.instances` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.instances`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.instances = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:329 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_build_index` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.mcp_sessions_context = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:254 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.mcp_sessions_context = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:294 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.output_dir` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.output_dir`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.output_dir = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:336 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.output_file = <default>` in __init__, or add a class-level default.
evaluation/retrieval/base.py:204 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.output_file = <default>` in __init__, or add a class-level default.
evaluation/retrieval/base.py:201 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.prompt` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.prompt = <default>` in __init__, or add a class-level default.
evaluation/retrieval/custom.py:297 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.search` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.search`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.search = <default>` in __init__, or add a class-level default.
evaluation/retrieval/base.py:197 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
evaluation/retrieval/custom.py:286 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
evaluation/retrieval/custom.py:276 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
evaluation/retrieval/custom.py:278 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `async_search`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
evaluation/retrieval/custom.py:316 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:15 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:23 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:28 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:18 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:23 dependencylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/mcp/scripts/path-resolution-e2e.mjs:71 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
scripts/build-benchmark.js:19 qualitylegacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
packages/mcp/src/utils.ts:23 path_traversallegacy
high 9-layer quality integrity conf 1.00 Blocking `time.sleep(...)` inside `async def async_build_index` — evaluation/retrieval/custom.py:276
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
evaluation/retrieval/custom.py:276 integritysync-io-in-asyncperformance
high 9-layer quality integrity conf 1.00 Blocking `time.sleep(...)` inside `async def async_build_index` — evaluation/retrieval/custom.py:278
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
evaluation/retrieval/custom.py:278 integritysync-io-in-asyncperformance
high 9-layer quality integrity conf 1.00 Blocking `time.sleep(...)` inside `async def async_build_index` — evaluation/retrieval/custom.py:286
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
evaluation/retrieval/custom.py:286 integritysync-io-in-asyncperformance
high 9-layer quality integrity conf 1.00 Blocking `time.sleep(...)` inside `async def async_search` — evaluation/retrieval/custom.py:316
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
evaluation/retrieval/custom.py:316 integritysync-io-in-asyncperformance
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `main` (list): `def main(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def main(x=None): x = x or []`
evaluation/run_evaluation.py:14 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/utils/format.py:191 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/servers/read_server.py:266 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/servers/read_server.py:181 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/servers/read_server.py:132 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/servers/grep_server.py:211 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
evaluation/analyze_and_plot_mcp_efficiency.py:102 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
python/ts_executor.py:302 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
evaluation/retrieval/base.py:176 qualitylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/chrome-extension/src/background.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:23 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:18 supply-chaingithub-actionspinned-dependencies
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — evaluation/servers/grep_server.py:172
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — python/ts_executor.py:65
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/vscode-extension/src/commands/syncCommand.ts:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/core/src/vectordb/milvus-vectordb.ts:41 qualitylegacy
low 9-layer quality integrity conf 1.00 8 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `ANTHROPIC_API_KEY`, `GITHUB_TOKEN`, `HOME`, `HYBRID_MODE`, `MILVUS_COLLECTION_LIMIT_CHECK_TIMEOUT_MS`, `MOONSHOT_API_KEY`, `NODE_ENV`, `USERPROFILE`. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
integrityconfig-drift
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: .eslintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: evaluation/utils/constant.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/chrome-extension/src/vm-stub.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/chrome-extension/webpack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/core/src/embedding/gemini-embedding.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/core/src/embedding/voyageai-embedding.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/core/src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/core/src/vectordb/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/vscode-extension/copy-assets.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/vscode-extension/webpack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:20 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:28 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:15 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:23 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `daysOld` in packages/chrome-extension/src/storage/indexedRepoManager.ts:105
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality tests conf 1.00 Low test-to-source ratio
9 tests / 70 src (ratio 0.13).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: evaluation/retrieval/base.py:run, evaluation/retrieval/custom.py:async_run This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: extract_final_answer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/utils/format.py:6 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: list_files
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/utils/file_management.py:53 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: parse_retrieval_types
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/run_evaluation.py:52 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: print_conversation_summary
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/utils/format.py:443 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: print_token_usage
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evaluation/utils/format.py:325 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — examples/basic-usage/index.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/chrome-extension/src/background.ts:304
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/chrome-extension/src/content.ts:135
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts:63
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/chrome-extension/src/options.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/chrome-extension/src/stubs/milvus-vectordb-stub.ts:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/context.ts:168
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/embedding/ollama-embedding.ts:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/splitter/ast-splitter.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/sync/synchronizer.ts:228
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/utils/env-manager.ts:68
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/vectordb/milvus-restful-vectordb.ts:86
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/vectordb/milvus-vectordb.ts:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/core/src/vectordb/zilliz-utils.ts:300
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/config.ts:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/embedding.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/handlers.ts:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/index.ts:56
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/snapshot.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/sync.ts:105
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/mcp/src/utils.ts:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/copy-assets.js:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/src/commands/searchCommand.ts:96
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/src/commands/syncCommand.ts:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/src/extension.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/src/stubs/ast-splitter-stub.js:85
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/vscode-extension/src/webview/semanticSearchProvider.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — python/test_context.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — scripts/build-benchmark.js:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: packages/core/src/context.ts (1455 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: packages/mcp/src/handlers.ts (1107 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts:230 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/basic-usage/index.ts:108 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
evaluation/analyze_and_plot_mcp_efficiency.py:128 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/cbb5eee9-ffe7-42d1-9777-2906446514a2/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/cbb5eee9-ffe7-42d1-9777-2906446514a2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.