Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
153 of your 364 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.48s · analysis 46.21s · 17.6 MB · GitHub API rate-limit (preflight)

ucsandman/DashClaw

https://github.com/ucsandman/DashClaw · scanned 2026-06-05 16:58 UTC (4 days, 23 hours ago) · 10 languages

1158 raw signals (336 security + 822 graph) 24th percentile · Javascript · large (100-500K LoC) System graph score 77 (lower by 12)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 23 hours ago · v2 · 521 actionable findings from 2 signal sources. 226 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
63.3
/100
Security checks
50
152 findings
System graph
77
100.0% cov · 369 findings
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 0.0 0.25 0.00
testing_score 90.0 0.20 18.00
documentation_score 96.8 0.15 14.52
practices_score 100.0 0.15 15.00
code_quality 46.0 0.10 4.60
Overall 1.00 64.9
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 6 High 60 Medium 76 Low 155 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 152 System graph 369 Crowd 0 Layer: Quality 256 Security 47 Software 99 Cicd 11 Api 1 Frontend 105 Hardware 2
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Ranks in the 19th percentile among medium-sized repos. Strongest structure (69), documentation (68); weakest practices (32), security (40). 152 findings (24 critical, 56 high). Most common pattern: js-console-log-prod. ~141h tech debt (rating C).

Showing 281 of 521 actionable findings. 747 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks cicd CI/CD security conf 0.96 2 occurrences Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
lines 1, 18
docker-compose.yml:1, 18 (2 hits)
CI/CD securitycontainers
critical Security checks security secrets conf 0.95 20 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
10 files, 20 locations
__tests__/unit/mcp-client.test.js:15, 47, 87, 122 (4 hits)
__tests__/unit/hosted/check-hosted-ready.test.mjs:20, 30, 40 (3 hits)
docs/superpowers/plans/2026-04-09-dashclaw-mcp-server.md:77, 109, 149 (3 hits)
sdk-python/tests/test_sdk_v2_surface.py:563, 564, 633 (3 hits)
docs/superpowers/plans/2026-04-18-hosted-stack-picker-ui.md:65, 405 (2 hits)
__tests__/unit/action-detail.route.test.js:155
__tests__/unit/connect-complete-discord-alert.test.js:89
__tests__/unit/middleware-page-gating.test.js:34
critical Security checks security secrets conf 0.95 5 occurrences Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
5 files, 5 locations
docs/superpowers/plans/2026-04-06-capability-invoke-research.md:916
docs/telegram-setup.md:67
scripts/generate-agent-keys.mjs:41
scripts/seed-research-capability.js:120
scripts/seed-research-capability.mjs:127
critical Security checks security secrets conf 0.95 5 occurrences Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
Gitleaks detected a committed secret or credential pattern.
3 files, 5 locations
__tests__/unit/claude-code/claudemd.test.js:21, 117 (2 hits)
__tests__/unit/claude-code/optimal-files.test.js:84, 397 (2 hits)
__tests__/unit/security-scanner.test.js:45
critical Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Hardcoded Discord webhook URL in source
File contains a hardcoded `Discord` webhook URL: `https://discord.com/api/webhooks/1/abc...`. Webhook URLs are unauthenticated POST endpoints — anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars …
3 files, 3 locations
__tests__/unit/connect-complete-discord-alert.test.js:49
__tests__/unit/ssrf-validation.test.js:87
app/lib/demoWebhooksData.js:13
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
livingcode/immune/verdict.py:16
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 73, 74
.github/workflows/ci.yml:73, 74 (2 hits)
CI/CD securityworkflow secretsGitHub Actions
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /_archive/routing/agents/:agentId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /_archive/routing/agents/:agentId/route.
app/api/_archive/routing/agents/[agentId]/route.js:65
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /_archive/routing/tasks/:taskId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /_archive/routing/tasks/:taskId/route.
app/api/_archive/routing/tasks/[taskId]/route.js:8
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/context/threads/:threadId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/context/threads/:threadId/route.
app/api/_archive/context/threads/[threadId]/route.js:8
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/routing/agents/:agentId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/routing/agents/:agentId/route.
app/api/_archive/routing/agents/[agentId]/route.js:12
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/routing/tasks/:taskId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/routing/tasks/:taskId/route.
app/api/_archive/routing/tasks/[taskId]/route.js:30
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/snippets/:snippetId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /_archive/snippets/:snippetId/route.
app/api/_archive/snippets/[snippetId]/route.js:9
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /_archive/context/threads/:threadId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /_archive/context/threads/:threadId/route.
app/api/_archive/context/threads/[threadId]/route.js:33
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /_archive/routing/agents/:agentId/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /_archive/routing/agents/:agentId/route.
app/api/_archive/routing/agents/[agentId]/route.js:34
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /_archive/routing/tasks/:taskId/complete/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /_archive/routing/tasks/:taskId/complete/route.
app/api/_archive/routing/tasks/[taskId]/complete/route.js:14
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /_archive/snippets/:snippetId/use/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /_archive/snippets/:snippetId/use/route.
app/api/_archive/snippets/[snippetId]/use/route.js:8
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
public/sw.js:74
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._request` used but never assigned in __init__
Method `_report_recommendation_event` of class `DashClaw` reads `self._request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 158, 168, 191, 211, 215, 217, 237, 255, +16 more
sdk-python/dashclaw/client.py:158, 168, 191, 211, 215, 217, 237, 255, +16 more (25 hits)
high Security checks cicd CI/CD security conf 0.84 Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
docker-compose.yml:18 CI/CD securitycontainers
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences Dockerfile FROM `node:20-alpine` not pinned by digest
`FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 2, 14, 30
Dockerfile:2, 14, 30 (3 hits)
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 15 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `anthropics/claude-code-action` pinned to mutable ref `@v1` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 15 locations
.github/workflows/codeql.yml:32, 37, 40 (6 hits)
.github/workflows/demo-image.yml:27, 30, 33, 41, 49 (5 hits)
.github/workflows/claude.yml:35 (2 hits)
.github/workflows/refresh-model-pricing.yml:73 (2 hits)
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 23 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
6 files, 23 locations
.github/workflows/ci.yml:14, 17, 23, 103, 106 (8 hits)
.github/workflows/sdk-live.yml:22, 25, 46, 49 (6 hits)
.github/workflows/refresh-model-pricing.yml:34, 37 (4 hits)
.github/workflows/claude.yml:29 (2 hits)
.github/workflows/codeql.yml:27 (2 hits)
.github/workflows/demo-image.yml:24
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences package.json dep `dashclaw` pulled from URL/Git
`dependencies.dashclaw` = `file:../../sdk` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
5 files, 5 locations
examples/anthropic-governed-agent/package.json:1
examples/claude-code-review-agent/package.json:1
examples/governed-chat-harness/package.json:1
examples/openai-agents-governed/package.json:1
examples/openai-deploy-pipeline/package.json:1
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_capability
Test function `test_capability` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
sdk-python/dashclaw/client.py:1980
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_policies
Test function `test_policies` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
sdk-python/dashclaw/client.py:1197
high Security checks quality Quality conf 1.00 ✓ Repobility Phantom test coverage: test_webhook
Test function `test_webhook` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
sdk-python/dashclaw/client.py:1189
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
app/workflows/components/WorkflowAiDraftPanel.jsx:89
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
app/login/LocalPasswordForm.js:56
high Security checks software dependencies conf 0.90 ✓ Repobility Workflow container/services image `postgres:16` unpinned
`container/services image: postgres:16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/ci.yml:81
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 17.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 17.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /actions/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /actions/route.
app/api/actions/route.js:382
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /policies/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /policies/route.
app/api/policies/route.js:179
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /webhooks/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /webhooks/route.
app/api/webhooks/route.js:98
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /identities/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /identities/route.
app/api/identities/route.js:40
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /pairings/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /pairings/route.
app/api/pairings/route.js:52
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PATCH /policies/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PATCH /policies/route.
app/api/policies/route.js:96
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /identities/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /identities/route.
app/api/identities/route.js:13
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /keys/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /keys/route.
app/api/keys/route.js:56
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /policies/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /policies/route.
app/api/policies/route.js:51
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /webhooks/route.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /webhooks/route.
app/api/webhooks/route.js:45
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /actions/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /actions/route.
app/api/actions/route.js:37
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /artifacts/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /artifacts/route.
app/api/artifacts/route.js:9
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /guard/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /guard/route.
app/api/guard/route.js:228
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /model-strategies/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /model-strategies/route.
app/api/model-strategies/route.js:13
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /policies/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /policies/route.
app/api/policies/route.js:16
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /webhooks/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /webhooks/route.
app/api/webhooks/route.js:18
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /actions/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /actions/route.
app/api/actions/route.js:76
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /artifacts/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /artifacts/route.
app/api/artifacts/route.js:31
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /guard/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /guard/route.
app/api/guard/route.js:51
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /model-strategies/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /model-strategies/route.
app/api/model-strategies/route.js:24
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
.hermes/hooks/dashclaw_common.py:58
.hermes/hooks/dashclaw_postllm_hermes.py:48
hooks/dashclaw_agent_intel/mcp_monitor.py:147
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
app/api/actions/[actionId]/route.js:203
app/api/approvals/[actionId]/route.js:94
app/api/stream/route.js:148
low Security checks security Deserialization conf 1.00 3 occurrences [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
3 files, 3 locations
app/api/policies/import/route.js:54
app/api/policies/templates/route.js:21
scripts/seed-claude-code-starter.mjs:25
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
app/components/ui/Skeleton.jsx:20
low Security checks quality Quality conf 1.00 3 occurrences [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
3 files, 3 locations
hooks/dashclaw_code_session_reporter.py:113
hooks/dashclaw_posttool.py:196
plugins/dashclaw/hooks/dashclaw_code_session_reporter.py:113
low Security checks quality Error handling conf 0.55 ✓ Repobility 24 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
8 files, 24 locations
hooks/dashclaw_stop.py:142, 160, 195, 197, 455 (5 hits)
livingcode/sensing.py:59, 67, 75, 83, 91 (5 hits)
hooks/dashclaw_code_session_reporter.py:79, 115, 121, 138 (4 hits)
hooks/dashclaw_pretool.py:160, 692, 744 (3 hits)
sdk-python/dashclaw/client.py:78, 169, 186 (3 hits)
scripts/test-sdk-live-python.py:474, 499 (2 hits)
examples/first-governed-action.py:43
hooks/dashclaw_posttool.py:199
Error handlingquality
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yml:18 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:17 CI/CD securitycontainers
high Security checks quality Quality conf 0.74 15 occurrences Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
6 files, 15 locations
app/actions/[actionId]/page.js:57, 70, 135, 153, 173, 190 (6 hits)
app/activity/page.jsx:86, 87, 89 (3 hits)
app/agents/[agentId]/components/AgentPoliciesSection.jsx:42, 55 (2 hits)
app/agents/registry/components/CapabilitiesCard.jsx:25, 46 (2 hits)
app/agents/[agentId]/components/AgentDecisionTable.jsx:60
app/agents/page.js:38
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
packages/openclaw-plugin/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
packages/openclaw-plugin/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
packages/openclaw-plugin/package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
packages/openclaw-plugin/package-lock.json
medium Security checks software dependencies conf 0.90 npm package `redis` is 2 major version(s) behind (4.7.1 -> 6.0.0)
`redis` is pinned/resolved at 4.7.1 but the latest stable release on the npm registry is 6.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.90 2 occurrences Python package `dashclaw` is 2 major version(s) behind (2.6.0 -> 4.1.1)
`dashclaw==2.6.0` is 2 major version(s) behind the latest stable release on PyPI (4.1.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
2 files, 2 locations
examples/crewai-governed/requirements.txt:2
examples/langgraph-governed/requirements.txt:3
medium Security checks software dependencies conf 0.88 2 occurrences python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
2 files, 2 locations
examples/managed-agent-governed/requirements.txt
examples/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-9hjg-9r4m-mvj7
Requests vulnerable to .netrc credentials leak via malicious URLs
examples/managed-agent-governed/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-9wx4-h78v-vm56
Requests `Session` object does not verify requests after making first request with verify=False
examples/managed-agent-governed/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
examples/managed-agent-governed/requirements.txt
medium Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences requirements.txt: `dashclaw` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
3 files, 4 locations
examples/autogen-governed/requirements.txt:1, 3 (2 hits)
examples/crewai-governed/requirements.txt:3
examples/langgraph-governed/requirements.txt:4
medium Security checks quality Quality conf 0.72 Service worker is present without a web app manifest
A service worker without a manifest often means the PWA install surface is incomplete or inconsistent across devices.
manifest.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — __tests__/integration/hosted/end-to-end.test.js:41
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — __tests__/unit/connect-complete-discord-alert.test.js:42
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — __tests__/unit/workflow-step-form-model.test.js:271
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/agents/[agentId]/components/AgentDecisionTable.jsx:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/agents/[agentId]/page.js:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/agents/registry/page.jsx:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/api/workflows/draft/route.js:130
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/assumptions/page.js:44
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/audit-log/page.js:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/capabilities/page.jsx:36
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/compliance/page.jsx:100
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/components/ActivityTimeline.js:192
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/components/ArtifactsTab.jsx:145
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/components/SwarmActivityLog.js:98
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/components/UserMenu.js:79
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/decisions/page.js:109
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/docs/page.js:1281
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/drift/page.js:93
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/evaluations/page.js:105
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/integrations/page.js:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/learning/analytics/page.js:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/learning/page.js:71
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/actionAlerts.js:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/capability-invoke.js:90
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/jwks-verifier.js:20
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/llm.js:153
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/notification-adapters/discord.js:106
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/notification-adapters/email.js:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/notification-adapters/github.js:17
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/notification-adapters/linear.js:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/notification-adapters/slack.js:38
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/url-safety.js:92
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/lib/webhooks.js:148
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/messages/_components/ThreadConversation.jsx:75
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/messages/page.js:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/mission-control/components/OperationsFeed.jsx:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/mission-control/page.js:147
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/policies/components/ActivityTab.jsx:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/policies/components/CustomTab.jsx:301
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/policies/components/ShieldConfig.jsx:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/policies/components/ShieldsGrid.jsx:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/scoring/page.jsx:109
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/security/page.js:102
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/settings/components/GovernancePanel.jsx:90
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — app/webhooks/page.js:217
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cli/lib/api.js:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — examples/governed-chat-harness/tools.js:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — mcp-server/lib/tools.js:601
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — sdk/dashclaw.js:87
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — sdk/legacy/dashclaw-v1.js:150
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — __tests__/unit/workflow-detail.page.test.jsx:197
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Fq rfnode no dims
medium System graph frontend Frontend quality conf 1.00 Custom React Flow node registered without explicit width/height — __tests__/unit/workflow-step-form-model.test.js:125
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
Fq rfnode no dims
medium System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/claude.yml
.github/workflows/demo-image.yml
.github/workflows/refresh-model-pricing.yml
CI/CD securitySupply chainGithub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — livingcode/__main__.py:141
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/test-sdk-agent.py:216
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — sdk-python/dashclaw/client.py:1119
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.68 App service does not wait for database health
depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently.
docker-compose.yml:1 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:1 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 24 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 14 locations
__tests__/unit/workflows.page.test.jsx:6, 9 (2 hits)
app/api/cron/outcome-sweep/route.js:13, 41 (2 hits)
__tests__/unit/capability-detail.page.test.jsx:32
__tests__/unit/compliance-page.test.jsx:1
__tests__/unit/model-strategies-detail.page.test.jsx:10
__tests__/unit/model-strategies-new.page.test.jsx:1
__tests__/unit/reputation-page.test.jsx:4
__tests__/unit/workflow-new.page.test.jsx:10
duplicationquality
low Security checks quality Quality conf 0.68 Multiple AI-agent scaffold marker files are present
Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready.
.github/copilot-instructions.md:1
low Security checks software dependencies conf 0.90 3 occurrences npm package `@anthropic-ai/sdk` is minor version(s) behind (0.93.0 -> 0.100.1)
`@anthropic-ai/sdk` is pinned/resolved at 0.93.0 but the latest stable release on the npm registry is 0.100.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
3 files, 3 locations
examples/anthropic-governed-agent/package.json
examples/claude-code-review-agent/package.json
examples/governed-chat-harness/package.json
low Security checks software dependencies conf 0.90 npm package `@openai/agents` is minor version(s) behind (^0.7.0 -> 0.11.6)
`@openai/agents` is pinned/resolved at ^0.7.0 but the latest stable release on the npm registry is 0.11.6 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
examples/openai-agents-governed/package.json
low Security checks software dependencies conf 0.90 npm package `@xyflow/react` is minor version(s) behind (12.10.2 -> 12.11.0)
`@xyflow/react` is pinned/resolved at 12.10.2 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 4 occurrences npm package `dashclaw` is minor version(s) behind (4.0.1 -> 4.1.1)
`dashclaw` is pinned/resolved at 4.0.1 but the latest stable release on the npm registry is 4.1.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
4 files, 4 locations
cli/package.json
examples/openai-governed-agent/package.json
package.json
packages/openclaw-plugin/package.json
low Security checks software dependencies conf 0.90 npm package `esbuild` is minor version(s) behind (0.25.12 -> 0.28.0)
`esbuild` is pinned/resolved at 0.25.12 but the latest stable release on the npm registry is 0.28.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `js-yaml` is minor version(s) behind (4.1.1 -> 4.2.0)
`js-yaml` is pinned/resolved at 4.1.1 but the latest stable release on the npm registry is 4.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.90 Python package `crewai` is minor version(s) behind (1.11.0 -> 1.14.6)
`crewai==1.11.0` is minor version(s) behind the latest stable release on PyPI (1.14.6). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
examples/crewai-governed/requirements.txt:1
low Security checks software dependencies conf 0.90 Python package `langchain-core` is minor version(s) behind (1.3.3 -> 1.4.1)
`langchain-core==1.3.3` is minor version(s) behind the latest stable release on PyPI (1.4.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
examples/langgraph-governed/requirements.txt:2
low Security checks software dependencies conf 0.90 Python package `langgraph` is minor version(s) behind (1.1.3 -> 1.2.4)
`langgraph==1.1.3` is minor version(s) behind the latest stable release on PyPI (1.2.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
examples/langgraph-governed/requirements.txt:1
low System graph frontend Frontend quality conf 1.00 "active" state uses light bg in a dark theme — app/components/Sidebar.js:145
A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`. Why: P-E in CHEC…
Fq active light bg
low System graph quality Integrity conf 1.00 119 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `AGENT_ONLINE_WINDOW_MS`, `AGENT_PRIVATE_KEY_JWK`, `ALERT_FROM_EMAIL`, `ALLOWED_ORIGIN`, `API_SECRET`, `BUG04_OUT`, `CI`, `CRON_SECRET` + 111 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 3 occurrences Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 2, 14, 30
Dockerfile:2, 14, 30 (3 hits)
containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/integration/handoff-e2e.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/integration/hosted/end-to-end.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/integration/schema-0007-apply.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/integration/secrets.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/integration/skills-scan.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/act-binding.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/actions-loops.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/behavior-path-match.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/billing-cache.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/canonical-json.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/capabilities-health.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/capability-form-model.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/capability-highlights-state.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/capability-new.page.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/compliance-evidence.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/compliance-frameworks.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/compliance-gaps.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/contracts.runner.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/costs.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/doctor-format.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/gap-to-policy.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/guard-repository-projection.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/guardrails-evaluator.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/integrity-canonicalize.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/integrity-receipt.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/learning-analytics-velocity.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/live-verification-proof.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/mcp-tools.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/missionControl.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/model-strategy-form-model.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/oauth-crypto.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/policies.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/policy-advanced-import-panel.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/policy-generator-drafts.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/predictive-risk.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/provider-registry.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/routing-agents-detail.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/routing-tasks-detail.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/security-scan.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/template-vars.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/validate-non-fabrication.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/video-hero.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/workflow-ai-draft-panel.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/workflow-draft.route.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: __tests__/unit/workflow-run-step-card.test.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: drizzle.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playwright.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: vitest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 20 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: sdk-python/dashclaw/client.py:record_assumption, sdk-python/dashclaw/client.py:record_assumption This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…
20 occurrences
repo-level (20 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `act_9283_dec_signed_v1` in app/components/GuardSimulation.js:281
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `act_test_legacy` in __tests__/unit/capability-health.test.js:157
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `asm_old` in __tests__/unit/assumptions-route.test.js:140
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `cs_old` in __tests__/unit/code-sessions/repository-upsert.test.js:69
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `daysOld` in app/api/assumptions/route.js:47
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `daysOld` in app/lib/demo/demoMiddleware.js:410
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `getCapabilityHealthSummaryLegacy` in app/lib/capability-health.js:49
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `hoursOld` in app/lib/signals.js:212
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `includeLegacy` in app/api/docs/raw/route.js:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `org_old` in __tests__/unit/hosted/workspace-provision.test.js:73
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `ort_old` in __tests__/unit/oauth-token.test.js:101
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sec_old` in __tests__/unit/secrets-page.test.jsx:131
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `showLegacy` in app/components/CopyMarkdownButton.js:16
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `showLegacy` in app/docs/DocsSidebarClient.js:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `showLegacy` in app/docs/page.js:202
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: create_calendar_event
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:857
low System graph software Dead code conf 1.00 Possibly dead Python function: delete_snippet
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:907
low System graph software Dead code conf 1.00 Possibly dead Python function: log_mood
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:923
low System graph software Dead code conf 1.00 Possibly dead Python function: log_observation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:913
low System graph software Dead code conf 1.00 Possibly dead Python function: rebuild_recommendations
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:689
low System graph software Dead code conf 1.00 Possibly dead Python function: record_content
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:750
low System graph software Dead code conf 1.00 Possibly dead Python function: record_idea
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:862
low System graph software Dead code conf 1.00 Possibly dead Python function: record_interaction
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:754
low System graph software Dead code conf 1.00 Possibly dead Python function: record_recommendation_events
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:676
low System graph software Dead code conf 1.00 Possibly dead Python function: report_security_finding
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:964
low System graph software Dead code conf 1.00 Possibly dead Python function: scan_prompt_injection
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:971
low System graph software Dead code conf 1.00 Possibly dead Python function: set_recommendation_active
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:681
low System graph software Dead code conf 1.00 Possibly dead Python function: start_heartbeat
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:502
low System graph software Dead code conf 1.00 Possibly dead Python function: stop_heartbeat
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:521
low System graph software Dead code conf 1.00 Possibly dead Python function: test_policies
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:1197
low System graph software Dead code conf 1.00 Possibly dead Python function: track_approach
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:928
low System graph software Dead code conf 1.00 Possibly dead Python function: use_snippet
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:903
low System graph software Dead code conf 1.00 Possibly dead Python function: validate_assumption
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:609
low System graph software Dead code conf 1.00 Possibly dead Python function: wrap_client
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:791
low System graph software Dead code conf 1.00 Possibly dead Python function: wrapped_create
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
sdk-python/dashclaw/client.py:842
low System graph frontend Frontend quality conf 1.00 React Flow <Controls> without dark theming — app/components/WorkflowEditor.js:372
`<Controls>` ships with white buttons. Override `.react-flow__controls` and `.react-flow__controls-button` in your stylesheet or pass a styled wrapper. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.controls.no-bg
Fq controls no bg
low System graph frontend Frontend quality conf 1.00 React Flow <MiniMap> without dark background — app/components/WorkflowEditor.js:376
A bare <MiniMap> renders with the vendor's white default in dark themes. Wrap the canvas in a class that overrides `.react-flow__minimap` background, or pass an explicit `style`/`maskColor`/`bgColor`. Why: P1 in CHECKLIST.md — vendor defaults bleed light through. Rule id: fq.minimap.no-bg
Fq minimap no bg
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/api/agents/heartbeat/route.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/api/cron/reset-meters/route.js:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/api/webhooks/stripe/route.js:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/docs/page.js:912
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/guides/openai-agents-sdk/page.js:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/lib/connectGuide.js:72
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/lib/connectPrompt.js:67
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/lib/db.js:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — app/lib/llm.js:66
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/lib/config.js:122
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cli/lib/doctor.js:100
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/agent-chat-complete.js:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/anthropic-governed-agent/index.js:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/approval-flow.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/claude-code-review-agent/index.js:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/first-governed-action.js:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/governed-chat-harness/index.js:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/guard-and-act.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/kimi_dashclaw_test.js:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/loop-monitoring.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/openai-agents-governed/index.js:94
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/openai-deploy-pipeline/index.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/openai-governed-agent/index.js:45
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — examples/swarm-research-task.js:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/_archive/fix-db-schema.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/_archive/force-setup.js:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/security-scan.js:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/seed-fixitforme-workflow.js:88
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/seed-research-capability.js:76
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — sdk/legacy/dashclaw-v1.js:511
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: app/actions/[actionId]/page.js (941 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: app/decisions/[actionId]/page.js (1266 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: app/docs/page.js (2894 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: app/lib/demo/fixtures/feature-agents.js (901 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: app/page.js (891 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: middleware.js (1545 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: schema/schema.js (1371 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: sdk-python/dashclaw/client.py (2135 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: sdk/dashclaw.js (1485 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: sdk/legacy/dashclaw-v1.js (2945 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/d3c22f64-81c6-4c3d-aaa5-f34a57f8b76b/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/d3c22f64-81c6-4c3d-aaa5-f34a57f8b76b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.