Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
80 of your 166 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.38s · analysis 10.9s · 1.4 MB · GitHub API rate-limit (preflight)

modelcontextprotocol/servers

https://github.com/modelcontextprotocol/servers · scanned 2026-06-05 07:07 UTC (5 days, 23 hours ago) · 10 languages

329 raw signals (159 security + 170 graph) 64th percentile · Typescript · small (2-20K LoC) System graph score 69 (higher by 5)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 23 hours ago · v2 · 135 actionable findings from 2 signal sources. 109 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
68.6
/100
Security checks
68
86 findings
System graph
69
88.9% cov · 49 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 30.0 0.25 7.50
testing_score 95.0 0.20 19.00
documentation_score 90.0 0.15 13.50
practices_score 77.0 0.15 11.55
code_quality 74.1 0.10 7.41
Overall 1.00 74.0
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 15 Medium 31 Low 44 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 86 System graph 49 Crowd 0 Layer: Software 54 Cicd 8 Quality 49 Frontend 6 Hardware 12 Security 1 Api 5
Scan summary Quality grade B (74/100). Dimensions: security 30, maintainability 100. 159 findings (84 security). 14,401 lines analyzed.

Showing 91 of 135 actionable findings. 244 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks software dependencies conf 0.88 vitest: GHSA-5xrq-8626-4rwp
When Vitest UI server is listening, arbitrary file can be read and executed
package-lock.json
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/typescript.yml:102 CI/CD securityworkflow secretsGitHub Actions
high Security checks software Prototype pollution conf 1.00 [SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie).
Sanitize keys BEFORE merge: function sanitize(obj) { delete obj.__proto__; delete obj.constructor; delete obj.prototype; return obj; } Or use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation.
src/sequentialthinking/lib.ts:64
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences `self.fail` used but never assigned in __init__
Method `convert` of class `GitHashParamType` reads `self.fail`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 35, 38, 46
scripts/release.py:35, 38, 46 (3 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 14 occurrences Dockerfile FROM `node:22.12-alpine` not pinned by digest
`FROM node:22.12-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
7 files, 14 locations
src/everything/Dockerfile:1, 9 (2 hits)
src/fetch/Dockerfile:2, 24 (2 hits)
src/filesystem/Dockerfile:1, 11 (2 hits)
src/git/Dockerfile:2, 24 (2 hits)
src/memory/Dockerfile:1, 11 (2 hits)
src/sequentialthinking/Dockerfile:1, 11 (2 hits)
src/time/Dockerfile:2, 24 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /mcp has no auth
Express route DELETE /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/everything/transports/streamableHttp.ts:165
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /mcp has no auth
Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/everything/transports/streamableHttp.ts:60
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /message has no auth
Express route POST /message declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
src/everything/transports/sse.ts:59
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 30 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
5 files, 30 locations
.github/workflows/release.yml:18, 46, 77, 121, 129, 161, 164, 207, +1 more (12 hits)
.github/workflows/typescript.yml:17, 33, 34, 56, 57, 87, 88 (7 hits)
.github/workflows/python.yml:17, 40, 77, 94, 115 (5 hits)
.github/workflows/readme-pr-check.yml:20, 66 (4 hits)
.github/workflows/claude.yml:29 (2 hits)
CI/CD securitySupply chainGitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 13 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `anthropics/claude-code-action` pinned to mutable ref `@v1` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 13 locations
.github/workflows/release.yml:30, 82, 126, 146 (8 hits)
.github/workflows/python.yml:37, 74, 121 (3 hits)
.github/workflows/claude.yml:35 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.88 gitpython: GHSA-mv93-w799-cj2w
GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
src/git/uv.lock
high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-175
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no docu…
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-177
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited out…
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b…
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
high Security checks software dependencies conf 0.88 3 occurrences pyjwt: PYSEC-2026-179
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secre…
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
high Security checks software dependencies conf 0.88 3 occurrences starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
src/fetch/uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-142
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dr…
src/fetch/uv.lock
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 7 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
7 files, 7 locations
src/everything/Dockerfile:10
src/fetch/Dockerfile:25
src/filesystem/Dockerfile:13
src/git/Dockerfile:25
src/memory/Dockerfile:12
src/sequentialthinking/Dockerfile:12
src/time/Dockerfile:25
CI/CD securitycontainers
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-2gcr-mfcq-wcc3
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-3hrh-pfw6-9m5x
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-f577-qrjj-4474
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
package-lock.json
medium Security checks software dependencies conf 0.88 hono: GHSA-xrhx-7g5j-rcj5
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
package-lock.json
medium Security checks software dependencies conf 0.88 3 occurrences idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
3 files, 3 locations
src/fetch/uv.lock
src/git/uv.lock
src/time/uv.lock
medium Security checks software dependencies conf 0.88 mcp-server-git: GHSA-5cgr-j3jf-jw3v
mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations
src/git/uv.lock
medium Security checks software dependencies conf 0.88 mcp-server-git: GHSA-9xwc-hfwc-8w59
mcp-server-git argument injection in git_diff and git_checkout functions allows overwriting local files
src/git/uv.lock
medium Security checks software dependencies conf 0.88 mcp-server-git: GHSA-j22h-9j4x-23w5
mcp-server-git has missing path validation when using --repository flag
src/git/uv.lock
medium Security checks software dependencies conf 0.88 mcp-server-git: GHSA-vjqx-cfc4-9h6v
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries
src/git/uv.lock
medium Security checks software dependencies conf 0.90 npm package `@types/diff` is 3 major version(s) behind (5.2.3 -> 8.0.0)
`@types/diff` is pinned/resolved at 5.2.3 but the latest stable release on the npm registry is 8.0.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/filesystem/package.json
medium Security checks software dependencies conf 0.90 npm package `@types/minimatch` is 1 major version(s) behind (5.1.2 -> 6.0.0)
`@types/minimatch` is pinned/resolved at 5.1.2 but the latest stable release on the npm registry is 6.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/filesystem/package.json
medium Security checks software dependencies conf 0.90 4 occurrences npm package `@vitest/coverage-v8` is 2 major version(s) behind (2.1.9 -> 4.1.8)
`@vitest/coverage-v8` is pinned/resolved at 2.1.9 but the latest stable release on the npm registry is 4.1.8 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
4 files, 4 locations
src/everything/package.json
src/filesystem/package.json
src/memory/package.json
src/sequentialthinking/package.json
medium Security checks software dependencies conf 0.90 npm package `diff` is 1 major version(s) behind (8.0.3 -> 9.0.0)
`diff` is pinned/resolved at 8.0.3 but the latest stable release on the npm registry is 9.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/filesystem/package.json
medium Security checks software dependencies conf 0.90 npm package `glob` is 3 major version(s) behind (10.5.0 -> 13.0.6)
`glob` is pinned/resolved at 10.5.0 but the latest stable release on the npm registry is 13.0.6 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/filesystem/package.json
medium Security checks software dependencies conf 0.90 npm package `minimatch` is 1 major version(s) behind (9.0.9 -> 10.2.5)
`minimatch` is pinned/resolved at 9.0.9 but the latest stable release on the npm registry is 10.2.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/filesystem/package.json
medium Security checks software dependencies conf 0.90 npm package `prettier` is 1 major version(s) behind (2.8.8 -> 3.8.3)
`prettier` is pinned/resolved at 2.8.8 but the latest stable release on the npm registry is 3.8.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/everything/package.json
medium Security checks software dependencies conf 0.90 npm package `yargs` is 1 major version(s) behind (17.7.2 -> 18.0.0)
`yargs` is pinned/resolved at 17.7.2 but the latest stable release on the npm registry is 18.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/sequentialthinking/package.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
package-lock.json
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/everything/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/fetch/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/filesystem/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/git/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/memory/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/sequentialthinking/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: src/time/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/claude.yml
.github/workflows/python.yml
.github/workflows/release.yml
.github/workflows/typescript.yml
CI/CD securitySupply chainGithub actions
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks cicd CI/CD security conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
src/git/Dockerfile:27 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 6 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 6 locations
src/everything/tools/get-resource-reference.ts:38
src/everything/tools/trigger-sampling-request-async.ts:110
src/everything/tools/trigger-sampling-request.ts:41
src/filesystem/vitest.config.ts:1
src/memory/vitest.config.ts:1
src/sequentialthinking/vitest.config.ts:1
duplicationquality
low Security checks software dependencies conf 0.90 npm package `chalk` is minor version(s) behind (5.3.0 -> 5.6.2)
`chalk` is pinned/resolved at 5.3.0 but the latest stable release on the npm registry is 5.6.2 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/sequentialthinking/package.json
low Security checks software dependencies conf 0.90 4 occurrences npm package `shx` is minor version(s) behind (0.3.4 -> 0.4.0)
`shx` is pinned/resolved at 0.3.4 but the latest stable release on the npm registry is 0.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
4 files, 4 locations
src/everything/package.json
src/filesystem/package.json
src/memory/package.json
src/sequentialthinking/package.json
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 3 occurrences Docker base image is tag-pinned but not digest-pinned: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
3 files, 3 locations
src/fetch/Dockerfile:2
src/git/Dockerfile:2
src/time/Dockerfile:2
containersPinned dependencies
low System graph hardware Supply chain conf 1.00 4 occurrences Docker base image is tag-pinned but not digest-pinned: node:22-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
4 files, 4 locations
src/everything/Dockerfile:9
src/filesystem/Dockerfile:11
src/memory/Dockerfile:11
src/sequentialthinking/Dockerfile:11
containersPinned dependencies
low System graph hardware Supply chain conf 1.00 4 occurrences Docker base image is tag-pinned but not digest-pinned: node:22.12-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
4 files, 4 locations
src/everything/Dockerfile:1
src/filesystem/Dockerfile:1
src/memory/Dockerfile:1
src/sequentialthinking/Dockerfile:1
containersPinned dependencies
low System graph hardware Supply chain conf 1.00 3 occurrences Docker base image is tag-pinned but not digest-pinned: python:3.12-slim-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
3 files, 3 locations
src/fetch/Dockerfile:24
src/git/Dockerfile:24
src/time/Dockerfile:24
containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/everything/__tests__/resources.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/everything/__tests__/server.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/everything/transports/sse.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/everything/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/fetch/src/mcp_server_fetch/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/filesystem/__tests__/path-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/filesystem/__tests__/roots-utils.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/filesystem/__tests__/structured-content.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/filesystem/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/git/src/mcp_server_git/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/memory/__tests__/file-path.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/memory/__tests__/knowledge-graph.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/memory/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/sequentialthinking/__tests__/lib.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/sequentialthinking/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/time/src/mcp_server_time/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/git/src/mcp_server_git/server.py:git_diff_unstaged, src/git/src/mcp_server_git/server.py:git_diff This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'…
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scripts/release.py:package_name, scripts/release.py:package_name, scripts/release.py:package_name This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're s…
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `normalizedOld` in src/filesystem/lib.ts:205
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `project_backup` in src/filesystem/__tests__/path-validation.test.ts:66
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph cicd CI/CD security conf 1.00 4 occurrences package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
4 files, 4 locations
src/everything/package.json
src/filesystem/package.json
src/memory/package.json
src/sequentialthinking/package.json
CI/CD securitySupply chainNpm
low System graph software Dead code conf 1.00 Possibly dead Python function: list_repos
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/git/src/mcp_server_git/server.py:443
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/everything/index.ts:30
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/everything/transports/streamableHttp.ts:39
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/filesystem/__tests__/directory-tree.test.ts:66
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/filesystem/__tests__/lib.test.ts:523
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/filesystem/__tests__/path-validation.test.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `cli` (body is just `pass`/`return`) — scripts/release.py:138
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /mcp
`src/everything/transports/streamableHttp.ts` declares `DELETE /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /mcp
`src/everything/transports/streamableHttp.ts` declares `GET /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /sse
`src/everything/transports/sse.ts` declares `GET /sse` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /mcp
`src/everything/transports/streamableHttp.ts` declares `POST /mcp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /message
`src/everything/transports/sse.ts` declares `POST /message` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/e7754425-5240-4ee0-b663-dfac5e327454/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/e7754425-5240-4ee0-b663-dfac5e327454/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.