qingchencloud/clawpanel

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

https://github.com/qingchencloud/clawpanel · scanned 2026-05-15 17:15 UTC (4 weeks ago) · 10 languages

182 raw signals (59 security + 123 graph) 35th percentile · Javascript · medium (20-100K LoC) System graph score 68 (lower by 16)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 weeks ago · v1 · 20 actionable findings from 1 signal source. 26 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 0 findings

Score breakdown â 2026-05-17-v4 calibration-aware

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	41.6	0.25	10.40
`testing_score`	14.0	0.20	2.80
`documentation_score`	83.7	0.15	12.55
`practices_score`	75.0	0.15	11.25
`code_quality`	27.4	0.10	2.74
Overall		1.00	52.5

Calibrated penalty buckets (security_score): web: 3.0 Â· agent: 23.4 Â· docker: 6.5 Â· threat: 4.6 Â· journey: 21.0

Severity distribution — click a segment to filter

Active filters: source: legacy × excluding tests × Reset all

Severity: Critical 0 High 8 Medium 5 Low 6 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 20 System graph 0 Crowd 0 Layer: Quality 11 Software 1 Cicd 4 Security 4

Exclude dismissed / FP Exclude test files

Scan summary Quality grade C- (52/100). Dimensions: security 42, maintainability 85. 59 findings (1 security). 88,826 lines analyzed.

Showing 19 of 20 actionable findings. 46 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks security auth conf 0.88 Token handoff appears to use a callback URL or fragment

A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete.

src/lib/ws-client.js:159

high Security checks cicd CI/CD security conf 0.90 Compose service uses host networking

Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources.

docker-compose.yml:14 CI/CD securitycontainers

high Security checks security auth conf 0.78 Consent is collected in UI without visible backend audit persistence

A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence.

src/lib/error-diagnosis.js:25

high Security checks cicd CI/CD security conf 0.95 Docker final stage runs as root

The final runtime stage explicitly uses root. A compromised app process would have root inside the container.

Dockerfile:84 CI/CD securitycontainers

high Security checks security auth conf 0.83 3 occurrences Secret-like setting is echoed into a password input value

Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.

2 files, 3 locations

src/pages/assistant.js:3797, 4054 (2 hits)

src/pages/gateway.js:168

medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.

Log the error or rethrow it. Use console.error() at minimum.

3 files, 3 locations

public/push-sw.js:62

src/main.js:421

src/router.js:52

medium Security checks quality Quality Average file size is 523 lines (recommend <300)

Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.

low Security checks quality Quality conf 0.60 5 occurrences Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

5 files, 5 locations

src/components/kernel-badge.js:50

src/engines/hermes/pages/oauth.js:14

src/engines/hermes/pages/profiles.js:15

src/pages/dashboard.js:79

src/pages/settings.js:22

duplicationquality

high Security checks quality Quality conf 0.80 8 occurrences localStorage write failures are swallowed silently

localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.

8 files, 8 locations

index.html:375

src/components/ai-drawer.js:208

src/components/cli-conflict-banner.js:55

src/components/sidebar.js:183

src/engines/hermes/lib/chat-store.js:72

src/lib/ciao-bug-warning.js:32

src/lib/i18n.js:71

src/pages/dashboard.js:880

medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy

A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.

index.html

medium Security checks quality Quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt

medium Security checks quality Quality conf 0.78 React interval is created without an explicit cleanup

Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close.

scripts/dev-api.js:9060

high Security checks software dependencies conf 0.70 12 occurrences Remote install command pipes network code directly to a shell

Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.

12 files, 12 locations

CONTRIBUTING.md:462

README.de.md:105

README.en.md:129

README.es.md:105

README.fr.md:105

README.ja.md:105

README.ko.md:105

README.md:202

low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults

.dockerignore exists but does not cover common secret or VCS patterns.

.dockerignore CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user

If the image does not define USER internally, this service may run as root.

docker-compose.yml:14 CI/CD securitycontainers

low Security checks quality Quality conf 0.64 Public docs site has no llms.txt

AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.

llms.txt

low Security checks quality Quality conf 0.50 Public web app has no humans.txt

humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.

humans.txt

low Security checks quality Quality conf 0.74 Public web app has no robots.txt

Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.

robots.txt

low Security checks quality Quality conf 0.72 Public web app has no sitemap

A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.

sitemap.xml

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/efdecec6-e2ef-4fec-829e-1a8beb5bdd4d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/efdecec6-e2ef-4fec-829e-1a8beb5bdd4d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.