81 of the 215 findings came from Repobility's proprietary detections; ✓ Repobility tags below mark them.

Scan timing: clone 5.7s · analysis 16.6s · 7.1 MB · GitHub API rate-limit (preflight)

violettoolssite/CFspider

https://github.com/violettoolssite/CFspider · scanned 2026-06-06 01:12 UTC (3 days, 23 hours ago) · 10 languages

443 raw signals (207 security + 236 graph) · 37th percentile · Python · medium (20-100K LoC) · System graph score 65 (lower by 18)


Complete repo analysis

Last scanned 3 days, 23 hours ago · v2 · 216 actionable findings from 2 signal sources. 108 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 36.0 0.25 9.00
testing_score 15.0 0.20 3.00
documentation_score 81.6 0.15 12.24
practices_score 67.0 0.15 10.05
code_quality 18.8 0.10 1.88
Overall 1.00 47.4
Active filters: excluding tests
Scan summary: Quality grade D+ (47/100). Dimensions: security 36, maintainability 75. 207 findings (99 security). 45,798 lines analyzed.

Showing 188 of 216 actionable findings. 324 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
cfspider/export.py:324
critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
cfspider_obfuscate.js:14
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
x27cn/x27cn/minify.py:270
critical System graph security Secrets conf 1.00 Possible secret in cfspider/workers/vless_workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
cfspider/workers/vless_workers.js:884
critical System graph security Secrets conf 1.00 Possible secret in cfspider/workers/workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
cfspider/workers/workers.js:1246
critical System graph security Secrets conf 1.00 Possible secret in cfspider/workers/破皮版workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
cfspider/workers/破皮版workers.js:1
critical System graph security Secrets conf 1.00 Possible secret in workers/vless_workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
workers/vless_workers.js:884
critical System graph security Secrets conf 1.00 Possible secret in workers/workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
workers/workers.js:1246
critical System graph security Secrets conf 1.00 Possible secret in workers/破皮版workers.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
workers/破皮版workers.js:1
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-2v35-w6hq-6mfw
xmldom: Uncontrolled recursion in XML serialization leads to DoS
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h
xmldom has XML injection through unvalidated DocumentType serialization
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-j759-j44w-7fr8
xmldom has XML node injection through unvalidated comment serialization
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-x6wf-f3px-wcqx
xmldom has XML node injection through unvalidated processing instruction serialization
cfspider-browser/package-lock.json
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
cfspider/proxy_server.py:223
high Security checks security Injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
cfspider/export.py:326
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
x27cn/x27cn/advanced.py:411
x27cn/x27cn/cli.py:137
x27cn/x27cn/obfuscate.py:127
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._ensure_vless_proxy` used but never assigned in __init__
Method `start` of class `TwoProxyServer` reads `self._ensure_vless_proxy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
3 files, 25 locations
cfspider/stealth.py:122, 126, 129, 370, 396, 397, 441, 444, +4 more (13 hits)
cfspider/vless_client.py:189, 192, 329, 343, 386, 390, 443, 521, +1 more (9 hits)
cfspider/proxy_server.py:188, 216, 226 (3 hits)
high Security checks software dependencies conf 0.88 axios: GHSA-35jp-ww65-95wh
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-3g43-6gmg-66jw
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-43fc-jf86-j433
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-6chq-wfr3-2hj9
Axios: Header Injection via Prototype Pollution
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-777c-7fjr-54vf
Allocation of Resources Without Limits or Throttling in Axios
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-hfxv-24rg-xrqf
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-j5f8-grm9-p9fc
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-p92q-9vqr-4j8v
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pf86-5x62-jrwf
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-pjwm-pj3p-43mv
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 axios: GHSA-q8qp-cvcw-x6jj
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 electron: GHSA-532v-xpq5-8h95
Electron: Use-after-free in offscreen child window paint callback
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 electron: GHSA-8337-3p73-46f4
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 electron: GHSA-9wfr-w7mm-pc7f
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 electron: GHSA-jjp3-mq3x-295m
Electron: Use-after-free in PowerMonitor on Windows and macOS
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
package-lock.json
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 21 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 21 locations
.github/workflows/build-browser.yml:19, 22, 43, 53, 56, 93, 105, 108, +2 more (20 hits)
.github/workflows/update-vless-configs.yml:15
CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `softprops/action-gh-release` pinned to mutable ref `@v1` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/build-browser.yml:150 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility Lockfile pulls package from off-canonical host `registry.npmmirror.com`
`package-lock.json` resolved URL for `node_modules/@inversifyjs/common` is `https://registry.npmmirror.com/@inversifyjs/common/-/common-1.3.3.tgz...` — host `registry.npmmirror.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private regi…
package-lock.json:1
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
2 files, 2 locations
cfspider-browser/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
2 files, 2 locations
cfspider-browser/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 2 occurrences minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
2 files, 2 locations
cfspider-browser/package-lock.json
package-lock.json
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 rollup: GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal
cfspider-browser/package-lock.json
high Security checks security auth conf 0.83 Secret-like setting is echoed into a password input value
Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.
cfspider-browser/src/components/Settings/SettingsModal.tsx:351
high Security checks software dependencies conf 0.88 tar: GHSA-34x7-hfp2-rc4v
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-83g3-92jg-28cx
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-8qq5-rm4j-mr97
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-9ppj-qmqm-q256
node-tar Symlink Path Traversal via Drive-Relative Linkpath
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-qffp-2rhf-9h96
tar has Hardlink Path Traversal via Drive-Relative Linkpath
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tar: GHSA-r6q2-hw4h-h46w
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 xlsx: GHSA-4r6h-8v6p-xvw6
Prototype Pollution in sheetJS
cfspider-browser/package-lock.json
high Security checks software dependencies conf 0.88 xlsx: GHSA-5pgg-2g8v-p4x9
SheetJS Regular Expression Denial of Service (ReDoS)
cfspider-browser/package-lock.json
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
cfspider/proxy_server.py:279
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
cfspider-browser/src/components/Browser/VirtualMouse.tsx:201
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
x27cn/x27cn/cli.py:227
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
x27cn/x27cn/advanced.py:346
medium Security checks software dependencies conf 0.88 2 occurrences ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
2 files, 2 locations
cfspider-browser/package-lock.json
package-lock.json
medium Security checks quality Quality Average file size is 552 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.
medium Security checks software dependencies conf 0.88 axios: GHSA-3w6x-2g7m-8v23
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-445q-vr5w-6q77
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-5c9x-8gcm-mpgx
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-62hf-57xw-28j9
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-898c-q2cr-xwhg
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-fvcv-3m26-pcqx
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-m7pr-hjqh-92cm
Axios: no_proxy bypass via IP alias allows SSRF
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-vf2m-468p-8v99
Axios: HTTP adapter streamed responses bypass maxContentLength
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-w9j2-pvgh-6h63
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 axios: GHSA-xx6v-rp6x-q39c
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
cfspider-browser/package-lock.json
package-lock.json
low Security checks quality Error handling conf 0.55 ✓ Repobility 13 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
5 files, 13 locations
cfspider/vless_client.py:350, 445, 523, 544, 561, 619 (6 hits)
cfspider/batch.py:296, 328, 417 (3 hits)
cfspider/proxy_server.py:256, 274 (2 hits)
cfspider/human_browser.py:311
cfspider/mirror.py:399
Error handling · quality
medium Security checks software dependencies conf 0.88 electron: GHSA-3c8v-cfp5-9885
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-4p4r-m79c-wq3v
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-5rqw-r77c-jp79
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-9w97-2464-8783
Electron: Use-after-free in download save dialog callback
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-f3pv-wv63-48x8
Electron: Named window.open targets not scoped to the opener's browsing context
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-mwmh-mq4g-g6gr
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-r5p7-gp4j-qhrx
Electron: Incorrect origin passed to permission request handler for iframe requests
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-vmqv-hx8q-j7mg
Electron has ASAR Integrity Bypass via resource modification
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-xj5x-m3f3-5x3h
Electron: Service worker can spoof executeJavaScript IPC replies
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 electron: GHSA-xwr5-m59h-vwqr
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 esbuild: GHSA-67mh-4wv8-2f99
esbuild enables any website to send any requests to the development server and read the response
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
cfspider-browser/package-lock.json
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
cfspider-browser/src/store/index.ts:688
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.90 npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)
`@types/react-dom` is pinned/resolved at 18.3.7 but the latest stable release on the npm registry is 19.2.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
medium Security checks software dependencies conf 0.90 npm package `@vitejs/plugin-react` is 2 major version(s) behind (4.7.0 -> 6.0.2)
`@vitejs/plugin-react` is pinned/resolved at 4.7.0 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
cfspider-browser/package.json
medium Security checks software dependencies conf 0.90 npm package `concurrently` is 2 major version(s) behind (8.2.2 -> 10.0.3)
`concurrently` is pinned/resolved at 8.2.2 but the latest stable release on the npm registry is 10.0.3 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
medium Security checks software dependencies conf 0.90 npm package `cross-env` is 3 major version(s) behind (7.0.3 -> 10.1.0)
`cross-env` is pinned/resolved at 7.0.3 but the latest stable release on the npm registry is 10.1.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
medium Security checks software dependencies conf 0.90 npm package `react-markdown` is 1 major version(s) behind (9.0.1 -> 10.1.0)
`react-markdown` is pinned/resolved at 9.0.1 but the latest stable release on the npm registry is 10.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
medium Security checks software dependencies conf 0.90 npm package `wait-on` is 2 major version(s) behind (7.2.0 -> 9.0.10)
`wait-on` is pinned/resolved at 7.2.0 but the latest stable release on the npm registry is 9.0.10 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
cfspider-browser/package-lock.json
medium Security checks software dependencies conf 0.88 vite: GHSA-4w7w-66w2-5vf9
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
cfspider-browser/package-lock.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/vless_workers.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/workers.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/爬楼梯workers.js:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/破皮版workers.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/破皮版workers_明文.js:195
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — cfspider/workers/破皮版workers_超明文.js:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/vless_workers.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/workers.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/爬楼梯workers.js:15
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/破皮版workers.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/破皮版workers_明文.js:195
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — workers/破皮版workers_超明文.js:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/build-browser.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/update-vless-configs.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in cfspider/workers/vless_workers.js:1278
Found a known-risky pattern (weak_hash). Review and replace if possible.
cfspider/workers/vless_workers.js:1278
Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in cfspider/workers/workers.js:1640
Found a known-risky pattern (weak_hash). Review and replace if possible.
cfspider/workers/workers.js:1640
Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in cfspider/workers/破皮版workers.js:1
Found a known-risky pattern (weak_hash). Review and replace if possible.
cfspider/workers/破皮版workers.js:1
Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in workers/vless_workers.js:1278
Found a known-risky pattern (weak_hash). Review and replace if possible.
workers/vless_workers.js:1278
Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in workers/workers.js:1640
Found a known-risky pattern (weak_hash). Review and replace if possible.
workers/workers.js:1640
Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in workers/破皮版workers.js:1
Found a known-risky pattern (weak_hash). Review and replace if possible.
workers/破皮版workers.js:1
Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — cfspider/workers_manager.py:360
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph network Security conf 1.00 Privileged port 50 in use
Port 50 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
cfspider/proxy_server.py Ports
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
1 test file(s) for 79 source file(s) (ratio 0.01). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks software dependencies conf 0.88 @tootallnate/once: GHSA-vpq2-c234-7xj6
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
cfspider-browser/package-lock.json
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 axios: GHSA-xhjh-pmcv-23jw
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
cfspider-browser/package-lock.json
low Security checks quality Quality conf 0.60 9 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
8 files, 9 locations
workers/破皮版workers_超明文.js:1, 2 (2 hits)
cfspider/async_api.py:88
cfspider/browser.py:92
cfspider/extract.py:278
cfspider/impersonate.py:34
cfspider/workers/破皮版workers_超明文.js:2
workers/爬楼梯workers.js:1
workers/破皮版workers_明文.js:1
duplication · quality
low Security checks software dependencies conf 0.88 electron: GHSA-9899-m83m-qhpj
Electron: USB device selection not validated against filtered device list
cfspider-browser/package-lock.json
low Security checks software dependencies conf 0.88 electron: GHSA-f37v-82c4-4x64
Electron: Crash in clipboard.readImage() on malformed clipboard image data
cfspider-browser/package-lock.json
low Security checks software dependencies conf 0.88 electron: GHSA-jfqx-fxh3-c62j
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
cfspider-browser/package-lock.json
low Security checks software dependencies conf 0.90 npm package `@neondatabase/serverless` is minor version(s) behind (1.0.2 -> 1.1.0)
`@neondatabase/serverless` is pinned/resolved at 1.0.2 but the latest stable release on the npm registry is 1.1.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs ra…
package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (10.4.24 -> 10.5.0)
`autoprefixer` is pinned/resolved at 10.4.24 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
low Security checks software dependencies conf 0.90 npm package `esbuild` is minor version(s) behind (0.19.12 -> 0.28.0)
`esbuild` is pinned/resolved at 0.19.12 but the latest stable release on the npm registry is 0.28.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
cfspider-browser/package.json
low Security checks software dependencies conf 0.90 npm package `javascript-obfuscator` is minor version(s) behind (5.1.0 -> 5.4.3)
`javascript-obfuscator` is pinned/resolved at 5.1.0 but the latest stable release on the npm registry is 5.4.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `terser` is minor version(s) behind (5.46.0 -> 5.48.0)
`terser` is pinned/resolved at 5.46.0 but the latest stable release on the npm registry is 5.48.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
cfspider/cli.py
low System graph software Dead code candidate conf 1.00 File has no detected symbols: api-docs/js/main.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: browser-extension/popup.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-browser/electron/preload.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-browser/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-browser/src/services/builtinSkills.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-browser/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-browser/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider-pages/main.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: cfspider/x27cn/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: x27cn/debug_mangle.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 17 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: x27cn/x27cn/advanced.py:obfuscate_numbers, x27cn/x27cn/advanced.py:obfuscate_number. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
17 occurrences
repo-level (17 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: x27cn/x27cn/minify.py:save_protected, x27cn/x27cn/minify.py:save_protected, x27cn/x27cn/minify.py:save_protected. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or documen…
2 occurrences
repo-level (2 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: cfspider/stealth.py:encoding, cfspider/stealth.py:encoding, cfspider/stealth.py:encoding, cfspider/stealth.py:encoding. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or d…
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `my_backup` in cfspider/mirror.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
cfspider-browser/package.json · CI/CD security · Supply chain · npm
low System graph software Dead code conf 1.00 Possibly dead Python function: client_to_vless
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cfspider/vless_client.py:532
low System graph software Dead code conf 1.00 Possibly dead Python function: collect_string
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/advanced.py:187
low System graph software Dead code conf 1.00 Possibly dead Python function: forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cfspider/proxy_server.py:245
low System graph software Dead code conf 1.00 Possibly dead Python function: obfuscate_number
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/advanced.py:120
low System graph software Dead code conf 1.00 Possibly dead Python function: process_iife
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:846
low System graph software Dead code conf 1.00 Possibly dead Python function: process_script
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:228
low System graph software Dead code conf 1.00 Possibly dead Python function: process_style
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:239
low System graph software Dead code conf 1.00 Possibly dead Python function: recv_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cfspider/vless_client.py:237
low System graph software Dead code conf 1.00 Possibly dead Python function: replace_script
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/obfuscate.py:169
low System graph software Dead code conf 1.00 Possibly dead Python function: replace_style
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/obfuscate.py:193
low System graph software Dead code conf 1.00 Possibly dead Python function: replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:215
low System graph software Dead code conf 1.00 Possibly dead Python function: save_protected
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:836
low System graph software Dead code conf 1.00 Possibly dead Python function: save_string
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
x27cn/x27cn/minify.py:117
low System graph software Dead code conf 1.00 Possibly dead Python function: set_cookie
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cfspider/stealth.py:461
low System graph software Dead code conf 1.00 Possibly dead Python function: vless_to_client
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
cfspider/vless_client.py:549
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — add_encryption.js:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — browser-extension/content.js:283
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — build_encrypted.js:213
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/electron/main.ts:1742
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/components/Browser/Browser.tsx:312
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/components/DataPanel/DataPanel.tsx:114
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/services/ai.ts:124
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/services/heartbeat.ts:94
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/services/skills.ts:126
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider-browser/src/store/index.ts:881
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider/workers/vless_workers.js:521
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider/workers/workers.js:655
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider/workers/破皮版workers.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — cfspider_obfuscate.js:165
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — deep_obfuscate.js:87
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — obfuscate.js:300
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — workers/vless_workers.js:521
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — workers/workers.js:655
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — workers/破皮版workers.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `encoding` (body is just `pass`/`return`) — cfspider/stealth.py:113
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handler · Dead code
low System graph quality Complexity conf 1.00 Very large file: cfspider-browser/electron/main.ts (2179 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: cfspider-browser/src/services/ai.ts (7589 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: cfspider/workers/vless_workers.js (2078 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: cfspider/workers/workers.js (2441 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: workers/vless_workers.js (2078 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: workers/workers.js (2441 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.

This page is publicly accessible at: https://repobility.com/scan/f3288468-7c64-43df-aa0e-0cdd9f87b514/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/f3288468-7c64-43df-aa0e-0cdd9f87b514/
