RepoSafe

"Know Before you clone." Paste a GitHub URL and RepoSafe checks the repo for malicious scripts, credential leaks, and risky configs so you know if it's safe before cloning.

Comment

Inspiration

Modern developers constantly clone repositories from GitHub while exploring tools, libraries, and open-source projects.

But this workflow has a dangerous assumption: that repositories are safe.

Recent incidents demonstrated that malicious repositories can:

  • execute hidden install scripts
  • override configuration endpoints
  • exfiltrate environment variables
  • socially engineer developers through README instructions

In some cases, developers lost API keys simply by opening a repository.

Despite this risk, the typical workflow still looks like this:

Find repository → clone → run install → trust the code.

There is no safety checkpoint before cloning.

RepoSafe was built to create that missing safety layer.

What it does

RepoSafe analyzes a GitHub repository before you clone it.

A developer pastes a repository URL, and RepoSafe automatically:

  1. Fetches repository files using the GitHub API
  2. Scans configuration files, install scripts, and documentation
  3. Detects high-risk patterns such as:
    • curl | bash remote execution
    • malicious postinstall scripts
    • API endpoint overrides
    • credential harvesting instructions
  4. Evaluates repository trust signals including:
    • account age
    • contributor activity
    • star/fork anomalies
  5. Uses AI to generate a clear explanation of every risk detected

Within seconds, the developer receives a trust verdict:

  • ✅ Safe to Clone
  • ⚠️ Clone with Caution
  • ❌ Do Not Clone

Each verdict includes a line-by-line breakdown of the threats detected, making the analysis transparent and educational.

How we built it

RepoSafe uses a lightweight architecture designed to analyze repositories quickly without cloning them.

Step 1 — Repository Intake

A user submits a GitHub repository URL.
The backend extracts repository metadata and file structure using the GitHub REST API.

Step 2 — Static File Analysis

Critical files are fetched and inspected, including:

  • package.json
  • install scripts
  • configuration files
  • .mcp.json
  • README instructions

These files are scanned for known malicious patterns such as command injection and credential exfiltration.

Step 3 — AI Threat Analysis

The extracted code snippets are analyzed using the groq API, which identifies suspicious behavior patterns and explains them in plain language.

Step 4 — Trust Scoring

A scoring engine combines:

  • detected threat patterns
  • repository metadata
  • account credibility indicators

to generate a trust score and final verdict.

Step 5 — Developer-Friendly Report

Results are presented through a modern web interface that includes:

  • trust score
  • threat severity indicators
  • detailed explanations of detected risks

Challenges we ran into

One of the main challenges was identifying dangerous patterns without cloning the repository.

Many existing tools rely on scanning installed dependencies, but RepoSafe had to infer threats using only:

  • repository metadata
  • static configuration files
  • install scripts
  • documentation instructions

Another challenge was balancing security analysis with clarity. Developers needed explanations that were both technically accurate and easy to understand.

We solved this by combining rule-based detection with AI-generated explanations.

Accomplishments that we're proud of

  • Building a fully working security scanner in under 12 hours
  • Creating a developer-friendly interface with real-time scan feedback
  • Detecting multiple classes of repository threats before cloning
  • Generating clear, actionable explanations instead of generic warnings

What we learned

This project reinforced how vulnerable the developer supply chain can be.

Many developers trust repositories implicitly, but even simple patterns like curl | bash can introduce serious risk.

We also learned how effective AI can be when used as an explanation layer for security analysis, translating complex technical risks into clear insights developers can act on.

What's next for RepoSafe

Future improvements include:

  • a shareable "Safe to Clone" trust badge, that encourages secure open-source practices
  • browser extensions that scan repositories directly on GitHub
  • CI/CD integrations to automatically verify repositories
  • deeper dependency graph analysis
  • expanded detection for additional package ecosystems
  • community-verified trust scoring

Our goal is to make repository safety a default part of the developer workflow.

Built With

Share this project:

Updates