Skill

repo-security-review

Audits GitHub repositories for security risks before installation: reviews install scripts for malicious commands, source code for data exfiltration, and dependencies for suspicious packages.

Github

Git

security

npx claudepluginhub jbdamask/john-claude-skills --plugin john-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Perform security audits on GitHub repositories to identify data exfiltration, malicious code, or suspicious behavior before installation.

Supporting Assets

references/red-flags.md

SKILL.md

Similar Skills

package-risk

Analyzes installed package source code for supply chain risks by scanning for eval, network calls, env access, and obfuscation. Scores packages and reports issues with file:line context for JS, Python, Rust, Go ecosystems.

sentinel

repo-forensics

Audits git repositories, AI skills, and MCP servers for security risks including dependencies, prompt injection, credential theft, runtime dynamism, manifest drift, CVEs, and exploited vulns.

20 files1 tool

repo-forensics

ring:dev-dep-security-check

169

Intercepts pip, npm, go installs to audit package identity, vulnerabilities, suspicious signals, and enforce lockfile hash pinning before execution.

ring-dev-team

Stats

Stars23

Forks2

Last CommitJan 15, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Repo Security Review

Perform security audits on GitHub repositories to identify data exfiltration, malicious code, or suspicious behavior before installation.

Workflow

1. Gather Repository Info

Fetch the main page to understand what the project does
Locate the GitHub repository URL
Identify install scripts (install.sh, setup.py, Makefile, etc.)

2. Review Install Scripts

Fetch and analyze all install scripts for:

URLs contacted - Should only be official sources (GitHub releases, package registries)
Commands executed - Look for curl/wget to unknown hosts, eval of remote code
File system access - Unexpected writes outside install directory
Environment variables - Harvesting of secrets, API keys, credentials

3. Audit Source Code

Examine main application code for:

Network calls - All HTTP/HTTPS requests and their destinations
Data collection - Any telemetry, analytics, or phone-home behavior
File access - Reading sensitive files (~/.ssh, ~/.aws, credentials)
Obfuscated code - Base64 encoded strings, eval(), exec()

4. Check Dependencies

Review dependency files (package.json, go.mod, requirements.txt, Cargo.toml):

Look for analytics/telemetry packages
Check for typosquatted package names
Verify packages are from reputable sources

5. Provide Assessment

Summarize findings with:

Overall verdict (Safe / Caution / Unsafe)
Network activity - All external endpoints contacted
Data storage - Where data is stored (local vs remote)
Red flags found - Any suspicious patterns
Recommendation - Install as-is, build from source, or avoid

Red Flags Reference

See references/red-flags.md for comprehensive list of suspicious patterns.

Key Suspicious Patterns (Quick Reference)

Install scripts:

curl | bash from non-official URLs
Hidden file creation (dotfiles outside expected locations)
Modification of shell profiles to inject code
Download and execute without verification

Source code:

Hardcoded IPs or non-GitHub/official URLs
Base64 encoded payloads
Reading SSH keys, AWS credentials, browser data
Sending data to analytics endpoints
Obfuscated variable names

Dependencies:

analytics, telemetry, tracking packages
Misspelled package names (typosquatting)
Packages with very few downloads/stars
Dependencies from personal GitHub repos

Output Format

## Security Review Summary: [Project Name]

### [Status Emoji] Install Script - [CLEAN/SUSPICIOUS/DANGEROUS]
[Findings]

### [Status Emoji] Application Code - [CLEAN/SUSPICIOUS/DANGEROUS]
[Findings]

### [Status Emoji] Dependencies - [CLEAN/SUSPICIOUS/DANGEROUS]
[Findings]

### Assessment
[Overall verdict and recommendation]

Use checkmarks for clean, warning signs for suspicious, X for dangerous.