Open source security scanner

Scan before you install.

Check any skill, plugin, or package for malicious code before it runs on your machine. Get a clear RED / YELLOW / GREEN verdict in seconds.

Get started View on GitHub
repoguard scan 
$ repoguard scan https://github.com/sketchy/plugin

  RepoGuard Report: plugin
  Verdict: RED

  Data Exfiltration      █████████░  HIGH
  Obfuscated Code        ██████░░░░  MED
  Install Scripts        ████████░░  HIGH
  Backdoors              ░░░░░░░░░░  NONE
  Privacy Violations     ███░░░░░░░  LOW
  Dependency Risks       ░░░░░░░░░░  NONE
  Filesystem Access      █████░░░░░  MED
  Supply Chain Red Flags ██░░░░░░░░  LOW

  Top findings:
  ! postinstall script runs curl | bash  (package.json:8)
  ! Reads .env and POSTs to Discord webhook  (steal.js:12)
  * Base64-encoded payload passed to eval()  (utils.js:45)

  Recommendation: DO NOT USE this repository.

What should you scan?

Claude Code Skills

Skills and plugins run with your full permissions. Scan them before adding to your workflow.

🔌

MCP Servers

MCP servers connect directly to your AI tools. Verify they're not exfiltrating your data.

📦

npm / pip Packages

Scan the source repo of any package before installing. Catch typosquats and malicious install scripts.

🔧

VS Code Extensions

Extensions run inside your editor with access to your files. Check the source first.

🔄

GitHub Actions

Actions run in your CI/CD pipeline with access to secrets. Don't trust blindly.

🛡️

Any Open Source Repo

Before you clone and run anything, let RepoGuard tell you what's inside.

8 security checks in every scan

Data Exfiltration — Reads .env, SSH keys, cookies and sends them to external servers
Obfuscation — eval(), base64, hex encoding, zero-width Unicode, high-entropy strings
Install Scripts — Dangerous postinstall hooks, curl|bash, setup.py exec patterns
Backdoors — Reverse shells, remote code execution, command & control patterns
Privacy Violations — Geolocation, clipboard, camera/mic, fingerprinting, keylogging
Dependency Risks — Typosquatting detection, unpinned versions that could pull compromised releases
Filesystem Abuse — Path traversal, system directory access, privilege escalation
Supply Chain Signals — Suspicious star/age ratio, fork status, missing license

Get started in 10 seconds

1

Install

npm install -g repoguard
2

Scan

repoguard scan https://github.com/author/skill
3

Decide

GREEN = safe. YELLOW = review first. RED = don't install.

Works with any AI tool

Use --json to get machine-readable output. Pipe it to Claude Code, ChatGPT, or any LLM for AI-powered false-positive filtering — no API key required. 

$ repoguard scan https://github.com/author/mcp-server --json
# Full JSON output — feed it to any AI for deeper review