Repo Analyzer
GitHub repository trust scoring and due diligence.
- Rating: 4.1 (193 reviews)
- Downloads: 11,055
- Version: 1.0.0
Overview
✨Key Features
Enhanced dependency audit: Detects known malicious packages (event-stream, ua-parser-js, etc.), typosquatting attacks, install hooks, and estimates transitive dependency bloat
Fork comparison: Analyzes fork divergence, detects cosmetic vs meaningful changes, flags suspicious modifications (removed CI, added wallets), identifies gutted forks
Agent safety: Detects prompt injection, credential harvesting, install script hooks, obfuscated code
Secrets detection: Finds hardcoded API keys, tokens, private keys via regex + entropy
Network mapping: Categorizes all outbound domains (API, CDN, unknown)
CI/CD audit: Checks GitHub Actions for pull_request_target, unpinned actions, secret leaks
Permissions manifest: Summarizes what the code needs to run (like an app permissions list)
Author reputation: Org memberships, suspicious repos, account age
Backer verification: Cross-references investor claims vs committer org membership
Complexity hotspots: Flags large files with deep nesting and high conditional density
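The CI/CD audit line above names three GitHub Actions findings: a `pull_request_target` trigger, actions not pinned to a commit, and secrets expanded into `run:` commands. The following is an added example (my own code, not Repo Analyzer's) of a zero-dependency Node.js check for exactly those patterns, run over a constructed workflow. It scans the workflow text line by line rather than parsing YAML, and the rule names, severities and the sample workflow (including the all-zero placeholder SHA) are this example's own choices.

```javascript
// Added example (not Repo Analyzer's own code): a zero-dependency check for the
// three GitHub Actions findings named in the CI/CD audit feature. It scans the
// workflow text line by line instead of parsing YAML; rule names, severities
// and the sample workflow below are this example's own choices.

// `uses: owner/repo[/path]@ref`; local (./) and docker:// references are not matched.
const USES_RE = /^\s*-?\s*uses:\s*["']?([\w.-]+\/[\w.\/-]+)@([^\s"'#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/; // a full commit SHA is the only immutable pin
const SECRET_RE = /\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;
const PR_HEAD_RE = /github\.event\.pull_request\.head\.(sha|ref)/;
// Textual trigger check; a mention inside a YAML comment would also match.
const PR_TARGET_RE = /\bpull_request_target\b/;

function auditWorkflow(text) {
  const findings = [];
  const lines = text.split(/\r?\n/);
  const prTarget = PR_TARGET_RE.test(text);
  let runIndent = -1; // indent of the enclosing `run:` key while inside its block scalar

  lines.forEach((line, idx) => {
    const lineNo = idx + 1;
    if (prTarget && PR_HEAD_RE.test(line)) {
      findings.push({ rule: 'pull_request_target_pr_head', severity: 'high', line: lineNo,
        detail: 'pull_request_target workflow checks out the PR head: fork code runs with repository secrets and a write-capable token' });
    }
    const indent = line.search(/\S|$/);
    if (runIndent >= 0 && (line.trim() === '' || indent > runIndent)) {
      scanRunLine(line, lineNo, findings); // continuation line of a `run: |` block
      return;
    }
    runIndent = -1;
    const run = line.match(/^(\s*)(-\s*)?run:\s*(.*)$/);
    if (run) {
      const value = run[3].trim();
      if (value === '' || /^[|>]/.test(value)) {
        runIndent = run[1].length + (run[2] || '').length; // block scalar follows
      } else {
        scanRunLine(value, lineNo, findings); // inline `run: cmd`
      }
      return;
    }
    const uses = line.match(USES_RE);
    if (uses && !SHA_RE.test(uses[2])) {
      findings.push({ rule: 'unpinned_action', severity: 'medium', line: lineNo,
        detail: `${uses[1]}@${uses[2]} is a mutable tag or branch; pin to a full commit SHA` });
    }
  });

  if (prTarget && !findings.some((f) => f.rule === 'pull_request_target_pr_head')) {
    findings.push({ rule: 'pull_request_target', severity: 'low', line: 0,
      detail: 'pull_request_target trigger present; confirm no step runs PR-controlled code' });
  }
  return findings;
}

// `${{ secrets.X }}` inside a run: script is expanded into the script text, where
// `set -x` traces and error messages can reveal it; `env:` keeps it out of that text.
function scanRunLine(text, lineNo, findings) {
  for (const m of text.matchAll(SECRET_RE)) {
    findings.push({ rule: 'secret_in_run', severity: 'medium', line: lineNo,
      detail: `secrets.${m[1]} is interpolated into a run: script; pass it via env: instead` });
  }
}

// Constructed sample workflow exhibiting all three patterns (not from any real
// repository; the 40 zeros stand in for a real commit SHA).
const SAMPLE_WORKFLOW = `
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0000000000000000000000000000000000000000
      - name: Install and test
        run: |
          npm ci
          curl -H "Authorization: token \${{ secrets.NPM_TOKEN }}" https://registry.example.invalid/ping
      - run: echo "\${{ secrets.SLACK_WEBHOOK }}"
`;

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`[${f.severity}] line ${f.line}: ${f.rule}: ${f.detail}`);
}
```

On the sample, the checker reports the unpinned `actions/checkout@v4`, the PR-head checkout under a `pull_request_target` trigger, and the two secrets expanded into `run:` commands, while the SHA-pinned `setup-node` step passes. The trigger on its own is only noted at low severity: it is the combination with checking out or executing the PR head that hands fork code the repository's secrets.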
Repo Analyzer
Zero-dependency GitHub trust scorer. Runs 29 analysis modules across the 14 scoring categories listed below.
Usage
# Single repo
node scripts/analyze.js <owner/repo or github-url> [flags]
# From a tweet (auto-extracts GitHub links)
node scripts/analyze.js <x.com-or-twitter.com-url> [flags]
# Batch mode
node scripts/analyze.js --file <repos.txt> [--json]
Flags
- --json — JSON output (for pipelines)
- --oneline — compact one-line score
- --badge — shields.io markdown badge
- --verbose — show progress
- --token <pat> — GitHub PAT (or set GITHUB_TOKEN env)
- --file <path> — batch mode, one repo per line (# comments ok)
Environment
CRITICAL: Always run with GITHUB_TOKEN loaded. Without it, scores are severely degraded (missing stars, forks, commits). Before running: source ~/.bashrc (token is in ~/.bashrc as GITHUB_TOKEN).
Or pass explicitly: GITHUB_TOKEN="$(grep GITHUB_TOKEN ~/.bashrc | cut -d'"' -f2)" node scripts/analyze.js ... (the cut assumes the token is double-quoted in ~/.bashrc, i.e. export GITHUB_TOKEN="..."). Public-repository metadata needs no token scopes; the token only lifts the unauthenticated rate limit (60 to 5,000 requests per hour), so use a fine-grained PAT with read-only access to public repositories rather than one that carries write permissions.
Scoring (14 categories, 168pts normalized to 100)
| Category | Max | What it checks |
|---|---|---|
| Commit Health | 20 | Human vs bot, GPG sigs, code dumps, fake timestamps |
| Contributors | 15 | Bus factor, contributor diversity |
| Code Quality | 25 | Tests, CI, license, docs, lock files |
| AI Authenticity | 15 | AI slop detection in code/README |
| Social | 10 | Stars, forks, star/fork ratio, botted stars |
| Activity | 10 | Recent pushes, releases |
| Crypto Safety | 5 | Token mints, rug patterns, wallet addresses |
| Dependency Audit | 10 | Known malicious packages, typosquatting, install hooks, lock files |
| Fork Quality | 8 | Fork divergence, suspicious changes, gutted vs meaningful forks |
| README Quality | 10 | Install guide, examples, structure, API docs |
| Maintainability | 10 | File sizes, nesting, code/doc ratio |
| Project Health | 10 | Abandoned detection, velocity, issue response, PR review |
| Originality | 5 | Copy-paste, template detection, backer verification |
| Agent Safety | 15 | Install hooks, prompt injection, secrets, CI audit, permissions |
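The Secrets detection feature and the Agent Safety row both rely on "regex + entropy". As an added example (my own code, not Repo Analyzer's), the block below shows how the two halves combine: fixed-format provider patterns run first, and a Shannon entropy score over long base64/hex-alphabet tokens catches credentials no pattern knows about. The pattern list, thresholds, allowlist and the constructed fixture are this example's own; the AWS value is the documented example access key and the GitHub-style token is an arbitrary string.

```javascript
// Added example (not Repo Analyzer's own code): regex-plus-entropy secret
// detection of the kind the Secrets detection feature and the Agent Safety
// category describe. Fixed-format provider patterns run first; a Shannon
// entropy check over long base64/hex-alphabet tokens catches the rest.
// Pattern list, thresholds, allowlist and the fixture are this example's own.

const PATTERNS = [
  { name: 'github_token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: 'aws_access_key_id', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { name: 'slack_token', re: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g },
  { name: 'private_key', re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/g },
];
// Tokens worth an entropy check: 20+ chars from the base64/hex alphabet.
// `=` is left out so that `KEY=value` splits into key and value.
const CANDIDATE_RE = /[A-Za-z0-9+\/_\-]{20,}/g;
const ENTROPY_THRESHOLD = 4.0; // bits/char; identifiers and words stay well below this
const HEX_THRESHOLD = 3.0;     // a 16-symbol alphabet caps entropy at 4 bits, so lower the bar
// Long tokens that share the alphabet but are not secrets: lockfile integrity
// hashes and obvious placeholder values.
const ALLOWLIST_RE = /^sha(1|256|384|512)-|^x{8,}$|^(REPLACE_ME|CHANGEME|EXAMPLE)/i;

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Report a prefix and suffix only; a scanner that echoes the full secret into
// its own output has just created another copy of it.
function redact(s) {
  return s.length <= 8 ? '***' : `${s.slice(0, 4)}...${s.slice(-4)}`;
}

function scanForSecrets(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    const matchedByPattern = new Set();
    for (const { name, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        hits.push({ line: lineNo, rule: name, match: redact(m[0]) });
        matchedByPattern.add(m[0]);
      }
    }
    for (const m of line.matchAll(CANDIDATE_RE)) {
      const tok = m[0];
      if (matchedByPattern.has(tok) || ALLOWLIST_RE.test(tok)) continue;
      const isHex = /^[0-9a-f]+$/i.test(tok);
      const entropy = shannonEntropy(tok);
      if (entropy >= (isHex ? HEX_THRESHOLD : ENTROPY_THRESHOLD)) {
        hits.push({ line: lineNo, rule: 'high_entropy', entropy: Number(entropy.toFixed(2)), match: redact(tok) });
      }
    }
  });
  return hits;
}

// Constructed fixture; none of these values are live credentials (the AWS key is
// the documented example key, the GitHub-style token is an arbitrary string).
const SAMPLE_FILE = [
  '# constructed fixture, not real credentials',
  'GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB',
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
  'api_secret = "kQ9f2Lm8Zr4Xp7Tn1Wb6Yc3Vd5Hg0JsA"',
  'session_key_hex = 3f9a1c7e4b2d8e6f0a5c9b1d7e3f2a4c',
  '-----BEGIN OPENSSH PRIVATE KEY-----',
  'integrity: sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==',
  'const getUserAccountBalance = () => fetchJson("https://api.example.invalid/v1/balance");',
].join('\n');

for (const h of scanForSecrets(SAMPLE_FILE)) {
  console.log(`line ${h.line}: ${h.rule}${h.entropy ? ` (H=${h.entropy})` : ''} ${h.match}`);
}
```

The fixture shows the division of labour: the GitHub token, AWS key and private-key header are caught by shape, the 32-character random string and the hex session key only by entropy, and the lockfile integrity hash and the camelCase identifier (which share the alphabet) are left alone by the allowlist and the threshold. Entropy alone is a heuristic; lowering the threshold finds more generic tokens at the price of flagging hashes, UUIDs and minified identifiers.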
Grade Scale
- A (85+): LEGIT
- B (70-84): SOLID
- C (55-69): MIXED
- D (40-54): SKETCHY
- F (<40): AVOID
Key Features
- Enhanced dependency audit: Detects known malicious packages (event-stream, ua-parser-js, etc.), typosquatting attacks, install hooks, and estimates transitive dependency bloat
- Fork comparison: Analyzes fork divergence, detects cosmetic vs meaningful changes, flags suspicious modifications (removed CI, added wallets), identifies gutted forks
- Agent safety: Detects prompt injection, credential harvesting, install script hooks, obfuscated code
- Secrets detection: Finds hardcoded API keys, tokens, private keys via regex + entropy
- Network mapping: Categorizes all outbound domains (API, CDN, unknown)
- CI/CD audit: Checks GitHub Actions for pull_request_target, unpinned actions, secret leaks
- Permissions manifest: Summarizes what the code needs to run (like an app permissions list)
- Author reputation: Org memberships, suspicious repos, account age
- Backer verification: Cross-references investor claims vs committer org membership
- Complexity hotspots: Flags large files with deep nesting and high conditional density
Batch File Format
# One repo per line, # for comments
Uniswap/v3-core
https://github.com/aave/aave-v3-core
OpenZeppelin/openzeppelin-contracts
Output
- Default: rich terminal report with bar charts, sections, verdict.
- --json: Full structured data for programmatic use.
- --oneline: RepoName: 85/100 [A] — 2 flags
When Reporting to User
Keep it concise. Lead with score/grade and notable findings. Skip sections with nothing interesting. Example:
"Uniswap/v3-core scored 75/B — 96% GPG-signed, 11 authors, MIT license. Flagged: abandoned (466 days no push), 2,597 transitive deps (bloated), secrets in CI run commands. Agent safety: CAUTION."
Installation
openclaw install repo-analyzer