# Repository Trust Analyzer

## Contents

- Quick start
- Analysis workflow
- Understanding results
- Example output
- Validation loop
- Scoring methodology → See SCORING.md
## Quick Start

```
/repo-check <target>
```

Where `<target>` is one of:

- `owner/repo` — shorthand (e.g. `facebook/react`)
- `https://github.com/owner/repo` — full URL
- `https://github.com/owner/repo/blob/branch/path/SKILL.md` — SKILL.md URL
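The three target forms above reduce to one normalisation step. The Go function below is an added illustration, not the analyzer's own code (the name `ParseTarget` is an assumption); it maps each form to `owner/repo` and rejects any host other than `github.com`, so a look-alike URL is never scored as if it were a GitHub repository.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// slugRe matches a bare owner/repo shorthand (GitHub names use letters,
// digits, '.', '-' and '_').
var slugRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$`)

// ParseTarget maps the three accepted target forms (owner/repo shorthand,
// full repository URL, SKILL.md blob URL) to owner and repo. It rejects
// any host other than github.com so a look-alike domain is never analysed
// as if it were GitHub. Hypothetical helper, not the project's own code.
func ParseTarget(target string) (owner, repo string, err error) {
	target = strings.TrimSpace(target)
	if slugRe.MatchString(target) {
		parts := strings.SplitN(target, "/", 2)
		return parts[0], strings.TrimSuffix(parts[1], ".git"), nil
	}
	u, perr := url.Parse(target)
	if perr != nil || u.Host == "" {
		return "", "", fmt.Errorf("unrecognised target %q", target)
	}
	if !strings.EqualFold(u.Hostname(), "github.com") {
		return "", "", fmt.Errorf("host %q is not github.com", u.Hostname())
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 {
		return "", "", fmt.Errorf("URL %q has no owner/repo path", target)
	}
	owner, repo = segs[0], strings.TrimSuffix(segs[1], ".git")
	if !slugRe.MatchString(owner + "/" + repo) {
		return "", "", fmt.Errorf("invalid owner/repo in %q", target)
	}
	return owner, repo, nil
}

func main() {
	// Constructed sample inputs: the three documented forms plus a look-alike host.
	for _, t := range []string{"facebook/react",
		"https://github.com/facebook/react/blob/main/path/SKILL.md",
		"https://github.com.evil.example/facebook/react"} {
		o, r, err := ParseTarget(t)
		fmt.Printf("%s -> %s/%s (err=%v)\n", t, o, r, err)
	}
}
```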
## Analysis Workflow

Copy and track progress:

```
Repository Trust Analysis:
- [ ] Step 1: Parse input to extract owner/repo
- [ ] Step 2: Verify gh CLI authentication
- [ ] Step 3: Build and run the analyzer
- [ ] Step 4: Review trust signal and category scores
- [ ] Step 5: Review any warnings
- [ ] Step 6: Make adoption decision
```
## Understanding Results

### Trust Signal Levels

| Signal | Meaning |
|---|---|
| HIGH | Strong trust indicators across categories — safe to adopt with standard review |
| MODERATE | Acceptable but review flagged areas — investigate warnings before adopting |
| LOW | Significant concerns — manual deep review required before adoption |

### Categories Analyzed

| Category | Weight | What It Measures |
|---|---|---|
| Activity | 35% | Commit recency, frequency, contributor count, archive status |
| Security | 25% | OpenSSF Scorecard (if available), license presence |
| Popularity | 20% | Stars, forks, watchers |
| Maturity | 20% | README, contributing guide, CI/CD, releases, code of conduct |
## Example Output

```markdown
# Repository Trust Report: facebook/react

**URL:** https://github.com/facebook/react

## Overall Trust Signal: HIGH

## Popularity — HIGH

| Metric | Value |
|--------|-------|
| Stars | 230000 |
| Forks | 47000 |
| Watchers | 6500 |

## Activity — HIGH

| Metric | Value |
|--------|-------|
| Last commit | 2026-02-15T10:30:00Z (1 days ago) |
| Commits (90d) | 350 |
| Open issues | 900 |
| Contributors | 1800 |

## Security — MODERATE

| Metric | Value |
|--------|-------|
| License | MIT License (MIT) |
| OpenSSF Scorecard | Not available |

## Maturity — HIGH

| Metric | Value |
|--------|-------|
| Releases | 100 |
| README | true |
| Contributing guide | true |
| CI/CD | true |
```
## Validation Loop

- Run analysis: `/repo-check <target>`
- Review the overall trust signal
- If MODERATE or LOW:
  - Check the warnings section for specific concerns
  - Review the lowest-scoring categories
  - Investigate flagged areas manually
- For skill adoption:
  - HIGH → proceed with standard code review
  - MODERATE → deeper review of flagged areas, check issue tracker
  - LOW → consider alternatives, require team sign-off
- Re-run periodically to track changes
## Instructions

When the user invokes this skill:

1. Parse the input to extract `owner/repo` from the provided target (shorthand, URL, or SKILL.md URL).

2. Check that the `gh` CLI is authenticated:

   ```bash
   gh auth status
   ```

3. Build and run the analyzer binary:

   ```bash
   cd repo-check && go build -o repo-check . && ./repo-check <target>
   ```

   For JSON output:

   ```bash
   cd repo-check && go build -o repo-check . && ./repo-check --json <target>
   ```

4. Present the structured report to the user, highlighting:
   - The overall trust signal (HIGH/MODERATE/LOW)
   - Any warnings that need attention
   - Category-level scores for deeper analysis

5. If the Go binary is unavailable (build fails, Go not installed), fall back to manual `gh api` calls:

   ```bash
   # Repo metadata
   gh api repos/{owner}/{repo}
   # Commit activity
   gh api repos/{owner}/{repo}/stats/participation
   # Community profile
   gh api repos/{owner}/{repo}/community/profile
   # Releases (quoted so the shell does not treat '?' as a glob)
   gh api "repos/{owner}/{repo}/releases?per_page=100"
   ```

   Then manually assess trust signals based on the raw data and the scoring methodology in SCORING.md.

6. Provide a recommendation based on the trust signal and the user's context (adopting a dependency vs. evaluating a skill vs. general assessment).