Repo Security Review
Perform security audits on GitHub repositories to identify data exfiltration, malicious code, or suspicious behavior before installation.
Workflow
1. Gather Repository Info
- •Fetch the main page to understand what the project does
- •Locate the GitHub repository URL
- •Identify install scripts (install.sh, setup.py, Makefile, etc.)
2. Review Install Scripts
Fetch and analyze all install scripts for:
- •URLs contacted - Should only be official sources (GitHub releases, package registries)
- •Commands executed - Look for curl/wget to unknown hosts, eval of remote code
- •File system access - Unexpected writes outside install directory
- •Environment variables - Harvesting of secrets, API keys, credentials
3. Audit Source Code
Examine main application code for:
- •Network calls - All HTTP/HTTPS requests and their destinations
- •Data collection - Any telemetry, analytics, or phone-home behavior
- •File access - Reading sensitive files (~/.ssh, ~/.aws, credentials)
- •Obfuscated code - Base64 encoded strings, eval(), exec()
4. Check Dependencies
Review dependency files (package.json, go.mod, requirements.txt, Cargo.toml):
- •Look for analytics/telemetry packages
- •Check for typosquatted package names
- •Verify packages are from reputable sources
5. Provide Assessment
Summarize findings with:
- •Overall verdict (Safe / Caution / Unsafe)
- •Network activity - All external endpoints contacted
- •Data storage - Where data is stored (local vs remote)
- •Red flags found - Any suspicious patterns
- •Recommendation - Install as-is, build from source, or avoid
Red Flags Reference
See references/red-flags.md for comprehensive list of suspicious patterns.
Key Suspicious Patterns (Quick Reference)
Install scripts:
- •
curl | bashfrom non-official URLs - •Hidden file creation (dotfiles outside expected locations)
- •Modification of shell profiles to inject code
- •Download and execute without verification
Source code:
- •Hardcoded IPs or non-GitHub/official URLs
- •Base64 encoded payloads
- •Reading SSH keys, AWS credentials, browser data
- •Sending data to analytics endpoints
- •Obfuscated variable names
Dependencies:
- •
analytics,telemetry,trackingpackages - •Misspelled package names (typosquatting)
- •Packages with very few downloads/stars
- •Dependencies from personal GitHub repos
Output Format
code
## Security Review Summary: [Project Name] ### [Status Emoji] Install Script - [CLEAN/SUSPICIOUS/DANGEROUS] [Findings] ### [Status Emoji] Application Code - [CLEAN/SUSPICIOUS/DANGEROUS] [Findings] ### [Status Emoji] Dependencies - [CLEAN/SUSPICIOUS/DANGEROUS] [Findings] ### Assessment [Overall verdict and recommendation]
Use checkmarks for clean, warning signs for suspicious, X for dangerous.