
Repo Analyzer

Verified

GitHub repository trust scoring and due diligence. Use when asked to analyze, audit, score, or evaluate any GitHub repo — especially for crypto/DeFi project...

323 downloads

About This Skill

# Repo Analyzer

Zero-dependency GitHub trust scorer. Runs 29 analysis modules across 12 scoring categories.

## Usage

```bash
# Single repo
node scripts/analyze.js <owner/repo or github-url> [flags]

# From a tweet (auto-extracts GitHub links)
node scripts/analyze.js <x.com-or-twitter.com-url> [flags]

# Batch mode
node scripts/analyze.js --file <repos.txt> [--json]
```

## Flags

- `--json` — JSON output (for pipelines)
- `--oneline` — compact one-line score
- `--badge` — shields.io markdown badge
- `--verbose` — show progress
- `--token <pat>` — GitHub PAT (or set GITHUB_TOKEN env)
- `--file <path>` — batch mode, one repo per line (# comments ok)

## Environment

**CRITICAL:** Always run with GITHUB_TOKEN loaded. Without it, scores are severely degraded (missing stars, forks, commits).

Before running: `source ~/.bashrc` (the token is stored in ~/.bashrc as GITHUB_TOKEN). Or pass it explicitly:

`GITHUB_TOKEN="$(grep GITHUB_TOKEN ~/.bashrc | cut -d'"' -f2)" node scripts/analyze.js ...`

## Scoring (14 categories, 168pts normalized to 100)

| Category | Max | What it checks |
|----------|-----|----------------|
| Commit Health | 20 | Human vs bot, GPG sigs, code dumps, fake timestamps |
| Contributors | 15 | Bus factor, contributor diversity |
| Code Quality | 25 | Tests, CI, license, docs, lock files |
| AI Authenticity | 15 | AI slop detection in code/README |
| Social | 10 | Stars, forks, star/fork ratio, botted stars |
| Activity | 10 | Recent pushes, releases |
| Crypto Safety | 5 | Token mints, rug patterns, wallet addresses |
| Dependency Audit | 10 | Known malicious packages, typosquatting, install hooks, lock files |
| Fork Quality | 8 | Fork divergence, suspicious changes, gutted vs meaningful forks |
| README Quality | 10 | Install guide, examples, structure, API docs |
| Maintainability | 10 | File sizes, nesting, code/doc ratio |
| Project Health | 10 | Abandoned detection, velocity, issue response, PR review |
| Originality | 5 | Copy-paste, template detection, backer verification |
| Agent Safety | 15 | Install hooks, prompt injection, secrets, CI audit, permissions |

## Grade Scale

- A (85+): LEGIT
- B (70-84): SOLID
- C (55-69): MIXED
- D (40-54): SKETCHY
- F (<40): AVOID

## Key Features

- **Enhanced dependency audit**: Detects known malicious packages (event-stream, ua-parser-js, etc.), typosquatting attacks, install hooks, and estimates transitive dependency bloat
- **Fork comparison**: Analyzes fork divergence, detects cosmetic vs meaningful changes, flags suspicious modifications (removed CI, added wallets), identifies gutted forks
- **Agent safety**: Detects prompt injection, credential harvesting, install script hooks, obfuscated code
- **Secrets detection**: Finds hardcoded API keys, tokens, private keys via regex + entropy
- **Network mapping**: Categorizes all outbound domains (API, CDN, unknown)
- **CI/CD audit**: Checks GitHub Actions for pull_request_target, unpinned actions, secret leaks
- **Permissions manifest**: Summarizes what the code needs to run (like an app permissions list)
- **Author reputation**: Org memberships, suspicious repos, account age
- **Backer verification**: Cross-references investor claims vs committer org membership
- **Complexity hotspots**: Flags large files with deep nesting and high conditional density

## Batch File Format

```
# One repo per line, # for comments
Uniswap/v3-core
https://github.com/aave/aave-v3-core
OpenZeppelin/openzeppelin-contracts
```

## Output

- Default: rich terminal report with bar charts, sections, verdict.
- `--json`: Full structured data for programmatic use.
- `--oneline`: `RepoName: 85/100 [A] — 2 flags`

## When Reporting to User

Keep it concise. Lead with score/grade and notable findings. Skip sections with nothing interesting. Example:

"Uniswap/v3-core scored 75/B — 96% GPG-signed, 11 authors, MIT license. Flagged: abandoned (466 days no push), 2,597 transitive deps (bloated), secrets in CI run commands. Agent safety: CAUTION."

Use Cases

  • Analyze data and content to extract actionable insights
  • Run automated tests to verify functionality and catch regressions
  • Interact with external APIs for data retrieval and service integration
  • Monitor and optimize API costs and token usage
  • Generate smoke tests for rapid deployment verification

Pros & Cons

Pros

  • Solid adoption with 646+ downloads
  • Supports batch processing for efficient high-volume operations
  • Clean CLI interface integrates well with automation pipelines and AI agents
  • API-based architecture allows flexible integration with various platforms

Cons

  • Requires API key configuration — not free or self-contained
  • Static analysis only — does not replace runtime security testing or penetration testing
  • May produce false positives that require manual verification

FAQ

What platforms support Repo Analyzer?
Repo Analyzer is available on Claude Code, OpenClaw.
