Install hooks
postinstall scripts, curl | sh chains, and setup files that run before you inspect the repo.
Paste a public GitHub or Bitbucket link from a recruiter DM or coding test. We run a static risk scan in an isolated worker — the repository never touches your machine.
Do not clone or run a suspicious repository locally — even if the score comes back low. This scan covers static patterns only.
Ready to scan
Paste a public repository URL and run the scan — the verdict and findings appear right here.
60+ static checks across install hooks, shell execution, credential access, and obfuscation — repo only, no conversation context.
postinstall scripts, curl | sh chains, and setup files that run before you inspect the repo.
Reads of ~/.ssh, wallet paths, browser profiles, and environment variables — common in real reported cases.
child_process, eval, and remote fetch-and-run patterns that execute code outside your control.