Check the repo before you run it.

Paste a public GitHub or Bitbucket link from a recruiter DM or coding test. We run a static risk scan in an isolated worker — the repository never touches your machine.

  • Public GitHub & Bitbucket only
  • Runs in an isolated worker — repo stays off your laptop

Do not clone or run a suspicious repository locally — even if the score comes back low. This scan covers static patterns only.

Static engine

What we look for in the repo.

60+ static checks across install hooks, shell execution, credential access, and obfuscation — repo only, no conversation context.

Install hooks

postinstall scripts, curl | sh chains, and setup files that run before you inspect the repo.

Exfiltration patterns

Reads of ~/.ssh, wallet paths, browser profiles, and environment variables — common in real reported cases.

Shell execution

child_process, eval, and remote fetch-and-run patterns that execute code outside your control.