guard-install now scans GitHub repos before you run them

Hey everyone, I shared this earlier as a CLI to analyse npm packages before installing. Since then, I’ve added something I think is even more useful: 👉 You can now scan GitHub repos before cloning or running them npx guard-install --repo https://github.com/user/repo Why this...

DEV Community

by Nithin D J

Hey everyone,

I shared this earlier as a CLI to analyse npm packages before installing.

Since then, I’ve added something I think is even more useful:

👉 You can now scan GitHub repos before cloning or running them

npx guard-install --repo https://github.com/user/repo

Why this matters

There’s a growing pattern (especially in crypto interviews / side projects):

“Clone this repo and run it locally”

Some of these repos:

access environment variables
interact with wallets / keys
make outbound network calls

You don’t always notice what’s happening before you run the code.

What the repo scan does

Scans files (without executing anything)
Detects:
- sensitive data patterns (PRIVATE_KEY, MNEMONIC)
- crypto/wallet usage
- network calls
- shell execution
Combines signals → gives a risk level (LOW / MEDIUM / HIGH)
Explains why something might need review

Example

🔐 Sensitive data patterns found
💰 Cryptocurrency functionality
🌐 Network activity detected

Risk: MEDIUM — Sensitive domain with multiple relevant signals

Links

GitHub: https://github.com/dasanakudigenithin/guard-install
npm: https://www.npmjs.com/package/guard-install
DEV.to: https://dev.to/nithindj192/npm-installs-packages-blindly-i-built-a-cli-to-fix-that-1dd

Still early, but getting more practical now.

Would love feedback on:

Are these signals useful or noisy?
What would make you trust a HIGH risk warning?
Would you use this before running unknown repos?

Thanks!