# repo-forensics

> Security scanner for GitHub repos, Agent Skills, Plugins, and MCP servers. 18 scanners. Zero dependencies.

- **URL**: https://www.freshcrate.ai/projects/repo-forensics
- **Author**: alexgreensh
- **Category**: MCP Servers
- **Latest version**: `v2.9.2` (2026-06-06)
- **License**: NOASSERTION
- **Source**: https://github.com/alexgreensh/repo-forensics
- **Homepage**: https://www.linkedin.com/in/alexgreensh/
- **Language**: Python
- **GitHub**: 51 stars, 10 forks
- **Registry**: github
- **Tags**: `agent-skill`, `claude-skills`, `forensics`, `openclaw-skills`, `python`, `security-audit`, `security-scanner`, `security-tools`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v2.9.2` | 2026-06-06 | High | **Highlights:** Adds vpmdhaj OpenSearch/Elastic npm typosquat IOCs and install-script markers. Adds Miasma / Red Hat Cloud Services exact version IOCs and behavioral markers. Adds agentic CI detection for Claude/Codex-style GitHub Actions with untrusted triggers, secrets, and sensitive tools, including scalar and quoted scalar `on:` trigger forms. Adds MCP stdio dynamic command/config risk detection. Adds `CODEX_API_KEY` secret detection. Updates forensify inventory to use `codex plugi |
| `v2.9.0` | 2026-05-24 | High | **What's New.** **Scanner #20: Entrypoint Payload Injection Detection.** New dedicated scanner detecting payloads injected into package entrypoints that execute on `require()`/`import`, bypassing lifecycle hook scanning entirely. **JavaScript CJS injection** (node-ipc pattern): IIFE appended at end of file, high-entropy blocks, `module.exports` reassignment. **Python import-time execution** (durabletask pattern): AST-based top-level scope analysis for dangerous calls in `__init__.py`/`setup.py`. 32 tes |
| `v2.8.0` | 2026-05-13 | High | Closes all 6 detection gaps from March-May 2026 threat intel review.  New: Geofenced destructive commands (Rule 37), CI runner memory extraction (Rule 38), LLMO attack correlation (Rule 39), cache poisoning via forked PR, Morse/hex encoding detection, slopsquatting corpus.  Auto-scan now runs 10 scanners. 39 correlation rules. JS/TS process-enumeration coverage. Full torture room gauntlet. 1140 tests passing. |
| `v2.7.11` | 2026-05-10 | High | **8 New Detection Classes (Tier 3 P0).** Based on deep research across 7 agents, 141 findings, 120 sources: **TrustFall .mcp.json RCE** — Detects malicious MCP server definitions with inline code execution (`node -e`, `python -c`, `fetch+eval`). Catches the zero-click RCE attack disclosed by Adversa AI (May 2026) affecting Claude Code, Cursor, Gemini CLI, and Copilot CLI. **Git history forgery** — First scanner to detect `refs/replace/*` objects and `.git/info/grafts` files. `git fsck` is blind |
| `v2.7.6` | 2026-05-05 | High | **What's new.** **Consistent cache-file permissions.** All cache writes (IOC, KEV, baseline, refresh marker) now share one canonical atomic-write path with explicit `fchmod(0o600)`, ensuring the documented user-private mode is honored regardless of the user's umask on shared systems. **Cleaner internals.** A single helper in `forensics_core` (`atomic_write_json` / `atomic_write_text`) replaces four near-duplicate implementations across the codebase. Every cache writer now gets identical guarante |
| `v2.7.2` | 2026-04-29 | High | **Mini Shai-Hulud Detection (TeamPCP Wave 6).** Comprehensive detection for the @cap-js/db-service supply chain worm that compromised SAP CAP packages on April 29, 2026. **New Detection Capabilities:** 4 compromised package versions with version-pinned checking (@cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2, mbt@1.2.48); 9 IOC string patterns (dead-drop markers, PBKDF2 salt, runner name, C2 domain); Claude Code SessionStart hook injection detection (flat + nested for |
| `v2.6.7` | 2026-04-23 | High | **Scanner concurrency limiter.** Fixed a critical bug where all 19 scanners launched simultaneously with no concurrency cap. When scanning multiple targets (e.g., marketplace plugin caches), this spawned 57+ Python processes, causing CPU load averages above 80. **New: FIFO-based semaphore** caps concurrent scanners to `clamp(ncpu, 4, 8)`. Configurable via `--max-jobs=N` flag or `REPO_FORENSICS_MAX_JOBS` env var. **New: Stale scanner cleanup** — on startup (both `run_forensics.sh` and `session_s |
| `v2.6.6` | 2026-04-21 | High | **Scanner rename: openclaw_skills → agent_skills.** The skill scanner now detects and scans agent skills across all ecosystems, not just OpenClaw. **Detection now covers:** Claude Code: SKILL.md, .claude/, .claude-plugin/; Codex: codex.json, .codex/; Cursor: .cursor/; MCP: tools.json, .mcp.json, mcp.json; OpenClaw: all existing markers (SOUL.md, .clawhubignore, etc.); Generic: AGENTS.md. **Version alignment:** plugin.json and marketplace.json aligned to 2.6.6; All scanner counts (19) and |
| `v2.6.4` | 2026-04-19 | High | **What changed.** **SessionStart scanner now actually runs.** The IOC threat feed URL was returning 404 (the `iocs/` directory was never pushed), causing the daily database refresh to hang for the full urllib timeout. Combined with the KEV fetch, cold-start latency hit ~22s — blowing the 15s hook timeout and silently killing the scanner every session. **Fixes:** Add `iocs/latest.json` with seed threat data (C2 IPs, malicious domains, npm/PyPI packages); Bump SessionStart hook timeout 15s → 25s |
| `v2.6.3` | 2026-04-19 | High | **Bug Fix.** Corrects the v2.6.2 fix: `hookEventName` must be nested **inside** `hookSpecificOutput`, not at the top level alongside it. **Correct format (v2.6.3):** `{"hookSpecificOutput": {"hookEventName": "SessionStart", "additionalContext": "..."}}` **Wrong format (v2.6.2):** `{"hookEventName": "SessionStart", "hookSpecificOutput": {"additionalContext": "..."}}` Thanks @eligrumman for catching this and providing the reference implementation. Note: After `/plugin upd |

## Citation

- HTML: https://www.freshcrate.ai/projects/repo-forensics
- Markdown: https://www.freshcrate.ai/projects/repo-forensics.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/repo-forensics/deps

_Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._
