GitHub AI Code Inspector

About

GitHub AI Code Inspector is a Chrome side panel extension for inspecting AI-generated GitHub repositories, pull requests, package files, workflow files, and agent/MCP configs directly inside GitHub.

It helps developers, maintainers, and AI-assisted builders quickly review public GitHub repositories before cloning, running, merging, or trusting them.

GitHub AI Code Inspector is rule-based and runs inspection logic locally in your browser. No external AI API is required.

Key features:

• Native GitHub page detection
Automatically detects whether you are viewing a repository, pull request, PR files page, single file, package.json, lockfile, GitHub Actions workflow, MCP config, or agent config.

• One-click repository inspection
Review public repositories for README accuracy, runability, security signals, implementation quality, maintenance signals, and overall trust score.

• One-click pull request inspection
Scan pull requests directly from GitHub pages when available. If the full PR diff cannot be read from the page, the extension provides a manual paste fallback.

• File-level inspection
Inspect individual GitHub files directly from the side panel, including package.json, workflow files, lockfiles, MCP configs, agent configs, and general source files.

• Package and dependency risk checks
Review package scripts and dependency-related signals such as postinstall, preinstall, install, prepare scripts, suspicious lifecycle behavior, and risky shell execution patterns.

• GitHub Actions workflow risk checks
Detect risky GitHub Actions patterns, including pull_request_target usage, broad permissions, secrets usage, unpinned actions, suspicious shell commands, and potentially dangerous CI behavior.

• MCP and agent config checks
Review MCP server configs, Claude/Cursor/Cline-style agent files, and tool descriptions for risky command access, suspicious endpoints, prompt-injection-like text, and overly permissive behavior.

• Hidden Unicode detection
Detect invisible or suspicious Unicode characters that may hide misleading code behavior.

• Secrets-like pattern detection
Flag common token and credential-like patterns such as API keys, private keys, GitHub tokens, cloud keys, Slack tokens, and password-shaped strings.

• Suspicious command detection
Flag risky command patterns such as eval-like behavior, curl | bash, wget | sh, PowerShell IEX, shell download execution, and other potentially dangerous code execution patterns.

• AI-code signal detection
Identify common AI-generated code signals, incomplete implementation patterns, placeholder-heavy code, and mismatches between documentation and actual source files.

• Safe Signals
Highlight positive engineering signals when detected, such as no obvious secrets, no hidden Unicode, lockfile presence, security files, or safer workflow patterns.

• Copyable Markdown reports
Copy a clean Markdown inspection report for PR review, documentation, or collaboration.

Privacy and security:

GitHub AI Code Inspector runs inspection logic locally in your browser. No external AI API is required. Pasted diffs are analyzed locally. Repository code is not sent to third-party AI services.

No GitHub OAuth is required. The extension does not request repo write permissions and does not automatically comment on pull requests.

For public GitHub pages, the extension can work without a GitHub token. An optional GitHub token may be added only to improve GitHub API access or rate limits where supported. If provided, the token is stored in Chrome storage and used only for requests to GitHub API endpoints.

Important limitations:

GitHub AI Code Inspector is a developer assistance tool. It does not replace manual code review, security review, dependency auditing, or professional security assessment.

It provides heuristic risk signals and recommendations, but it cannot guarantee that every issue or vulnerability will be detected. Some repository scans may be partial depending on what GitHub page data is visible or accessible.

Best used for:

• Reviewing AI-generated GitHub projects
• Checking repositories before cloning or running them
• Inspecting pull requests before merge
• Reviewing package.json and dependency scripts
• Checking GitHub Actions workflows
• Reviewing MCP and agent configuration files
• Finding README and implementation mismatches
• Spotting risky package scripts or workflow changes
• Creating lightweight Markdown audit reports

Built by Catalayer.