TrustStarTrustStar
Trust ScoreGitHub fake star detection
npm CheckDownloads vs stars consistency
Code ScanNEWStatic security analysis
BadgeEmbed your trust score
Recent AuditsLive community feed
GitHubOpen source — contribute
Log inSign up
Open Source Methodology

How TrustStar Works

Full transparency on how we calculate trust. Our methodology is open source — anyone can audit it, challenge it, or contribute to it.

View on GitHub ↗Try an Analysis

Two Engines, One Verdict

TrustStar combines two independent analysis engines to deliver a complete trust verdict. A project can have thousands of bought stars but clean code. Another can be authentically popular but contain dangerous code. TrustStar detects both.

Trust Score

Reputation Engine

Analyses whether a GitHub repository's popularity is genuine or artificially inflated through fake stars, bot accounts, or coordinated campaigns.

Metrics analyzed

Account Quality35%

Age, repos, followers, activity patterns of stargazers

Temporal Behavior30%

Star velocity, burst detection, Z-score anomalies

Project Health20%

Fork/star ratio, commit cadence, issue resolution

Community Signals15%

Contributor diversity, organic engagement patterns

SAFE (≥ 70)SUSPICIOUS (40–69)DANGEROUS (< 40)

Safety Score

Code Security Engine

Static analysis of skill source code to detect dangerous patterns: data exfiltration, credential theft, obfuscated payloads, and supply chain risks.

Analyzers

Network Analysis

Outbound calls, hardcoded IPs, dynamic URLs, data exfiltration

Filesystem Access

Sensitive path access (~/.ssh, ~/.aws, /etc/passwd), file operations

Code Execution

Shell injection, eval(), subprocess, curl|bash patterns

Obfuscation Detection

Base64 payloads, minified code, hex escapes, String.fromCharCode

Dependency Audit

Typosquatting, unpinned versions, excessive dependencies

SAFE (≥ 70)SUSPICIOUS (40–69)DANGEROUS (< 40)

Transparent Scoring

Every score is deterministic and reproducible. No black box, no AI judgment calls — pure static analysis with published thresholds.

SeverityPenaltyExample
CRITICAL-25 ptseval(atob(…)), curl|bash, ~/.ssh access
HIGH-15 ptsUnknown domain calls, subprocess shell=True
MEDIUM-8 ptsUnpinned dependencies, hex escapes
LOW-3 ptsMinor style issues
INFO0 ptsKnown safe patterns detected

Each dimension starts at 100 and loses points per finding. The final score is a weighted average of all dimensions. Minimum score per dimension: 0.

Why We're Open Source

Auditability

Our detection algorithms are public. If you think we're wrong, you can prove it. No trust-us-bro security.

Community-Driven

Found a false positive? Missing a pattern? Open a PR. The methodology improves with every contribution.

Enterprise Ready

Open source doesn't mean amateur. Transparent methodology is what compliance teams actually want to see.

TrustStar vs. the Alternatives

TrustStar
SClawHub
ClawSecure
Bitdefender
VirusTotal
Open source methodology
Fake star detection
Code security scanning
Combined trust verdict
Free & unlimited
Embeddable badges
Soon
API access
Soon

Ready to verify trust?

Analyze a Repository →

Free, open source, no account required.