Overview
Chrome side panel for inspecting AI-generated GitHub repos, PRs, and files. Workflow, Unicode, command, package, MCP risk.
GitHub AI Code Inspector is a Chrome side panel extension for inspecting AI-generated GitHub repositories, pull requests, package files, workflow files, and agent/MCP configs directly inside GitHub. It helps developers, maintainers, and AI-assisted builders quickly review public GitHub repositories before cloning, running, merging, or trusting them.

GitHub AI Code Inspector is rule-based and runs inspection logic locally in your browser. No external AI API is required.

Key features:

• Native GitHub page detection: Automatically detects whether you are viewing a repository, pull request, PR files page, single file, package.json, lockfile, GitHub Actions workflow, MCP config, or agent config.
• One-click repository inspection: Review public repositories for README accuracy, runability, security signals, implementation quality, maintenance signals, and overall trust score.
• One-click pull request inspection: Scan pull requests directly from GitHub pages when available. If the full PR diff cannot be read from the page, the extension provides a manual paste fallback.
• File-level inspection: Inspect individual GitHub files directly from the side panel, including package.json, workflow files, lockfiles, MCP configs, agent configs, and general source files.
• Package and dependency risk checks: Review package scripts and dependency-related signals such as postinstall, preinstall, install, prepare scripts, suspicious lifecycle behavior, and risky shell execution patterns.
• GitHub Actions workflow risk checks: Detect risky GitHub Actions patterns, including pull_request_target usage, broad permissions, secrets usage, unpinned actions, suspicious shell commands, and potentially dangerous CI behavior.
• MCP and agent config checks: Review MCP server configs, Claude/Cursor/Cline-style agent files, and tool descriptions for risky command access, suspicious endpoints, prompt-injection-like text, and overly permissive behavior.
• Hidden Unicode detection: Detect invisible or suspicious Unicode characters that may hide misleading code behavior.
• Secrets-like pattern detection: Flag common token and credential-like patterns such as API keys, private keys, GitHub tokens, cloud keys, Slack tokens, and password-shaped strings.
• Suspicious command detection: Flag risky command patterns such as eval-like behavior, curl | bash, wget | sh, PowerShell IEX, shell download execution, and other potentially dangerous code execution patterns.
• AI-code signal detection: Identify common AI-generated code signals, incomplete implementation patterns, placeholder-heavy code, and mismatches between documentation and actual source files.
• Safe Signals: Highlight positive engineering signals when detected, such as no obvious secrets, no hidden Unicode, lockfile presence, security files, or safer workflow patterns.
• Copyable Markdown reports: Copy a clean Markdown inspection report for PR review, documentation, or collaboration.

Privacy and security:

GitHub AI Code Inspector runs inspection logic locally in your browser. No external AI API is required. Pasted diffs are analyzed locally. Repository code is not sent to third-party AI services. No GitHub OAuth is required. The extension does not request repo write permissions and does not automatically comment on pull requests.

For public GitHub pages, the extension can work without a GitHub token. An optional GitHub token may be added only to improve GitHub API access or rate limits where supported. If provided, the token is stored in Chrome storage and used only for requests to GitHub API endpoints.

Important limitations:

GitHub AI Code Inspector is a developer assistance tool. It does not replace manual code review, security review, dependency auditing, or professional security assessment. It provides heuristic risk signals and recommendations, but it cannot guarantee that every issue or vulnerability will be detected. Some repository scans may be partial depending on what GitHub page data is visible or accessible.

Best used for:

• Reviewing AI-generated GitHub projects
• Checking repositories before cloning or running them
• Inspecting pull requests before merge
• Reviewing package.json and dependency scripts
• Checking GitHub Actions workflows
• Reviewing MCP and agent configuration files
• Finding README and implementation mismatches
• Spotting risky package scripts or workflow changes
• Creating lightweight Markdown audit reports

Built by Catalayer.
5 out of 5 (1 rating)
Details
- Version: 0.3.0
- Updated: May 7, 2026
- Size: 99.01KiB
- Languages: English
- Developer: BOTTER GOAT LLC, 30 N Gould St Ste R, Sheridan, WY 82801 US
- Email: bigbossjia@gmail.com
- Phone: +1 347-231-7643
- Trader: This developer has identified itself as a trader per the definition from the European Union and committed to only offer products or services that comply with EU laws.
- D-U-N-S: 142235762
Privacy
This developer declares that your data is:
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site.