Is it safe to clone any GitHub repository?

Cloning by itself only downloads files, but anything you do next — installing dependencies, opening the folder in your IDE, or pointing an AI agent at it — can execute code from the repo. Treat every unknown repo as untrusted code until you have inspected it.

What is the most common way malicious GitHub repos attack you?

npm and pip lifecycle scripts (preinstall, install, postinstall, prepare) that run automatically during dependency installation, plus VS Code workspace tasks and devcontainers that execute on folder open.

How do I check a GitHub repo before cloning it?

Inspect lifecycle scripts in package.json, .vscode/ and .devcontainer/ files, AI-agent instruction files (AGENTS.md, .cursorrules, CLAUDE.md, copilot-instructions.md), MCP server configs, and CI workflows that reference unpinned third-party actions. RepoPreflight scans these signals automatically.

Guide · Repository safety

Is it safe to clone GitHub repositories? How to check for malicious code

A practical guide to the real risks of cloning unknown GitHub repositories — install scripts, workspace tasks, AI-agent instructions and MCP servers — and how to check a repo before you run it.

Is GitHub itself safe?

GitHub the platform is safe. Individual repositories on it are not — they are arbitrary code written by anyone. The risk is not downloading a repo, it is what happens the moment you do something with it: npm install, opening the folder in VS Code, or letting Cursor / Claude Code / Copilot read its instruction files.

What can actually execute when you "just clone" a repo?

Install lifecycle scripts. preinstall, install, postinstall and prepare in package.json run automatically during npm install / bun install / yarn install. Same for Python (setup.py, build hooks) and many other ecosystems.
VS Code workspace tasks & devcontainers. Files in .vscode/ and .devcontainer/ can auto-run commands when you open the folder, especially in Codespaces or "Reopen in Container".
AI-agent instruction files. AGENTS.md, .cursorrules, .windsurfrules, CLAUDE.md and .github/copilot-instructions.mdare read as authoritative instructions by Cursor, Claude Code, Windsurf and Copilot. A hostile repo can prompt-inject your agent into exfiltrating env vars or running scripts.
MCP server configs. mcp.json / mcp.yaml entries that launch a raw shell give an AI agent shell-level access on your machine.
CI workflows with unpinned actions. uses: some/action@main in .github/workflows/ ties your CI to a moving target — a classic supply-chain hijack.

How to check a repo before you run it

Open package.json and read the scripts block end-to-end. Anything that pipes curl into a shell, runs node -e, or base64-decodes a payload is a red flag.
List .vscode/ and .devcontainer/. Treat tasks.json, launch.json and devcontainer.json as untrusted scripts.
Read every AI-agent instruction file in the repo before letting Cursor / Claude / Copilot open the folder.
Check repo maturity — age, number of contributors, releases, and last commit date. Brand-new single-author repos are higher risk than long-lived multi-contributor projects.
Install with --ignore-scripts the first time, or in a sandboxed container.

How RepoPreflight automates the check

Paste a GitHub URL into RepoPreflight and it pulls the public files above, scores each risk dimension (workspace execution, install scripts, AI-agent risk, MCP risk, CI/CD pinning), and returns a trust report plus a public-reputation summary in seconds. No clone, no install.

Results are heuristic and based only on what is publicly visible — they are a fast pre-clone signal, not a substitute for reading the code yourself for anything you are going to trust with secrets or production access.

Try it

Run a preflight check on any public GitHub repo.