ClaudeRabbit
AIdhirajSingh/clauderabbit
A security product for open source

Open source ships malware, too.

ClaudeRabbit is a free, open-source security product for the developer community. Paste any public GitHub repo and we clone it into an isolated sandbox, run it for real, and hand back one honest safety score: what the project is, what it did when we ran it, and what we could not verify.

Free and open source. No account needed — sign in only to save your history.
Lowest scores on record

The danger board

The lowest-scoring repositories we’ve flagged, named and ranked as they change.

Nothing caught yet.
The board lists only repos we’ve flagged scoring low. Real catches appear here as they land.

We protect the world from open-source malware.

ClaudeRabbit is a real security product — free and open-source — with one mission: protect the world from open-source malware, and grow from there toward cybersecurity more broadly. We start where the threat is most personal: the developers who clone and run unknown code every day. A repo or package can run hostile code the moment you install it, draining GitHub tokens, cloud keys, and crypto wallets before a build even finishes. More than 454,600 new malicious open-source packages appeared in 2025 — up 75% in a year — and the attacks that matter carry no CVE at all; they only exist at runtime. So we run the code: every scan clones the repo into a disposable, isolated sandbox, executes it, and watches what it actually does.

It is a public good. Every scan we finish becomes a permanent public report, growing a shared, vetted-repo database that belongs to the whole community — never locked behind a paywall. Signing in only saves your history and adds to that shared record; it never buys you more.

01. Cloning a tutorial
You found a repo on a forum and you are about to npm install. We run it in a sandbox and hand back an honest score in seconds.
02. Vetting a dependency
A library looks useful but the owner is unfamiliar. We surface what it does at install time and whether the account is real.
03. The take-home task
A recruiter sent a repo to clone and run — the oldest trick in the book. We run it in a sandbox and report exactly what it tried to do.
04. Agents that clone and run
Autonomous coding agents pull and execute code with no human watching. A scan is the guardrail before they run.

Use it everywhere you already work.

The web report is one surface. ClaudeRabbit also ships as an MCP server and a CLI, so the same honest, evidence-backed verdict is one call away — from an AI coding tool, a terminal, or a pre-install hook — without ever leaving where you already are.

MCP server
Give any MCP-compatible AI coding tool — Claude Code, Claude Desktop, and others — a safety check before it installs or runs anything. One cache-aware scan tool: already-scanned repos return instantly, new ones get a real scan. No API key, but a free ClaudeRabbit account is required.
claude mcp add clauderabbit -- npx clauderabbit-mcp
CLI
Run the same cache-aware scan from a terminal, or wire it in as an opt-in shell hook that checks a repo or package before npm install / pnpm install / git clone actually run. Never a bare “Safe” — always the score, the verdict, and what was and wasn’t verified.
npx clauderabbit scan owner/repo