from Hacker News

Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps

by artski on 5/12/25, 12:59 PM with 72 comments

When I came across a study that traced 4.5 million fake GitHub stars, it confirmed a suspicion I’d had for a while: stars are noisy. The issue is they’re visible, they’re persuasive, and they still shape hiring decisions, VC term sheets, and dependency choices—but they say very little about actual quality.

I wrote StarGuard to put that number in perspective based on my own methodology inspired with what they did and to fold a broader supply-chain check into one command-line run.

It starts with the simplest raw input: every starred_at timestamp GitHub will give. It applies a median-absolute-deviation test to locate sudden bursts. For each spike, StarGuard pulls a random sample of the accounts behind it and asks: how old is the user? Any followers? Any contribution history? Still using the default avatar? From that, it computes a Fake Star Index, between 0 (organic) and 1 (fully synthetic).

But inflated stars are just one issue. In parallel, StarGuard parses dependency manifests or SBOMs and flags common risk signs: unpinned versions, direct Git URLs, lookalike package names. It also scans licences—AGPL sneaking into a repo claiming MIT, or other inconsistencies that can turn into compliance headaches.

It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged. It skims for obvious code red flags: eval calls, minified blobs, sketchy install scripts—because sometimes the problem is hiding in plain sight.

All of this feeds into a weighted scoring model. The final Trust Score (0–100) reflects repo health at a glance, with direct penalties for fake-star behaviour, so a pretty README badge can’t hide inorganic hype.

I added for the fun of it it generating a cool little badge for the trust score lol.

Under the hood, its all uses, heuristics, and a lot of GitHub API paging. Run it on any public repo with:

python starguard.py owner/repo --format markdown It works without a token, but you’ll hit rate limits sooner.

Please provide any feedback you can.

  • by the__alchemist on 5/12/25, 4:09 PM

    > It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged.

    IMO this is a slight green flag; not red.

  • by coffeeboy on 5/12/25, 7:25 PM

    Very nice! I'm personally looking into bot account detection for my own service and have come up with very similar heuristics (albeit simpler ones since I'm doing this at scale) so I will provide some additional ones that I have discovered:

    1. Fork to stars ratio. I've noticed that several of the "bot" repos have the same number of forks as stars (or rather, most ratios are above 0.5). Typically a project doesn't have nearly as many forks as stars.

    2. Fake repo owners clone real projects and push them directly to their account (not fork) and impersonate the real project to try and make their account look real.

    Example bot account with both strategies employed: https://github.com/algariis

  • by hungryhobbit on 5/12/25, 3:03 PM

    Dependencies: PyPI, Maven, Go, Ruby

    This looks like a cool project, but why on earth would it need Python, Java, Go, AND Ruby?

  • by catboybotnet on 5/13/25, 3:14 AM

    Why care about stars in the first place? Github is a repo of source repos, using it like social media is pretty silly. If I like a project, it goes into a folder in my bookmarks, that's the 'star' everyone should use. For VCs? What, are you looking to make an open source todo app into a multi million dollar B2B SaaS? VCs are the almighty gods of the world, and us humble peons do not need to lend our assistance into helping them lose money :-)

    Outside of that, neat project.

  • by ngangaga on 5/12/25, 8:47 PM

    > they still shape hiring decisions, VC term sheets, and dependency choices

    This is nuts to me. A star is a "like". It has carries no signal of quality and even its popularity proxy is quite weak. I can't remember the last time I looked at stars and considered them meaningful.

  • by Yiling-J on 5/13/25, 2:03 AM

    It would be interesting if there were an AI tool to analyze the growth pattern of an OSS project. The tool should work based on star info from the GitHub API and perform some web searches based on that info.

    For example: the project gets 1,000 stars on 2024-07-23 because it was posted on Hacker News and received 100 comments (<link>). Below is the static info of stargazers during this period: ...

  • by knowitnone on 5/12/25, 4:12 PM

    Great idea. This should be done by Github though. I'm surprised Github hasn't been sued for serving malware.

  • by binary132 on 5/12/25, 6:34 PM

    I approve! It would be cool to have customizable and transparent heuristics. That way if you know for example that a burst of stars was organic, or you don’t care and want to look at other metrics, you can, or you can at least see a report that explains the reasoning.

  • by feverzsj on 5/12/25, 5:43 PM

    CTOs don't care about github stars. They are behind tons of screening processes.

  • by zxilly on 5/12/25, 9:00 PM

    Frankly, I think this program is ai generated.

    1. there are hallucinatory descriptions in the Readme (make test), and also in the code, such as the rate limit set at line 158, which is the wrong number

    2. all commits are done on github webui, checking the signature confirms this

    3. too verbose function names and a 2000 line python file

    I don't have a complaint about ai, but the code quality clearly needs improvement, the license only lists a few common examples, the thresholds for detection seem to be set randomly, _get_stargazers_graphql the entire function is commented out and performs no action, it says "Currently bypassed by get_ stargazers", did you generate the code without even reading through it?

    Bad code like this gets over 100stars, it seems like you're doing a satirical fake-star performance art.

  • by Am4TIfIsER0ppos on 5/12/25, 3:37 PM

    What is a license trap? This "AGPL sneaking into a repo claiming MIT"? Isn't that just a plain old license violation?

  • by sesm on 5/12/25, 11:05 PM

    How does it differentiate between organic (like project posted on HN) and inorganic star spikes?

  • by nfriedly on 5/12/25, 6:43 PM

    I love the idea! How feasible would it be to turn it into a browser extension?

  • by edoceo on 5/12/25, 4:18 PM

    Could you add support for PHP via package.json? Accept patch?

  • by nottorp on 5/12/25, 3:19 PM

    Of course, github could just drop the stars, but everything has to entshittify towards "engagement" and add social network features.

    Or users could ignore the stars and go old school and you know, research their dependencies before they rely on them.