Scan a GitHub or GitLab repository for security issues before installing it as a skill, tool, or MCP server. Use when the user wants to check, vet, scan, or review a repository for safety before installation. Detects hardcoded secrets, known CVEs, supply chain risks, and build provenance.
HoneyBadger is a security scanner for software plugins. Before anything gets installed on your family server or development machine, HoneyBadger checks it.
HoneyBadger don't care. HoneyBadger checks anyway.
Use this skill when the user:
The honeybadger binary must be in PATH. If not installed:
go install github.com/famclaw/honeybadger/cmd/honeybadger@latest
Basic scan (default: family paranoia level):
honeybadger scan <repo-url> --format text
With specific paranoia level:
honeybadger scan <repo-url> --paranoia minimal|family|strict|paranoid --format text
For update verification (rug-pull detection):
honeybadger scan <repo-url> --installed-sha <sha256-of-installed-archive>
Exit codes: 0=PASS, 1=WARN, 2=FAIL, 3=scan error
With --format text: human-readable summary.
With --format ndjson: one JSON event per line. The final line ("type":"result") contains the verdict and reasoning.
Always show the verdict and reasoning to the user.
If verdict is WARN or FAIL, quote the key_finding field.
If verdict is FAIL, tell the user not to install.
User: "Is github.com/some-user/some-skill safe to install?"
honeybadger scan github.com/some-user/some-skill --format text
Report the verdict and reasoning to the user in plain language.
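A wrapper that applies the exit-code and ndjson rules above (final "type":"result" event, key_finding quoted on WARN/FAIL, refuse on FAIL or scan error). This is an added example, not HoneyBadger's own code; the sample event stream is constructed, and any event fields beyond "type", "verdict", "reasoning" and "key_finding" are assumptions.

```python
"""Apply the HoneyBadger verdict policy to `honeybadger scan --format ndjson`.
Added example, not part of HoneyBadger; field names other than type,
verdict, reasoning and key_finding are assumptions."""
import json
import subprocess

# Exit codes as documented: 0=PASS, 1=WARN, 2=FAIL, 3=scan error
EXIT_VERDICTS = {0: "PASS", 1: "WARN", 2: "FAIL"}
SEVERITY = {"PASS": 0, "WARN": 1, "FAIL": 2}

def parse_result(ndjson_text):
    """Return the last {"type": "result"} event in the stream, or None."""
    result = None
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip any non-JSON noise mixed into the stream
        if isinstance(event, dict) and event.get("type") == "result":
            result = event
    return result

def decide(exit_code, result):
    """Return (install_ok, message) following the policy in the text."""
    if exit_code == 3 or result is None:
        return False, "scan error: no result event, do not install until a scan completes"
    verdict = result.get("verdict", "FAIL")
    expected = EXIT_VERDICTS.get(exit_code, "FAIL")
    # Exit code and result event should agree; if they do not, take the worse one
    if SEVERITY.get(verdict, 2) < SEVERITY.get(expected, 2):
        verdict = expected
    message = f"{verdict}: {result.get('reasoning', '(no reasoning given)')}"
    if verdict == "PASS":
        return True, message
    message += f" | key_finding: {result.get('key_finding', '(none)')}"
    if verdict == "WARN":
        return True, message
    return False, message + " | do not install"

def scan(repo_url, paranoia="family"):
    """Run the scanner and return (install_ok, message)."""
    proc = subprocess.run(
        ["honeybadger", "scan", repo_url, "--paranoia", paranoia, "--format", "ndjson"],
        capture_output=True, text=True)
    return decide(proc.returncode, parse_result(proc.stdout))

if __name__ == "__main__":
    # Constructed stream standing in for real scanner output
    sample = ('{"type":"finding","severity":"high","detail":"hardcoded token"}\n'
              '{"type":"result","verdict":"FAIL","reasoning":"hardcoded secret",'
              '"key_finding":"token in config.yaml"}\n')
    print(decide(2, parse_result(sample)))
```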