Security: stephenywilson/GitHub-AI-Code-Inspector

SECURITY.md

Security Policy

What This Extension Does

GitHub AI Code Inspector reads public GitHub repository files via the GitHub public API to perform local, rule-based analysis. It does not:

  • Send your data to any server
  • Require authentication or credentials
  • Access private repositories
  • Use AI APIs, cloud processing, or external analytics
  • Store or transmit any browsing data

All computation happens in your browser.

What It Does Not Do

This tool is not a security scanner. It cannot:

  • Detect sophisticated malware or obfuscated exploits
  • Execute code in a sandbox
  • Replace a professional security audit
  • Guarantee that a flagged repo is malicious, or that a clean-scored repo is safe

All findings should be treated as signals for human review, not verdicts.

Supported Versions

Version   Supported
0.1.x     Yes

Reporting Vulnerabilities

If you discover a security issue in the extension itself (for example, a way a malicious GitHub page could exploit the extension), please open an issue on GitHub with the security label and the details.

Do not report security issues in scanned repositories as vulnerabilities in this project.

Safe Use Recommendations

  • Never run code from an unknown repository with real credentials or in a production environment.
  • Use a sandboxed environment (VM, Docker, isolated machine) for first-run testing of unfamiliar code.
  • The presence of a postinstall/preinstall script in package.json means code runs automatically on npm install. Review it before installing.
  • A committed .env file may contain real credentials. Do not copy or use them.
  • curl | bash and similar patterns in setup scripts execute remote code. Audit before running.
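The three file-level signals above (install-time npm scripts, a committed .env with real values, and a remote script piped to a shell) are the kind of rule-based checks that can run entirely in the browser. The following is an added example, not the extension's own code: rule ids, the file-matching patterns and the sample repository contents are assumptions chosen for illustration.

```javascript
// Added example, not the extension's code: local, rule-based checks over
// repository files. Each rule yields a finding for human review; nothing is
// executed or transmitted. Rule ids and file patterns are assumptions.
const RULES = [
  { id: 'npm-lifecycle-script', file: 'package.json',
    check(text) {
      let pkg;
      try { pkg = JSON.parse(text); } catch { return null; } // unparsable package.json: no signal
      const scripts = (pkg && pkg.scripts) || {};
      const hits = ['preinstall', 'install', 'postinstall'].filter((k) => k in scripts);
      return hits.length ? `runs on npm install: ${hits.join(', ')}` : null;
    },
  },
  { id: 'committed-dotenv', file: '.env',
    check(text) {
      // KEY=value lines with a non-empty value suggest real secrets were committed
      const assigned = text.split('\n').filter((l) => /^\w+=.+/.test(l.trim()));
      return assigned.length ? `${assigned.length} assigned variable(s) in committed .env` : null;
    },
  },
  { id: 'pipe-to-shell', file: /\.(sh|bash)$|^(install|setup)\b/i,
    check(text) {
      // curl/wget output piped straight into sh or bash (optionally via sudo)
      const m = text.match(/\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b/);
      return m ? `remote script piped to a shell: ${m[0].trim()}` : null;
    },
  },
];

// files maps path -> content; findings come back in file order and are signals, not verdicts.
function inspectRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const rule of RULES) {
      const applies = rule.file instanceof RegExp ? rule.file.test(path) : path === rule.file;
      if (!applies) continue;
      const detail = rule.check(text);
      if (detail) findings.push({ path, rule: rule.id, detail });
    }
  }
  return findings;
}

// Constructed sample repository for the demo (not a real project).
const SAMPLE_REPO = {
  'package.json': JSON.stringify({ scripts: { postinstall: 'node setup.js', test: 'jest' } }),
  '.env': 'API_KEY=sk_live_example_value\nDEBUG=\n',
  'setup.sh': '#!/bin/sh\ncurl -fsSL https://example.invalid/install.sh | sh\n',
  'README.md': '# demo\n',
};
```

Running inspectRepo(SAMPLE_REPO) yields one finding per flagged file, while a repository with only a test script, an empty .env value and a plain setup script yields none.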

Permissions

The extension requests minimal permissions:

  • storage — reserved for optional GitHub token in a future version
  • activeTab — communicate with the current GitHub tab from the popup
  • https://api.github.com/* — GitHub REST API access (public endpoints only)
  • https://raw.githubusercontent.com/* — raw file content fetching (public repos only)
