scan_bounty
Checks whether a GitHub repository's bounty is legitimate, producing a 0–5 security score so that potential scams can be identified before engagement.
Instructions
Anti-scam scanner — checks if a GitHub repo's bounty is legitimate (0-5 score)
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| repo | Yes | GitHub owner/repo (e.g. Expensify/App) |
Implementation Reference
- src/index.ts:436-444 (handler) The tool handler for "scan_bounty", which calls the scanRepo helper function.
case "scan_bounty": {
  // Tool handler for "scan_bounty": delegates to scanRepo and renders its ScamScore as text.
  // NOTE(review): `repo` is read straight from the tool arguments through an `as any` cast,
  // so nothing in this arm checks that it is a string or an `owner/name` pair before
  // scanRepo interpolates it into GitHub API paths (`repos/${repo}` in the helper excerpt).
  // TODO confirm whether ghApi or scanRepo validates the value; a shape check here would
  // bound what reaches the API, and `args` should be typed rather than cast to `any`.
  const result = scanRepo((args as any).repo);
  // Single text content item. " None" is the fallback when a flag list is empty, because
  // `join` on an empty array yields "" and the `||` then selects the placeholder.
  return { content: [{ type: "text", text: `BOUNTY SCAN: ${result.repo}\nScore: ${result.score}/5 — ${result.verdict}\n\nRed Flags:\n${result.red_flags.map((f) => ` - ${f}`).join("\n") || " None"}\n\nGreen Flags:\n${result.green_flags.map((f) => ` + ${f}`).join("\n") || " None"}`, }], };
}
- src/index.ts:162-220 (helper)The implementation of scanRepo that performs the bounty scanning logic.
function scanRepo(repo: string): ScamScore { const db = loadDB(); // Check known lists if (db.scam_list.includes(repo)) { return { repo, score: 0, verdict: "KNOWN SCAM", red_flags: ["In known scam list"], green_flags: [], }; } if (db.legit_list.includes(repo)) { return { repo, score: 5, verdict: "KNOWN LEGIT", red_flags: [], green_flags: ["In known legit list"], }; } let score = 3; // Start neutral const red_flags: string[] = []; const green_flags: string[] = []; // Check repo data const repoData = ghApi(`repos/${repo}`); if (!repoData) { return { repo, score: 1, verdict: "CANNOT VERIFY", red_flags: ["Repo not accessible"], green_flags: [] }; } const data = JSON.parse(repoData); // Stars if (data.stargazers_count > 100) { score++; green_flags.push(`${data.stargazers_count} stars`); } if (data.stargazers_count < 5) { score--; red_flags.push(`Only ${data.stargazers_count} stars`); } // Age const created = new Date(data.created_at); const ageMonths = (Date.now() - created.getTime()) / (30 * 24 * 60 * 60 * 1000); if (ageMonths < 1) { score--; red_flags.push("Repo created less than 1 month ago"); } if (ageMonths > 12) { green_flags.push(`Repo age: ${Math.floor(ageMonths)} months`); } // Forks if (data.forks_count > 10) { green_flags.push(`${data.forks_count} forks`); } // Organization if (data.owner?.type === "Organization") { score++; green_flags.push("Owned by organization"); } // Check closed PRs without merging const closedPRs = ghApi(`repos/${repo}/pulls?state=closed&per_page=20`); if (closedPRs) { const prs = JSON.parse(closedPRs); const closedNotMerged = prs.filter((p: any) => !p.merged_at).length; if (closedNotMerged > 15) { score--; red_flags.push(`${closedNotMerged}/20 PRs closed without merge — possible bounty bait`); - src/index.ts:295-305 (registration)The MCP tool definition/registration for "scan_bounty".
{
  // MCP tool registration for "scan_bounty"; the handler excerpt above consumes `repo`.
  name: "scan_bounty",
  description: "Anti-scam scanner — checks if a GitHub repo's bounty is legitimate (0-5 score)",
  inputSchema: {
    type: "object" as const,
    required: ["repo"],
    properties: {
      // `repo` is declared as a free-form string: the schema carries no `pattern` (or length
      // bound) restricting it to an owner/name pair, so the handler receives whatever the
      // caller sends. NOTE(review): a `pattern` such as `^[^/]+/[^/]+$` (constructed example)
      // would reject malformed values at the schema layer — assuming the MCP client enforces
      // the schema, which is not guaranteed, so the handler still needs its own check.
      repo: { type: "string", description: "GitHub owner/repo (e.g. Expensify/App)" },
    },
  },
},