Transparent rule-based GitHub fake-star detector — LOW/MEDIUM/HIGH with per-rule evidence.
Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "fake-star-audit": {
      "args": [
        "fake-star-audit"
      ],
      "command": "uvx"
    }
  }
}
No known CVEs.
Checked fake-star-audit against OSV.dev.
A transparent, dependency-free GitHub fake-star checker. One Python file, no
token, no install — point it at a repo and get a LOW / MEDIUM / HIGH
risk verdict with every rule explained.
$ python3 audit.py --repo someowner/somerepo
🔴 someowner/somerepo — risk: HIGH
422★ / 0 forks / age 66.9h
windows: earliest=100, latest=22
axes: page1_sliding_window, sequential_id_cluster, same_second_cluster
[FLAG] page1_sliding_window earliest: BURST: 100 stars in 0.55h (~183 stars/h)
[FLAG] sequential_id_cluster earliest: 4+ time-consecutive stargazers within id range <200k
[FLAG] same_second_cluster earliest: max 4 stars within a 30s window
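The three axes flagged in the output above can be sketched as follows. This is an added example, not the project's audit.py: the function names, the thresholds and the stargazer data are assumptions constructed here, and only the rule names and the "<200k" and "30s" figures come from the sample output.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds, picked to echo the sample output; not taken from audit.py.
BURST_PER_HOUR, ID_RANGE, ID_RUN, WINDOW_S, WINDOW_MIN = 50.0, 200_000, 4, 30, 4

def burst_rate(events):
    """Stars per hour over one window of (starred_at, account_id) events."""
    times = sorted(t for t, _ in events)
    if len(times) < 2:
        return 0.0
    hours = (times[-1] - times[0]).total_seconds() / 3600
    return len(times) / hours if hours else float("inf")

def longest_id_run(events, id_range=ID_RANGE):
    """Longest run of time-consecutive stargazers whose ids span < id_range."""
    ids = [uid for _, uid in sorted(events)]
    best = 0
    for i in range(len(ids)):
        lo = hi = ids[i]
        j = i
        while j < len(ids):
            lo, hi = min(lo, ids[j]), max(hi, ids[j])
            if hi - lo >= id_range:
                break
            j += 1
        best = max(best, j - i)
    return best

def max_in_window(events, seconds=WINDOW_S):
    """Largest number of stars falling inside any `seconds`-long interval."""
    times = sorted(t for t, _ in events)
    best = left = 0
    for right, t in enumerate(times):
        while (t - times[left]).total_seconds() > seconds:
            left += 1
        best = max(best, right - left + 1)
    return best

def audit_window(events):
    """Return the rule names (as printed in the sample output) that fire."""
    checks = [("page1_sliding_window", burst_rate(events) >= BURST_PER_HOUR),
              ("sequential_id_cluster", longest_id_run(events) >= ID_RUN),
              ("same_second_cluster", max_in_window(events) >= WINDOW_MIN)]
    return [name for name, hit in checks if hit]

# Constructed sample data: a 100-star burst with clustered ids vs. slow, scattered growth.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
burst = [(T0 + timedelta(seconds=10 * i), 170_000_000 + 1_000 * i) for i in range(100)]
organic = [(T0 + timedelta(hours=6 * i), 1_000 + (i * 7_919_993) % 150_000_000) for i in range(100)]
```

Calling `audit_window(burst)` fires all three rules, while `audit_window(organic)` returns an empty list.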
GitHub stars are used as a proxy for trust — by investors doing due-diligence, by engineers picking dependencies, by recruiters reading résumés. But there is a paid market for fake stars: bot accounts and "star farms" inflate a repo to look popular. (See the CMU study estimating millions of suspected fake stars.)
fake-star-audit gives you a fast, explainable gut-check: is this repo's
star count believable?
There are already excellent fake-star tools — see How it compares. This one is deliberately the smallest, most portable option:
pip install.
GITHUB_TOKEN or any environment variable, and never writes files.
audit.py anywhere and run it.

It is not trying to replace at-scale academic crawlers or full due-diligence suites. It's the dependency-free, AI-friendly first look.
# no install needed — just the one file
python3 audit.py --repo facebook/react
python3 audit.py --repo facebook/react --json # machine-readable
Or install from PyPI (pip install fake-star-audit) and run the
fake-star-audit-cli command. Note: the bare fake-star-audit command is the
MCP server (see below), not the CLI.
Drop the skill/ folder into ~/.claude/skills/ (see skill/SKILL.md),
then in Claude Code:
You: is github.com/someowner/somerepo fake-starred?
Claude: HIGH risk — 100 stars landed in the first 33 minutes after the repo was created, with near-sequential account IDs. That's a bootstrap injection pattern, not organic growth.
An optional MCP wrapper exposes the audit as
the audit_repo tool. It runs over stdio — your MCP client launches it as a
local subprocess; it opens no network server and reads no environment variables.
Easiest — via the package (uvx). Published on PyPI as fake-star-audit
and in the MCP Registry as
io.github.ardev-lab/fake-star-audit. Register it with your client, e.g. Claude
Desktop's claude_desktop_config.json:
{
  "mcpServers": {
    "fake-star-audit": {
      "command": "uvx",
      "args": ["fake-star-audit"]
    }
  }
}
From a local checkout. Requires Python 3.10+ and the mcp package (the core
audit.py itself needs neither):
pip install -r requirements.txt # installs `mcp`
{
  "mcpServers": {
    "fake-star-audit": {
      "command": "python3",
      "args": ["/absolute/path/to/fake-star-audit/mcp_server.py"]
    }
  }
}
Now ask your assistant "audit the stars on owner/repo" and it will call the
audit_repo tool.
The tool inspects two windows of stargazers