Legion Health (YC S21) Is Hiring Founding Engineers to Fix Mental Health with AI (workatastartup.com)

When I came across a study that traced 4.5 million fake GitHub stars, it confirmed a suspicion I’d had for a while: stars are noisy. The issue is they’re visible, they’re persuasive, and they still shape hiring decisions, VC term sheets, and dependency choices—but they say very little about actual quality.

I wrote StarGuard to put that number in perspective based on my own methodology inspired with what they did and to fold a broader supply-chain check into one command-line run.

It starts with the simplest raw input: every starred_at timestamp GitHub will give. It applies a median-absolute-deviation test to locate sudden bursts. For each spike, StarGuard pulls a random sample of the accounts behind it and asks: how old is the user? Any followers? Any contribution history? Still using the default avatar? From that, it computes a Fake Star Index, between 0 (organic) and 1 (fully synthetic).

But inflated stars are just one issue. In parallel, StarGuard parses dependency manifests or SBOMs and flags common risk signs: unpinned versions, direct Git URLs, lookalike package names. It also scans licences—AGPL sneaking into a repo claiming MIT, or other inconsistencies that can turn into compliance headaches.

It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged. It skims for obvious code red flags: eval calls, minified blobs, sketchy install scripts—because sometimes the problem is hiding in plain sight.

All of this feeds into a weighted scoring model. The final Trust Score (0–100) reflects repo health at a glance, with direct penalties for fake-star behaviour, so a pretty README badge can’t hide inorganic hype.

I added for the fun of it it generating a cool little badge for the trust score lol.

Under the hood, its all uses, heuristics, and a lot of GitHub API paging. Run it on any public repo with:

python starguard.py owner/repo --format markdown It works without a token, but you’ll hit rate limits sooner.

Please provide any feedback you can.

Comments (23)

the__alchemist · 1h ago

> It checks contributor patterns too. If 90% of commits come from one person who hasn’t pushed in months, that’s flagged.

IMO this is a slight green flag; not red.

sethops1 · 1h ago

I have to agree - the highest quality libraries in my experience are the ones maintained that one dedicated person as their pet project. There's no glory, no money, no large community, no Twitter followers - just a person with a problem to solve and making the solution open source for the benefit of others.

artski · 1h ago

Fair take—it's definitely context-dependent. In some cases, solo-maintainer projects can be great, especially if they’re stable or purpose-built. But from a trust and maintenance standpoint, it’s worth flagging as a signal: if 90% of commits are from one person who’s now inactive, it could mean slow responses to bugs or no updates for security issues. Doesn’t mean the project is bad—just something to consider alongside other factors.

Heuristics are never perfect and it's all iterative but it's all about understanding the underlying assumptions and taking the knowledge you get out of it with your own context. Probably could enhance it slightly by a run through an LLM with a prompt but I prefer to keep things purely statistical for now.

mlhpdx · 2m ago

The signal here is how many unpatched vulnerabilities there are maybe multiplied by how long they’ve been out there. Purely statistical. And an actual signal.

85392_school · 1h ago

It could also mean that the project is stable. Since you only look at the one repository's commit activity, a stable project with a maintainer who's still active on GitHub in other places would be "less trustworthy" than a project that's a work in progress.

No comments yet

delfinom · 1h ago

The problem is your audience is:

> CTOs, security teams, and VCs automate open-source due diligence in seconds.

The people that probably have less brain cells than the average programmer to understand the nuance in the flagging.

artski · 59m ago

Lol yeah tbh - I just made it without really thinking of an audience, just was looking for a project to work on till I saw the paper and figured it would be cool to check it out on some repositories out there. That part is just me asking gpt to make the read me better.

lispisok · 1h ago

It's gonna flag most of the clojure ecosystem

nottorp · 2h ago

Of course, github could just drop the stars, but everything has to entshittify towards "engagement" and add social network features.

Or users could ignore the stars and go old school and you know, research their dependencies before they rely on them.

Vanclief · 1h ago

Stars are just a signal. When I am looking at multiple libraries that do the same, I am going to trust more a repo with 200 starts that one with 0. Its not perfect, but I don't have the time to go through the entire codebase and try it out. If the repo works for me I will star it to contribute to the signal.

shlomo_z · 1h ago

If that works for you, great. I don't do that. I don't even check how many stars it has.

I check the docs, features, and sometimes the code quality. Sometimes I check the date of the last commit.

benwilber0 · 23m ago

Github was a "social network" from its very beginning. The whole premise was geared around git hosting and "social coding". I don't think it became enshittified later since that was the entire value proposition from day 1.

nottorp · 15m ago

Funny, I'm pretty sure I paid them just so I don't have to maintain my own git hosting.

I never even noticed the stupid stars until they started being mentioned on HN.

knowitnone · 1h ago

Great idea. This should be done by Github though. I'm surprised Github hasn't been sued for serving malware.

swyx · 40m ago

> I'm surprised Github hasn't been sued for serving malware.

do you want a world where people can randomly sue you for any random damages they suffer or do you want nice things like free code hosting?

artski · 1h ago

Yeah to be fair would be great, sometimes just giving a nudge and showing people want these features is the first step to getting an official integration.

hungryhobbit · 2h ago

Dependencies: PyPI, Maven, Go, Ruby

This looks like a cool project, but why on earth would it need Python, Java, Go, AND Ruby?

deltaknight · 2h ago

I think these are just the package managers that it supports parsing dependencies for. The actual script seems to just be a single python file.

It does seem like the repo is missing some files though; make is mentioned in the README but no makefile and no list of python dependencies for the script that I can see.

artski · 2h ago

Yeah to be fair I need to clean it up, was stuck in the testing diff strategies and making it work and just wanted to get feedback asap before moving on to the next step (didn't want to spend too much time on something and turns out I was wrong about something badly) - next step is to get it all cleaned up.

27theo · 2h ago

It doesn't need them, it parses SBOMs and manifests from their ecosystems. I think you misunderstood this section of the README.

> Dependencies | SBOM / manifest parsing across npm, PyPI, Maven, Go, Ruby; flags unpinned, shadow, or non-registry deps.

The project seems like it only requires Python >= 3.9!

edoceo · 1h ago

Could you add support for PHP via package.json? Accept patch?

Am4TIfIsER0ppos · 1h ago

What is a license trap? This "AGPL sneaking into a repo claiming MIT"? Isn't that just a plain old license violation?

artski · 1h ago

Basically what I mean by it is for example a repository appears to be under a permissive license like MIT, Apache, or BSD, but actually includes code that’s governed by a much stricter or viral license—like GPL or AGPL—often buried in a subdirectory, dependency, or embedded snippet. The problem is, if you reuse or build on that code assuming it’s fully permissive, you could end up violating the terms of the stricter license without realising it. It’s a trap because the original authors might have mixed incompatible licenses, knowingly or not, and the legal risk then falls on downstream users. So yeah essentially a plain old license violation which are relatively easy to miss or not think about

I hacked a dating app (and how not to treat a security researcher) (alexschapiro.com)

Embeddings Are Underrated (technicalwriting.dev)

The Barbican (arslan.io)

RIP Usenix ATC (bcantrill.dtrace.org)

Launch HN: ParaQuery (YC X25) – GPU Accelerated Spark/SQL

Traffic Fatalities Are a Choice (asteriskmag.com)

Legion Health (YC S21) Is Hiring Founding Engineers to Fix Mental Health with AI (workatastartup.com)

University of Texas-led team solves a big problem for fusion energy (news.utexas.edu)

A community-led fork of Organic Maps (comaps.app)

Why GADTs matter for performance (2015) (blog.janestreet.com)

Demonstrably Secure Software Supply Chains with Nix (nixcademy.com)

Tailscale 4via6 – Connect Edge Deployments at Scale (tailscale.com)

Reviving a Modular Cargo Bike Design from the 1930s (core77.com)

Ruby 3.5 Feature: Namespace on read (bugs.ruby-lang.org)

OpenEoX to Standardize End-of-Life (EOL) and End-of-Support (EOS) Information (openeox.org)

Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps (github.com)

Spade Hardware Description Language (spade-lang.org)

Universe expected to decay in 10⁷⁸ years, much sooner than previously thought (phys.org)

The FTC puts off enforcing its 'click-to-cancel' rule (theverge.com)

I ruined my vacation by reverse engineering WSC (blog.es3n1n.eu)

Optimizing My Hacker News Experience (reorientinglife.substack.com)

A Typical Workday at a Japanese Hardware Tool Store [video] (youtube.com)

Ex-UK Special Forces break silence on 'war crimes' by colleagues (bbc.com)

Show HN: Airweave – Let agents search any app (github.com)

Ash (Almquist Shell) Variants (in-ulm.de)

Continuous glucose monitors reveal variable glucose responses to the same meals (examine.com)

Continuous Thought Machines (pub.sakana.ai)

Intellect-2 Release: The First 32B Model Trained Through Globally Distributed RL (primeintellect.ai)

Armbian Updates: OMV support, boot improvents, Rockchip optimizations (armbian.com)

Implicit UVs: Real-time semi-global parameterization of implicit surfaces [pdf] (baptiste-genest.github.io)

Making PyPI's test suite faster (blog.trailofbits.com)

CrowdStrike CEO cuts his voting power by 92% with unexplained gifts (bloomberg.com)

Why Bell Labs Worked (1517.substack.com)

Plain Vanilla Web (plainvanillaweb.com)

Car companies are in a billion-dollar software war (insideevs.com)

Access to the United States' President for Sale via Meme Coin (mastodon.social)

Absolute Zero Reasoner (andrewzh112.github.io)

High-school shop students attract skilled-trades job offers (wsj.com)

Scraperr – A Self Hosted Webscraper (github.com)

US Copyright Office found AI companies breach copyright. Its boss was fired (theregister.com)

Writing an LLM from scratch, part 13 – attention heads are dumb (gilesthomas.com)

Gig Companies Violate Workers Rights (hrw.org)

Title of work deciphered in sealed Herculaneum scroll via digital unwrapping (finebooksmagazine.com)

The Audio Stack Is a Crime Scene (fireborn.mataroa.blog)

How friction is being redistributed in today's economy (kyla.substack.com)

I hacked my clock to control my focus (paepper.com)

Ask HN: Cursor or Windsurf?

ToyDB rewritten: a distributed SQL database in Rust, for education (github.com)

A simple 16x16 dot animation from simple math rules (tixy.land)

LSP client in Clojure in 200 lines of code (vlaaad.github.io)

Show HN: CLI that spots fake GitHub stars, risky dependencies and licence traps

Comments (23)