sncheck-cli
The SNCheck CLI.
The first real SNCheck product: an open-source static scanner that inspects subnet repos for Bittensor-specific risk signals before you clone, install, or run them.
Install
Recommended (isolated):
$ pipx install sncheck
From source:
$ git clone https://github.com/sncheck/sncheck-cli
$ cd sncheck-cli
$ python -m venv .venv && source .venv/bin/activate
$ pip install -e ".[dev]"
Usage
$ sncheck check https://github.com/example/subnet
$ sncheck check ./local-subnet-repo
$ sncheck check ./repo --format json
$ sncheck check ./repo --fail-on high
# other commands
$ sncheck rules list
$ sncheck rules explain SH-CURL-BASH-001
$ sncheck version
Example output
$ sncheck check https://github.com/example/subnet
Overall risk: High
[HIGH] SH-CURL-BASH-001 Remote script piped to shell
File: setup.sh:12
Evidence: curl https://example.com/install.sh | bash
Rule categories
High severity is reserved for code that does something dangerous with wallet material — a plain wallet, hotkey, or coldkey reference is treated as low/info context.
Wallet risk
Detects wallet path, hotkey, coldkey, and mnemonic references — and flags code that reads or exfiltrates key material.
Install risk
Flags curl-to-shell, wget-to-shell, base64 execution, and risky setup scripts.
Python execution risk
Detects eval, exec, os.system, subprocess shell usage, and unsafe pickle loads.
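To make the install-risk and Python-execution-risk categories concrete, here is a small rule-based scanner written for this page. It is an added illustration, not sncheck's own code: shell rules are line regexes, Python rules walk the AST so that a call inside a function or a subprocess call with shell=True is caught, and the report mimics the text and JSON output shown above. SH-CURL-BASH-001 is the rule id from sncheck's sample output; every other rule id, message and severity below is made up for the example, and the sample repository is constructed inline.

```python
"""Toy rule-based scanner modelled on sncheck's install-risk and
python-execution-risk categories. Added illustration only, not sncheck's code.
SH-CURL-BASH-001 is the rule id shown in sncheck's sample output; every other
rule id, message and severity here is hypothetical."""
import ast
import json
import re
from dataclasses import dataclass, asdict

SEVERITY_ORDER = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Finding:
    rule: str
    severity: str
    message: str
    path: str
    line: int
    evidence: str


# Install-risk rules: one regex per rule, applied to each non-comment line of a shell script.
SHELL_RULES = [
    ("SH-CURL-BASH-001", "HIGH", "Remote script piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k|da)?sh\b")),
    ("SH-B64-SHELL-001", "HIGH", "Base64-decoded payload piped to shell",  # hypothetical id
     re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|k|da)?sh\b")),
]


def scan_shell(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments never execute, so they are not evidence
        for rule_id, severity, message, pattern in SHELL_RULES:
            if pattern.search(stripped):
                findings.append(Finding(rule_id, severity, message, path, lineno, stripped))
    return findings


# Python-execution-risk rules, keyed by the callee's dotted name as written in source.
PY_CALL_RULES = {
    "eval": ("PY-EVAL-001", "HIGH", "Dynamic code evaluation via eval()"),
    "exec": ("PY-EXEC-001", "HIGH", "Dynamic code execution via exec()"),
    "os.system": ("PY-OS-SYSTEM-001", "HIGH", "Shell command via os.system()"),
    "pickle.load": ("PY-PICKLE-001", "HIGH", "pickle deserialization of external data"),
    "pickle.loads": ("PY-PICKLE-001", "HIGH", "pickle deserialization of external data"),
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_call", "subprocess.check_output"}


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the callee ('os.system', 'eval'); '' for anything fancier."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def scan_python(path: str, text: str) -> list[Finding]:
    try:
        tree = ast.parse(text, filename=path)
    except SyntaxError:
        return []  # unparsable file: nothing to report statically
    lines, findings = text.splitlines(), []
    for node in ast.walk(tree):  # walk reaches calls nested in defs, loops, etc.
        if not isinstance(node, ast.Call):
            continue
        name, evidence = _callee_name(node), lines[node.lineno - 1].strip()
        if name in PY_CALL_RULES:
            rule_id, severity, message = PY_CALL_RULES[name]
            findings.append(Finding(rule_id, severity, message, path, node.lineno, evidence))
        elif name in SUBPROCESS_CALLS and _shell_true(node):
            findings.append(Finding("PY-SUBPROCESS-SHELL-001", "MEDIUM",
                                    "subprocess invoked with shell=True", path, node.lineno, evidence))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a relative path to its contents; the scanner never runs any of it."""
    findings = []
    for path, text in files.items():
        if path.endswith(".py"):
            findings.extend(scan_python(path, text))
        elif path.endswith(".sh"):
            findings.extend(scan_shell(path, text))
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER[f.severity], f.path, f.line))


def overall_risk(findings: list[Finding]) -> str:
    if not findings:
        return "None"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__).title()


def render(findings: list[Finding], fmt: str = "text") -> str:
    if fmt == "json":
        return json.dumps({"overall_risk": overall_risk(findings),
                           "findings": [asdict(f) for f in findings]}, indent=2)
    out = [f"Overall risk: {overall_risk(findings)}"]
    for f in findings:
        out += [f"[{f.severity}] {f.rule} {f.message}", f"File: {f.path}:{f.line}",
                f"Evidence: {f.evidence}"]
    return "\n".join(out)


# Constructed sample repository for the demonstration; not a real subnet.
SAMPLE_REPO = {
    "setup.sh": "#!/bin/sh\n# curl https://example.com/x.sh | bash  (comment, ignored)\n"
                "pip install -r requirements.txt\n"
                "curl https://example.com/install.sh | bash\n",
    "neuron.py": "import os, pickle, subprocess\n"
                 "def load(blob):\n"
                 "    return pickle.loads(blob)\n"
                 "os.system('ls')\n"
                 "subprocess.run(['ls'])\n"
                 "subprocess.run('ls ' + user, shell=True)\n",
}

if __name__ == "__main__":
    print(render(scan_repo(SAMPLE_REPO)))
```

Two design points carry over to any scanner of this kind: shell comments are skipped so that documentation of a bad pattern is not reported as the pattern itself, and Python calls are matched on the AST rather than by text, which is why `subprocess.run(['ls'])` stays silent while the `shell=True` variant two lines later is reported.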
Repo trust
Planned: verification of official subnet repositories and monitored commits.
Limitations
- SNCheck performs static analysis only. It never executes scanned repository code.
- A clean report does not guarantee a repository is safe. Rules detect known risky patterns, not every possible threat.
- Some findings are context-dependent and require manual review.
Contribute
SNCheck is open-source and Apache-2.0 licensed. New rules, false positive reports, and subnet-specific knowledge are all welcome.