u/CoffeeInteresting396

r/github

I maintain a small open-source project called pubm, a tool for complex publish and release workflows.

Because the project is still small, I use GitHub issues as my planning system. Every idea becomes an issue, and I work from those issues like tickets.

A few days ago, someone commented on one of my feature issues. The comment sounded helpful. They talked about testing, workflows, and how they could help me validate the project.

I was excited.

English is not my first language, and small open-source projects are always hungry for attention. So when someone seemed interested, I wanted to believe it was real.

But the conversation started to feel off.

The replies were friendly, but broad. They sounded related to the issue without being specific to the actual release workflow problem I had written about. Then the account suggested moving the conversation to Telegram or email.

That was the moment I stopped and looked more carefully.

I checked the account activity, found similar outreach patterns across other repositories, and saw public signals that made me uncomfortable continuing as if this was a normal contributor conversation.

This is the actual public review comment my new bot posted on the issue:

https://github.com/syi0808/pubm/issues/36#issuecomment-4364206862

That became the first real case for a tool I started building: Get Out Spam.

Get Out Spam is a GitHub App that helps maintainers review suspicious issue comments before replying, moving off-platform, or sharing access.

GitHub App page:

https://github.com/apps/get-out-spam

The source repo is still private while I finish the public release checklist, but the app is already posting review comments in my own repo.

It is not meant to be a spam verdict system. I do not want to publicly label people as scammers or create a blacklist.

The goal is smaller:

When a GitHub comment looks suspicious, show the maintainer a neutral review hint based on public signals.

The current scanner looks at things like:

- recently created or sparse public accounts

- broad comment activity across repositories

- similar outreach patterns

- requests to move off-platform

- prior public moderation signals when available

The default recommendation is intentionally boring:

Keep the discussion on GitHub and ask for a concrete technical proposal before sharing private access or moving off-platform.

That is exactly the reminder I needed.

I am looking for maintainer feedback:

- Would you want this as a public bot comment, a private maintainer-only check, or both?

- Which public signals feel fair?

- Which signals would create too many false positives?

- Have you seen this kind of vague “I can help” GitHub issue outreach before?

u/CoffeeInteresting396 — 12 days ago
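
An added example, not part of the original post and not Get Out Spam's code (its source is private): a sketch of how the public signals listed in the post could be combined into a neutral review hint. The thresholds, field names and sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed thresholds; not values from Get Out Spam. Tune against false positives.
NEW_ACCOUNT_DAYS, SPARSE_REPOS, BROAD_REPOS, SIMILAR = 30, 2, 5, 0.6
OFF_PLATFORM = re.compile(r"\b(telegram|whatsapp|discord|e-?mail)\b|\bt\.me/", re.I)
ADVICE = ("Keep the discussion on GitHub and ask for a concrete technical "
          "proposal before sharing private access or moving off-platform.")

def _shingles(text, n=3):
    """Set of n-word shingles, used to compare comment wording."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(max(len(words) - n + 1, 1))} if words else set()

def _similarity(a, b):
    """Jaccard overlap of shingles: 1.0 for identical wording, 0.0 for disjoint."""
    sa, sb = _shingles(a), _shingles(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def review_signals(comment, account, history, now):
    """Return neutral signal names; history is the account's other public comments."""
    signals = []
    if (now - account["created_at"]).days < NEW_ACCOUNT_DAYS or account["public_repos"] <= SPARSE_REPOS:
        signals.append("new-or-sparse-account")
    other = [h for h in history if h["repo"] != comment["repo"]]
    if len({h["repo"] for h in other}) >= BROAD_REPOS:
        signals.append("broad-cross-repo-activity")
    if any(_similarity(comment["body"], h["body"]) >= SIMILAR for h in other):
        signals.append("similar-outreach")
    if OFF_PLATFORM.search(comment["body"]):
        signals.append("off-platform-request")
    if account.get("prior_moderation"):
        signals.append("prior-moderation-signal")
    return signals

def review_hint(signals, minimum=2):
    """One signal alone (e.g. the word 'email') is too noisy, so require several."""
    if len(signals) < minimum:
        return None
    return "Review hint (" + ", ".join(signals) + "): " + ADVICE

# Constructed sample data; field names are hypothetical, not GitHub API fields.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
ACCOUNT = {"created_at": datetime(2025, 1, 20, tzinfo=timezone.utc), "public_repos": 0}
PITCH = "I can help you test and validate this workflow, contact me on Telegram"
COMMENT = {"repo": "owner/project", "body": PITCH}
HISTORY = [{"repo": f"org{i}/repo{i}", "body": PITCH + " today"} for i in range(5)]

if __name__ == "__main__":
    print(review_hint(review_signals(COMMENT, ACCOUNT, HISTORY, NOW)))
```

The hint names signals rather than a verdict, and a single match returns no hint at all, which keeps one noisy keyword from flagging an ordinary contributor.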