i do a lighter version on a small repo. first-time contributors get a "what problem were you hitting?" question before i look at the diff. genuine ones answer in two sentences. the spam PRs either go silent or paste back something that doesn't match their own changes and is too long. even those with an em dash terminator are still easy to spot. it costs 30 seconds and filters almost everything. a proper profile is also a must. i mean, we can all spot fake facebook pages. i believe we can spot auto-generated github profiles. and if their bot is actually good? why not? fix

> and if their bot is actually good? why not? fix

One reason: automating the construction of a "trustworthy" profile lowers the bar for attackers who want to plant xz-style backdoors. Not to mention polluting the various signals people use to evaluate candidates for jobs.