๐จ Unexpected lesson from running a technical portfolio on GitHub Pages โ ๏ธ
Recently my GitHub Pages site was flagged as a "Dangerous site" by Google Safe Browsing and I've only found out today when publishing my favorite SOQL queries in a cheat sheet page.
I've checked and there are no malware, no phishing forms, no credential capture. The root cause was automated heuristics.
In my case, browser-based AI/WebGPU experiments - running ONNX transformer models locally with transformers.js and calculating fractals on the browser - likely triggered the flag.
For a security crawler, patterns like large binary downloads, WebAssembly, WebGPU initialization, and heavy client-side compute may look indistinguishable from malware loaders.
So if you are hosting demos or portfolios, these may be important points:
๐ username.github.io is a single reputation boundary
๐ one demo can poison the entire site if it looks "risky"
๐ automated classifiers will not consider your disclaimers and open-source code
I've removed those demos and made an appeal - I have yet to see the result.
Fortunately this was not a security incident but it has a negative reputation effect.
If you host AI, WebGPU, WASM, or client-side ML demos it may be better to isolate them on a separate domain or subdomain. Also, avoid auto-loading models on page load and put a gate with explicit user interaction before proceeding with heavy computation.
Modern security systems optimize for minimizing false negatives, no matter how many false positives it gets. These advanced browser-side public experimentations seem to be at that boundary.
I hope that by sharing this it saves someone else a few days of confusion.