These days, a significant portion of open-source software (OSS) is necessary to develop a software. There has been a few measurement that can verify safety of OSS, but technologies for automation are insufficient. To address this problem, we propose AutoMetric, an automatic tool for measuring security metrics of OSS in repository level. Using AutoMetric which only collects repository address of the project, it is possible to inspect many projects at once regardless of its size and scope. AutoMetric contains five metrics: Mean Time to Update (MU), Mean Time to Commit (MC), Number of Contributors (NC), Inactive Period (IP), and Branch Protection (BP). These indicators can be calculated quickly even if the source code changes. By comparing metrics in AutoMetric with 2,675 reported vulnerabilities in GitHub Advisory Database (GAD), the result shows that the more frequent updates and commits and the shorter the inactivity period, the more vulnerabilities were found.