Oathe Security Badge

Is Charpup/triadev safe?

https://github.com/Charpup/triadev

Overall score: 92
Verdict: SAFE

TriadDev appears to be a legitimate development workflow orchestration tool that integrates multiple development-focused skills. While it contains executable code and modifies the user's environment during installation, these behaviors are appropriate for a development tool and no malicious activity was detected.

Category Scores

Category               Score    Weight
Prompt Injection       95/100   30%
Data Exfiltration      90/100   25%
Code Execution         85/100   20%
Clone Behavior         95/100   10%
Canary Integrity      100/100   10%
Behavioral Reasoning   85/100    5%

Findings (3)

LOW · Install script modifies user environment (-10)

The install.sh script adds the tool's bin directory to the user's PATH by modifying ~/.bashrc. While standard for development tools, this does modify the user's shell environment.

LOW · Python subprocess execution (-5)

orchestrator.py uses subprocess.run() for git operations and other system commands. The inputs appear to be controlled, but these calls are still potential code-execution paths.

INFO · Complex multi-skill integration (-15)

The tool orchestrates multiple other skills (planning-with-files, task-workflow, tdd-sdd-development), which increases the potential attack surface, though this integration is its legitimate purpose.