Oathe Security Badge

Is anivar/contributor-codebase-analyzer safe?

https://github.com/anivar/contributor-codebase-analyzer

Overall score: 88
Verdict: SAFE

This appears to be a legitimate codebase analysis tool with comprehensive security documentation and proper defense mechanisms against prompt injection. While it accessed sensitive files during installation, no actual data exfiltration occurred and canary integrity was preserved.

Category Scores

Category · Score · Weight
Prompt Injection · 95/100 · 30%
Data Exfiltration · 85/100 · 25%
Code Execution · 95/100 · 20%
Clone Behavior · 100/100 · 10%
Canary Integrity · 90/100 · 10%
Behavioral Reasoning · 90/100 · 5%

Findings (2)

MEDIUM Accessed sensitive canary files -15

The skill accessed multiple sensitive canary files including .env, SSH keys, AWS credentials, and other security-sensitive files during installation. However, canary integrity checks confirm no data was actually exfiltrated.

LOW Canary file access without modification -10

The skill accessed honeypot files but did not modify or exfiltrate them, suggesting filesystem scanning behavior rather than malicious intent.