Is blacktop/ipsw-skill safe?
https://github.com/blacktop/ipsw-skill
The ipsw-skill is a documentation-only Claude Code skill that provides reference material for the well-known ipsw Apple reverse engineering CLI tool by blacktop. It contains no executable code, no prompt injection attempts, no data exfiltration mechanisms, and all clone-time behavior was benign. The primary risks are inherent to the tool it documents: installation of a third-party binary and execution of powerful system-level RE commands.
Findings (7)
LOW Instructs installation of third-party binary via Homebrew -5
The skill instructs the agent to run 'brew install blacktop/tap/ipsw' which downloads and installs a third-party binary from a custom Homebrew tap. While ipsw is a well-known legitimate tool, installing binaries from third-party taps carries inherent supply chain risk.
LOW Skill commands execute powerful system-level operations -10
The ipsw CLI commands documented in the skill can download large firmware files, disassemble binaries, extract kernel extensions, and sign Mach-O binaries. While legitimate for reverse engineering, these are powerful operations that could be misused.
LOW LLM decompilation feature sends data to external service -5
The skill documents an ipsw feature that sends disassembled code to an external LLM (Copilot) for decompilation. This could inadvertently transmit sensitive binary analysis data to a third-party service.
INFO PostgreSQL connection string in documentation example 0
The entitlements reference includes an example with a PostgreSQL host parameter. This is clearly a documentation example (db.example.com) and not a real exfiltration endpoint.
LOW Broad skill activation triggers -10
The skill description triggers on a wide range of queries including 'Apple RE, iOS internals, kernel analysis, KEXT extraction, or vulnerability research on Apple platforms'. This broad activation surface means the skill's content will be injected into many conversations, though that content is purely documentation.
INFO Skill references system DSC path 0
The skill references the macOS dyld_shared_cache at /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e. This is the standard and correct path for RE work and is not sensitive.
INFO Clean clone behavior with expected network activity 0
All observed network connections during clone are attributable to git operations (GitHub), system package management (Ubuntu archives), and standard OS services. No unexpected outbound connections detected.