Oathe Security Badge

Is qingcaizz/github-trending-tracker safe?

https://github.com/qingcaizz/github-trending-tracker

Overall Score: 93 · SAFE

This is a legitimate GitHub trending repository tracker that fetches trending project data and generates bilingual reports. The skill contains executable code and makes external API calls for translation services, but all functionality appears to match its stated purpose with no malicious behavior detected.

Category Scores (score/100 · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM External Translation API Calls -10

The skill makes HTTP requests to the Google Translate API to translate repository descriptions from English to Chinese. While legitimate for the tool's functionality, this means repository data is sent to an external service.

LOW Executable JavaScript Code -15

The skill contains executable Node.js scripts that perform web scraping and file operations. The code appears benign and necessary for the tool's functionality.

LOW File System Access -10

The skill creates directories and files in the user's home directory (~/.claude/github-trending/). While scoped appropriately, this represents access beyond typical skill boundaries.