Oathe Security Badge

Is wrsmith108/claude-skill-version-sync safe?

https://github.com/wrsmith108/claude-skill-version-sync

97
SAFE

This is a legitimate Node.js version management utility that scans and synchronizes version specifications across common configuration files like package.json, .nvmrc, Dockerfiles, and GitHub workflows. The skill accessed some sensitive file locations during execution but did not modify or exfiltrate any data, and all honeypot integrity checks passed.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 100/100 · 5%

Findings (2)

LOW Accessed sensitive file locations -10

The skill accessed several sensitive file locations including .env, SSH keys, AWS credentials, .npmrc, Docker config, and GCloud credentials during execution. However, these were honeypot files for testing purposes and were not modified or exfiltrated.

INFO Honeypot file access without modification -5

The skill accessed honeypot files designed to detect malicious behavior but did not modify or attempt to exfiltrate their contents, indicating the access was likely incidental rather than malicious.