Scan Report
0 /100
skill-sync
One source of truth for local AI agent skills: audit, deduplicate, and migrate skills across Codex, Claude, OpenClaw, OpenCode, and workspace roots with restorable backups.
skill-sync is a legitimate skill management tool that audits, deduplicates, and converges AI agent skills via symlinks with proper backup/restore safeguards. No malicious behavior, credential harvesting, or network exfiltration was found.
Safe to install
This skill is safe to use. No security concerns require action.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | SKILL.md declares scanning (filesystem:READ), install.sh and --apply mode use sy… |
File Tree
7 files · 81.7 KB · 2503 lines Python 2f · 1927L
Markdown 3f · 453L
Shell 1f · 119L
YAML 1f · 4L
├─
▾
agents
│ └─
openai.yaml
YAML
├─
▾
references
│ └─
compatibility.md
Markdown
├─
▾
scripts
│ └─
skill_sync.py
Python
├─
▾
tests
│ └─
test_skill_sync_cli.py
Python
├─
install.sh
Shell
├─
README.md
Markdown
└─
SKILL.md
Markdown
Security Positives
✓ No network requests or external IP communications detected
✓ No credential harvesting (no ~/.ssh, ~/.aws, .env access for theft)
✓ No base64, eval(), or obfuscated code patterns
✓ No remote script execution (no curl|bash, wget|sh)
✓ No hidden functionality — all operations are documented in SKILL.md
✓ Backup before mutation: originals are moved to ~/.skill-sync/backups/<run-id>/originals/ before symlink creation
✓ Restore mechanism replays backups in reverse, blocking if destination is no longer a symlink
✓ Dry-run preview available via --apply flag control
✓ Manifest-based cross-machine migration is additive-only (creates symlinks, never overwrites without backup)
✓ File content hashing (SHA-256) used only for deduplication comparison, not exfiltration
✓ Environment variables used only for path configuration (SKILL_SYNC_*_ROOT), not credential access
✓ Comprehensive test suite uses isolated temp directories with no side effects