A code-security-review SKILL.md 0 ▲ Panagiotis Vryonis 2 hours ago · Tech · hide · 0 comments I install a lot of small tools. A CLI from someone's GitHub, a Homebrew tap with twelve stars, a Rust binary that does one thing well. This is how I like software, and there has never been more of it. Unless it’s a really established project, with many eyes on it, it’s a leap of faith. How do I know what the code actually does? In theory, I could review it. But let’s be realistic, no one is fluent enough in every programming language, and no one has the time to carefully review the code of every tool they want to try; at least not me. README is a claim Every decent repo has a README, and the README file is a claim. The code is the fact. The insight The real question is what’s the gap between the claim (README) and the fact (code). A tool that says "renames files based on EXIF data" has no business making network calls, reading ~/.ssh, or spawning subprocesses. If it does, you don't need threat modeling or a CVE database. You've found it. Most malicious code reveals itself exactly at… No comments yet. Log in to reply on the Fediverse. Comments will appear here.