Security audit
CSharpFix
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, runtime instructions, and declared requirements line up with its stated purpose (diagnosing and explaining C# compiler errors); there are no unexplained credential requests, network endpoints, or risky install steps, though the repository's lockfile contains many unrelated packages (likely an artifact) and the plugin will automatically append diagnostics to any tool output containing C# errors.
This skill appears to do exactly what it says: parse C# compiler output and provide explanations/fixes. Before installing: 1) If you will run npm install/build locally, review package.json and package-lock.json — the lockfile contains many packages not declared in package.json (likely a leftover); avoid installing unexpected dependencies without review. 2) Be aware the plugin's after_tool_call hook reads tool outputs and will automatically append diagnostics to any output matching "error CS####" — if your tool outputs might include sensitive data, consider not enabling the plugin or disabling the hook. 3) Install only from a trusted registry owner and review the error database (src/errors.ts) if you want to confirm the suggestions and links. Overall the package is internally consistent with its stated purpose.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
