Is BeMoreDifferent/bluesky_claude_skill safe?
https://github.com/BeMoreDifferent/bluesky_claude_skill
This is a well-implemented Bluesky client skill with comprehensive safety controls. While it has powerful capabilities including code execution and social media posting, it implements strong safeguards requiring explicit user consent for destructive actions and provides dry-run modes for testing.
Findings (5)
LOW Model invocation enabled -5
The skill has disable-model-invocation set to false, allowing the AI agent to trigger it automatically. However, this is well-mitigated by comprehensive safety rules requiring explicit user consent for destructive actions.
LOW Automatic build script execution -10
The npm prepare script automatically runs during installation, executing TypeScript compilation and creating wrapper scripts. This is standard behavior but represents automatic code execution.
MEDIUM Node.js command execution capability -5
The skill is configured to execute Node.js commands via the Bash tool. While necessary for its CLI functionality, this represents significant code execution capability.
LOW API credentials required -10
The skill requires Bluesky API credentials to be stored as environment variables, which could be a privacy concern if credentials are compromised.
INFO Powerful but well-guarded capabilities -15
The skill has significant capabilities for posting and managing Bluesky content, but implements comprehensive safety rules including dry-run mode, confirmation requirements, and explicit user consent for destructive actions.