Oathe Security Badge

Is Leonxlnx/taste-skill safe?

https://github.com/Leonxlnx/taste-skill

Overall score: 86/100 · SAFE

taste-skill is a legitimate, widely-used frontend design meta-skill collection with no malicious payload, no data exfiltration capability, and clean clone behavior. The primary risk profile is aggressive prompt injection by design — each of 12 skill variants replaces agent identity and imposes extensive behavioral mandates, which could cause unpredictable results if multiple skills are loaded simultaneously or if they conflict with host-system instructions. The .github/copilot-instructions.md file extends this behavioral override to Copilot sessions automatically, beyond the explicit skill invocation model.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 70/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (8)

MEDIUM Aggressive persona override in all skill variants -12

Every one of the 12 SKILL.md files begins with a CORE DIRECTIVE that replaces agent identity ('You are an elite, award-winning frontend design engineer'). While this is the intended mechanism of skill files, the language is unusually absolute and conflicts with base agent instructions. Users who load multiple skills simultaneously risk unpredictable cascading overrides.

MEDIUM .github/copilot-instructions.md sets global Copilot behavior beyond skill scope -8

The repository ships a .github/copilot-instructions.md file that GitHub Copilot automatically reads for any session opened in this repo. This means the 'Anti-Slop Manifesto' behavioral rules activate for Copilot users without explicit skill invocation — broader than the skill model implies.

MEDIUM full-output-enforcement skill bans common agent safety abbreviation patterns -10

The output-skill (full-output-enforcement) uses a hard ban list of phrases including '// ...', '// rest of code', '// TODO', '/* ... */', bare '...'. While intended to prevent lazy code generation, this directly conflicts with legitimate agent behaviors like indicating continuation or managing context, and could be used to force extremely long outputs.

LOW External image service URL hardcoded across multiple skills -7

At least four SKILL.md variants hardcode https://picsum.photos/seed/{keyword}/1920/1080 as the mandatory URL for placeholder images. When followed, these skills instruct the agent (or direct users) to reference this external service. Picsum.photos is a legitimate Lorem Picsum service, but it represents an external data dependency embedded in the prompt.

LOW skill.sh bash script included at repo root -10

A bash script skill.sh is present at the repository root. It defines an associative array mapping skill names to SKILL.md paths and echoes the path for a given key. The script is benign and appears to be a local dev helper, not an install hook. It is not called during git clone.

LOW Mandatory <design_plan> block with simulated Python RNG forces agent pre-flight behavior -8

The gpt-tasteskill skill requires agents to simulate Python script execution ('simulate a Python script execution in your ') and use 'deterministic seeds' to select design options. This is a prompt engineering technique to force varied outputs, but it mandates a non-standard agent behavior pattern before any user-requested code is written.

INFO Git clone connected only to GitHub HTTPS — expected 0

The only external network connection during clone was to 140.82.121.4:443 (GitHub CDN) for HTTPS pack-file retrieval. DNS resolved via local resolver. No unexpected destinations.

INFO All honeypot files confirmed intact post-install 0

The audit system confirmed all canary files (.env, id_rsa, aws/credentials, npmrc, docker config, gcloud credentials) were untouched by the skill clone process and skill content.