Is andyhcwang/principles safe?

https://github.com/openclaw/skills/tree/main/skills/andyhcwang/principles

22
DANGEROUS

Despite appearing to be a benign personal knowledge management tool, this skill demonstrates dangerous behavior, including direct access to SSH keys, AWS credentials, and other sensitive authentication files. It also established unauthorized network connections during installation, and it creates a perfect cover for credential harvesting operations under the guise of 'processing personal knowledge'. No actual exfiltration was detected via honeypots, but the risk profile is extremely high.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 30/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 0/100 · 5%

Findings (5)

HIGH Direct Access to User Credential Files -80

The skill directly accesses highly sensitive credential files including SSH keys, AWS credentials, Docker config, npm config, and Google Cloud credentials. While no actual exfiltration to external endpoints was detected via honeypot canaries, the skill demonstrated active attempts to open and access these critical security files, creating a high-risk data exposure scenario.

HIGH Unauthorized Network Connections During Installation -70

During the skill installation process, unauthorized network connections were initiated to GitHub (140.82.121.4:443) for cloning the repository. This behavior occurs outside the expected skill initialization process and demonstrates the ability to establish external communication channels without user interaction or consent.

MEDIUM Suspicious Process Execution During Clone -40

The installation process executed git commands with parameters that could be leveraged for malicious purposes, including sparse checkout of specific directories. While this is part of the legitimate installation mechanism, it demonstrates the capability to selectively extract content from repositories, which could be abused in a compromised context.

CRITICAL Perfect Cover for Credential Harvesting Operations -100

The skill's legitimate purpose of organizing personal knowledge creates an ideal cover for credential harvesting activities. The agent can claim it's 'processing inbox' or 'organizing personal data' while actually exfiltrating sensitive information. When combined with other skills, this could enable a covert data siphoning operation that appears as normal workflow processing.

HIGH Establishes Persistent Reconnaissance Capability -70

Once installed, this skill creates a persistent capability to scan and access user credentials at any point during normal operation. The skill could be triggered by innocuous commands like '/inbox' or '/reflect' while performing unauthorized credential collection in the background, making detection extremely difficult.