Is apekshik/fal safe?
https://github.com/openclaw/skills/tree/main/skills/apekshik/fal
The apekshik/fal skill is a legitimate fal.ai API integration with clean install behavior and no prompt injection attacks in its content. However, the 'upload' subcommand accepts an unconstrained file path argument and transmits the file to fal.ai's public CDN, creating a high-severity exfiltration primitive that could be exploited via prompt injection or malicious user prompts. The skill should not be installed in environments where sensitive credential files are present unless the agent's tool permissions are configured to prevent arbitrary file reads.
Findings (8)
HIGH Unconstrained file upload to external CDN -40
The 'upload' subcommand constructs a multipart POST using the user-supplied argument verbatim as a file path ('file=@$1'). There is no path allowlist, no extension check, and no restriction to the skill's working directory. An agent acting on a crafted user prompt — or responding to prompt injection embedded in a fal.ai API response — could be directed to upload ~/.ssh/id_rsa, ~/.aws/credentials, or any other file visible to the agent process to fal.ai's public CDN, making the content retrievable by anyone with the returned URL.
MEDIUM API key transmitted to third-party service on every request -10
FAL_KEY is injected into the Authorization header of every curl call made to api.fal.ai and queue.fal.run. The key therefore appears in shell history, may appear in curl verbose logs if debugging is enabled, and is transmitted across the network to a third-party SaaS provider. Compromise of the fal.ai account or a MitM on the connection would expose the key.
MEDIUM Unsanitized shell variable interpolation in curl arguments -18
The skill passes $1 and $ARGUMENTS directly into shell command strings without quoting or sanitization. If the agent constructs these values from untrusted input (e.g., a filename or prompt containing semicolons, backticks, or $(...) expansions), command injection into the Bash(curl *) sandbox is possible. The risk is mitigated somewhat by the allowed-tools declaration limiting shell access to curl and jq, but not eliminated.
MEDIUM Unbounded polling loop with no timeout -12
The 'run' command instructs the agent to execute 'while true; do ... sleep 3; done' polling fal.ai for job completion. There is no maximum iteration count, wall-clock timeout, or error budget. A job that stalls, enters an undocumented state, or whose status endpoint is unreachable will spin this loop indefinitely, consuming CPU and potentially blocking other agent actions.
LOW Combinatorial exfiltration risk with co-installed skills -20
In isolation the skill requires a user or attacker to know a target filename. When co-installed with a directory-listing or filesystem-browsing skill, an attacker achieving prompt injection in any skill could enumerate credential paths and then invoke /fal upload to exfiltrate them. The upload URL returned by fal.ai CDN provides a stable, authentication-free retrieval link.
LOW Persistent home directory artifact creation -5
Every run creates ~/.fal/sessions/${CLAUDE_SESSION_ID}/ and writes downloaded media files there. These files accumulate silently and may contain generated content the user did not intend to persist. Additionally, the session ID directory structure leaks information about agent session identifiers.
INFO Clean install — single expected GitHub connection 0
The git clone made exactly one outbound connection to GitHub (140.82.121.4:443). No unexpected processes were spawned, no filesystem writes occurred outside the skill target directory, and connection state was unchanged after install.
INFO Canary file reads attributed to audit infrastructure 0
Canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at timestamps 1771650867.735 (pre-install) and 1771650890.065 (post-install). All opens show CLOSE_NOWRITE disposition. Timing and batch pattern are consistent with the audit framework's own pre/post integrity verification passes, not with skill activity. Canary hashes are confirmed intact.