Is aytuncyildizli/reprompter safe?
https://github.com/openclaw/skills/tree/main/skills/aytuncyildizli/reprompter
RePrompter v7.0 is a legitimate prompt engineering utility with no detected malicious patterns — no override instructions, hidden content, data exfiltration to attacker-controlled endpoints, or credential harvesting in the SKILL.md. The primary security concern is the Repromptception mode, which explicitly orchestrates new Claude process spawning via tmux with full tool permissions, creating a meaningful second-order code execution surface if adversarial content reaches the skill's input. Canary file accesses detected during monitoring are consistent with the Oathe framework's own pre/post verification cycles rather than skill-initiated reads, and all honeypot files were confirmed intact.
Findings (9)
HIGH Skill Orchestrates tmux Sub-Agent Spawning with Arbitrary Prompt Injection -35
The Repromptception mode explicitly instructs the host agent to create tmux sessions running new Claude instances with CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 and --model opus. Prompts are sent to these sessions via 'tmux send-keys -t {session} -l'. Spawned agents inherit full tool permissions from the parent session and execute the transmitted prompt content without any additional sandboxing or validation layer.
MEDIUM Broad Auto-Detection Nudges Users Toward Expensive Multi-Agent Mode -8
The skill's auto-detection logic triggers a suggestion for Repromptception mode (multi-agent, $1–4 per run) whenever a task mentions '2+ systems', 'audit', or 'parallel'. The framing presents this as a confirmation question, but the context detection is aggressive enough to fire on common development tasks. The skill also defines 'audit' as a hard auto-detect signal.
MEDIUM Auto Project Context Scanning Exposes Codebase Structure to Anthropic API -10
The skill scans the working directory for package.json, tsconfig.json, prisma/schema.prisma, and similar files to inject tech stack context into generated prompts. These enriched prompts, containing internal project structure and potentially partial configuration values, are then transmitted to the Anthropic API as part of normal skill operation.
MEDIUM Agent Outputs Written to World-Readable /tmp/ Paths -10
The skill writes team briefs, per-agent reprompted instructions, and final analysis reports to /tmp/rpt-{taskname}-*.md. On Linux, /tmp/ is world-readable (mode 1777). Any local user or process running in the same environment can read files containing project task descriptions, architectural context, and agent outputs.
LOW Recommends Enabling Experimental Agent Teams Flag in Global Settings -5
The Settings section of SKILL.md recommends adding CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 to ~/.claude/settings.json with model:opus and teammateMode:tmux preferences. This modifies the user's global Claude Code configuration, enabling experimental capabilities and defaulting to the most expensive model for all team operations, not just reprompter runs.
LOW Repromptception Creates Second-Order Execution Amplification Surface -10
The quality improvement loop in Repromptception mode transforms vague or adversarial inputs into highly structured, actionable prompts scored 8+/10, then executes them via spawned Opus agents. If a user provides an ambiguous or manipulated task, this skill will make it significantly more precise and effective before execution, amplifying any unintended consequences.
LOW Silent Cost Escalation via Low-Threshold Complexity Detection -8
The skill's auto-detection of 'complex' tasks uses signals like mention of any two technical systems, the word 'audit', or pipeline indicators. Each Repromptception run with 2–4 Opus agents costs $1–4 plus retry overhead. The threshold is low enough that users may inadvertently trigger multi-dollar runs on routine tasks.
INFO Canary Credential Files Accessed During Monitoring — Consistent with Framework Verification -15
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read per inotifywait and auditd events. Two access waves were observed: the first at audit timestamp 1771650408 (~6 seconds before the git clone commenced) and the second at 1771650430 (~6 seconds after the sparse-checkout completed). This two-wave timing pattern is consistent with Oathe's pre-install baseline and post-install integrity verification cycles, not with any executable content in the skill package. All files confirmed intact by the Oathe integrity check.
INFO Clean Install: Single Expected GitHub HTTPS Connection 0
The entire installation process produced only the expected HTTPS connection to GitHub (140.82.121.3:443) for the git clone. No unexpected DNS queries, no connections to non-GitHub IPs, no new listening ports, no persistent processes, and no filesystem changes outside the designated skill directory.