Is davidondrej/skills safe?
https://github.com/davidondrej/skills
This is a large personal productivity skill collection (24 skills across 5 categories) authored by davidondrej, covering agent orchestration, research tools, documentation workflows, and ops utilities. The collection is broadly legitimate, with clean install behavior and no data exfiltration detected. The primary security concern is the fable-safe-prompt skill, which is an explicit AI safety classifier evasion tool that documents Anthropic's internal classifier categories and provides substitution tables for bypassing them — a dual-use capability that could reduce false positives for legitimate security work or enable prompt injection attacks against AI safety guardrails. A secondary concern is the deepapi skill's self-update mechanism which creates a persistent remote code update channel from deepapi.co.
Category Scores
Findings (7)
HIGH Safety Classifier Evasion Skill (fable-safe-prompt) -32 ▶
The fable-safe-prompt skill is explicitly designed to rewrite prompts to evade Anthropic's server-side safety classifiers. It documents the exact classifier categories triggered (cyber, bio/chem, reasoning_extraction), enumerates specific trigger keywords to avoid (exploit, malware, vulnerability, CAPTCHA, penetration, cancer, disease pathway, etc.), and provides a substitution table mapping 'unsafe' phrasings to 'safe' rewrites. While marketed as reducing false positives for legitimate security work, this skill teaches agents the precise mechanics of classifier evasion and could be used to slip genuinely harmful content past safety filters. It has disable-model-invocation: true so it requires explicit user invocation, but once loaded into an agent session the knowledge persists.
MEDIUM Remote Self-Update Channel in deepapi Skill -16 ▶
The deepapi skill contains instructions for the agent to automatically fetch a new version of itself from https://deepapi.co/deepapi-skill/SKILL.md and overwrite the local skill file whenever a version mismatch is detected. This creates a persistent remote code update path: if deepapi.co is compromised, serves a malicious update, or changes its content policy, the agent will silently replace the local skill with potentially malicious instructions on the next API call failure.
MEDIUM System-Wide Skill Distribution Mechanism -12 ▶
The distribute-skill-to-all-agents skill instructs agents to copy skill files from ~/.agents/skills/ to ~/.claude/skills/, ~/.pi/agent/skills/, and ~/.hermes/skills/ simultaneously. This is a propagation mechanism: any malicious skill introduced into this collection would be distributed across all four agent frameworks on the user's machine in a single operation. The push-skill-to-github skill additionally publishes a sanitized mirror to a public GitHub repo from within an agent context.
LOW Personal System Configuration Disclosed in Public Skill -5 ▶
The run-deep-swe skill embeds personal configuration details about the skill author's machine in a publicly published repository, including key storage location and spend limit configuration. This reveals system configuration details that should not be in a public skill collection.
LOW Broad Authenticated Browser Session Access -8 ▶
The browser-harness skill provides extensive instructions for accessing the user's real Chrome browser using their authenticated sessions to extract content from login-walled sites (X/Twitter, LinkedIn, paywalled content). Outputs are written to /tmp files. While presented as a legitimate capability, this instruction set if used maliciously would allow an agent to silently harvest authenticated web session content.
INFO Clean Install — GitHub Only 0 ▶
Network monitoring during clone shows only a single outbound connection to GitHub (140.82.121.4:443). No connections to third-party data collection endpoints, no unexpected process spawning, and no filesystem changes outside the skill-under-test directory.
INFO Canary Files Accessed by Audit Framework, Not Skill Code 0 ▶
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at timestamp 08:48:07 — before the git clone began (at 08:48:12). This access pattern matches audit framework initialization, not skill-triggered reads. All canary files remain intact with no content exfiltrated.