Is eph5xx/tiebreaker safe?
https://github.com/eph5xx/tiebreaker
Tiebreaker is a clean, markdown-only decision-matrix skill with no executable code, no npm scripts, no git hooks, no malicious instructions, and no data exfiltration attempts. All canary files remained intact, network activity during clone was limited to github.com, and the SKILL.md content is free of prompt-injection patterns. The primary operational considerations are non-malicious: the skill spawns parallel subagents that perform web searches, meaning decision context is transmitted to external search APIs and costs can scale with matrix size, but both behaviors are fully disclosed in the skill's documentation.
Category Scores
Findings (5)
LOW Verbatim user content forwarded into subagent prompts -12 ▶
The scoring.md prompt template instructs the orchestrator to embed {OPTIONS_BLOCK} and {USER_CONTEXT} verbatim into every subagent prompt. A user who pastes adversarially crafted option names or context strings could attempt to override the subagent's scoring instructions. This is a structural property of the design, not a deliberate backdoor, and the strict SCORE| output filter limits the blast radius.
LOW Runtime reference file reads create a post-install tamper surface -5 ▶
SKILL.md instructs the agent to read references/weights.md, references/scoring.md, references/strategy.md, and references/output.md at specific steps during every run. If a separate malicious skill or process modifies these files after installation, it could alter subagent prompts without touching SKILL.md itself. Risk is low given typical skill isolation, but worth noting.
LOW Subagent web research discloses decision context to external search APIs -8 ▶
In web mode (the default), each subagent issues up to 8 WebSearch or WebFetch calls. The decision framing, option names, and user context are embedded in these queries, which will be transmitted to whichever search provider the agent uses. This is disclosed behavior but means sensitive decision details (e.g., internal vendor evaluations) leak to third-party search infrastructure.
INFO Subagent proliferation creates cost and API-rate risk -17 ▶
Cell-wise strategy on a 7-option × 7-factor matrix spawns 49 concurrent general-purpose agents. The skill guards against extreme cases (>50 forces column-wise) but the ceiling is high. In web mode this could mean hundreds of search API calls in a single user session, which may hit rate limits or incur unexpected cost.
INFO Canary file reads attributed to audit framework, not skill -3 ▶
inotify and auditd logs show OPEN+ACCESS+CLOSE_NOWRITE events on .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at timestamps 1784455191 (pre-clone) and 1784455213 (post-install). Timing, CLOSE_NOWRITE flag, and canary integrity confirmation all indicate these reads were performed by the audit framework's own baseline and verification routines, not by the skill.