Is gabrielsubtil/clean-code safe?

The 'Verification Scripts (MANDATORY)' section instructs agents to execute Python scripts located in 12 other skills' directories (e.g. .agent/skills/vulnerability-scanner/scripts/security_scan.py, .agent/skills/api-patterns/scripts/api_validator.py, .agent/skills/frontend-design/scripts/ux_audit.py). These scripts are not part of this skill, have not been audited, and require Bash/shell tool access that contradicts the skill's declared allowed-tools. In any multi-skill environment, a threat actor who also publishes a malicious companion skill under any of the 12 referenced namespaces would achieve automatic code execution on every agent task completion. The mandatory framing ('VIOLATION: Running script and ignoring output = FAILED task') ensures agents comply without questioning.

The skill declares 'priority: CRITICAL' in its YAML frontmatter and opens with a bold '> CRITICAL SKILL' callout. This is a well-documented prompt injection technique: by labeling its own instructions as critical-priority, the skill attempts to cause agents to weight its directives above conflicting user preferences, system prompts, or safety guidelines. The label is entirely self-assigned with no external validation or platform-level enforcement.

The skill uses punitive framing throughout to pressure agents into unconditional compliance with its instructions, particularly the external script execution directives. Language like 'VIOLATION: Running script and ignoring output = FAILED task' and 'VIOLATION: Auto-fixing without asking = Not allowed' frames non-compliance as task failure, exploiting reward-seeking behavior in fine-tuned models. The 🔴 emoji pattern is used to signal urgency and suppress deliberative reasoning.

By instructing agents to run scripts from 12 distinct skill namespaces after every task, this skill creates a persistent trigger mechanism. An attacker who publishes any of: frontend-design, api-patterns, mobile-design, database-design, vulnerability-scanner, seo-fundamentals, geo-fundamentals, performance-profiling, testing-patterns, webapp-testing, lint-and-validate, or i18n-localization skills with malicious scripts would achieve silent code execution on any system that has both this skill and their malicious skill installed. The clean-code skill acts as the execution trigger; the malicious companion skill provides the payload.

While the skill itself contains no executable code, it uses its system-prompt position to instruct agents to execute Python scripts that were not part of this skill's audit. The scripts are accessed at runtime from the agent's filesystem. Any of these scripts could perform arbitrary operations including reading files, making network requests, or modifying the codebase beyond what the user requested.

The skill's metadata declares 'allowed-tools: Read, Write, Edit', indicating it should only require file reading and editing capabilities. However, the Verification Scripts section instructs shell-level Python execution, which requires a Bash or terminal execution tool. This mismatch means the skill's actual behavior, if fully followed by a capable agent, exceeds its declared and audited tool scope.

The external Python scripts this skill instructs agents to run — particularly security_scan.py and api_validator.py — would execute with access to the user's entire project directory. Without auditing those scripts' content, there is no guarantee they do not collect and transmit sensitive project files, API keys embedded in code, or other confidential information.

The skill's installation process was unremarkable. The git clone connected only to GitHub (140.82.121.4:443) as expected. Background connections to 185.125.188.54 and 185.125.190.18 (Canonical/Ubuntu infrastructure) are attributable to normal system processes. No new listeners or persistent connections were established after install. Only the expected two files were written to the skill directory.