Oathe Security Badge

Is glittercowboy/taches-cc-resources safe?

https://github.com/glittercowboy/taches-cc-resources

Score: 72 · CAUTION

This is a legitimate Claude Code workflow toolkit (TÂCHES) containing productivity skills for creating hooks, subagents, plans, MCP servers, and debugging workflows. No malicious code, prompt injection, or active exfiltration was detected. The primary concerns are a Pirate Bay skill that facilitates torrent downloading (copyright infringement risk), a Ralph autonomous loop that auto-backs up project code to GitHub by default, and multiple skills that execute bash commands on invocation for filesystem discovery.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 79/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 94/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 52/100 · 5%

Findings (7)

HIGH · Pirate Bay skill facilitates copyright infringement · -18

skills/the-pirate-bay/SKILL.md provides full instructions for automating torrent searches on The Pirate Bay, extracting magnet links, and opening them in a torrent client. It includes a working TypeScript script (tpb.ts) that calls the apibay.org JSON API. An agent with tool access could autonomously download copyrighted content at the user's direction or via skill auto-routing.

MEDIUM · Setup Ralph auto-pushes code to GitHub without per-push confirmation · -12

The setup-ralph skill template configures a build loop that automatically creates a private GitHub repository and pushes after every commit. Users working in directories with proprietary or sensitive code could have that code automatically backed up to GitHub without per-push approval. The feature can be disabled with RALPH_BACKUP=false but is enabled by default.

MEDIUM · Skills execute bash commands on every invocation · -10

The debug-like-expert and create-plans SKILL.md files contain bash commands embedded in sections that execute automatically when the skill is invoked. These commands scan the local filesystem (find, ls), check git state, and probe ~/.claude/skills/expertise/. Although the commands themselves are benign, this is code execution triggered merely by the skill being loaded into the system prompt.

MEDIUM · MCP server setup scripts install packages from the internet · -8

The create-mcp-servers skill includes shell scripts (setup-typescript-project.sh, setup-python-project.sh) that run npm install and uv commands to download packages from npm and PyPI. If an agent executes these scripts as part of MCP server creation, it introduces supply chain risk from third-party packages.

LOW · Extensive MUST/NEVER/ALWAYS language modifies agent behavior at scale · -5

Multiple SKILL.md files use strong modal imperatives (NEVER, MUST, ALWAYS, CRITICAL) to enforce behavioral rules on the agent. While this is common in legitimate skills, the cumulative effect of 9+ skills all modifying agent behavior simultaneously could produce unexpected interactions, particularly around git operations, file creation, and tool invocation.

LOW · The Pirate Bay skill makes undeclared external API calls to apibay.org · -7

The tpb.ts TypeScript script in the-pirate-bay skill contacts apibay.org at runtime. Although this is the skill's declared functionality, the apibay.org call does not appear in any user-visible network request log, so the user's search terms are transmitted to a third-party server without the user seeing the request.

INFO · Canary files accessed pre-install by monitoring setup process · 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at 23:12:11 — 6 seconds before the git clone began at 23:12:17. Auditd records confirm the accesses originated from the sudo/monitoring-setup process (ppid=1087, pid=1105), not from skill code. All files were opened read-only (CLOSE_NOWRITE) with no data transmitted externally.