Is hadifarnoud/pakat safe?

Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened with read-only access (CLOSE_NOWRITE) twice during the monitoring period. The first batch at timestamp 1771926028.566 correlates precisely with sudo/PAM module initialization before the skill was installed. The second batch at 1771926051.703 correlates with the audit framework's post-install canary verification pass. No network transmission of canary content was observed. The skill (pure Markdown) has no mechanism to access these files.

The skill instructs the agent to pass PAKAT_API_KEY via curl -H 'X-API-KEY: $PAKAT_API_KEY'. While using a header (rather than a URL query parameter) is the correct approach to avoid server-log leakage, the key value appears in the process argument list accessible via /proc or ps to other local processes with appropriate permissions.

The skill grants the hosting agent full ability to create mailing lists, add subscribers, send bulk campaigns, and dispatch transactional emails from the user's verified sending domains. If the agent is manipulated via prompt injection from user input or other skills, this capability could be abused to send spam or phishing messages at scale. The risk is inherent to the skill's declared purpose, not a hidden behavior.

The skill proactively includes defensive guidance instructing the agent to use heredocs for base64 encoding of user-provided HTML content rather than echo with unsanitized input. This demonstrates security awareness and reduces shell injection risk when handling untrusted campaign content.

The skill contains only Markdown documentation files (SKILL.md, references/api_reference.md) and reference data (references/openapi.json, _meta.json). No scripts, package managers, git hooks, submodules, or symlinks were found.