Is hichana/one-skill-to-rule-them-all safe?
https://github.com/openclaw/skills/tree/main/skills/hichana/one-skill-to-rule-them-all
OSTRTA is a legitimate defensive security skill consisting entirely of static markdown documentation with no executable code, install hooks, or active exfiltration mechanisms. The skill's primary risk profile is structural rather than malicious: its core function of processing untrusted skill content creates an unavoidable indirect prompt injection attack surface, and its exhaustive documentation of detection patterns doubles as an adversary evasion roadmap. Canary files were intact, clone behavior was clean, and all observed credential file accesses are consistent with the Oathe audit system's own baseline routines rather than any skill-triggered activity.
Findings (8)
MEDIUM Structural Indirect Prompt Injection Attack Surface -30
The skill's stated purpose requires reading and semantically processing untrusted SKILL.md content in the agent's live context window. A malicious author who knows OSTRTA will analyze their skill can craft content that appears benign to pattern-matching detection while embedding indirect injection instructions that trigger during the analysis pass (e.g., wrapping a prompt injection inside a comment, alt-text, or deeply nested section that OSTRTA's pattern scanner doesn't reach before the LLM processes it). The skill acknowledges Category 8 (Indirect Injection) as INFO-severity only, significantly underweighting this risk for a skill that processes exclusively third-party content.
LOW Exhaustive Detection Pattern Roadmap for Adversaries -20
OSTRTA documents all detection triggers with sufficient specificity that an attacker can pre-screen any malicious skill against the full rule set before submission. The prompt injection section lists exact trigger strings; the obfuscation section describes every encoding technique with detection logic; the whitelisted domain list specifies which exfiltration endpoints evade flagging. This is a complete evasion checklist embedded in the skill's own documentation.
LOW Dual-Phase Credential File Access Events -16
Filesystem monitoring recorded read accesses to six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) at two distinct points in the monitoring window: the initial baseline phase (04:03:33 / audit 1771905813.738) and again post-install (audit 1771905836.924). The canary integrity check confirms no exfiltration occurred and content was not modified. Both rounds are consistent with the Oathe audit system's canary placement and post-install verification routines rather than skill-triggered access. The SKILL.md contains no file-read commands.
LOW Attack Pattern Content Active in System Prompt Context -18
When OSTRTA is installed as an active skill, its full content — including base64-encoded malicious payloads, prompt injection example strings, and exfiltration command templates — becomes part of the agent's system prompt context. Research indicates that the presence of jailbreak and injection patterns in a model's context can lower resistance to subsequent similar instructions. While each example is framed as illustrative, the cumulative volume of such content is atypically high for a skill document.
LOW Unconditional Domain Whitelist Creates Supply Chain Blind Spot -10
OSTRTA's exfiltration detection explicitly marks github.com, githubusercontent.com, npmjs.com, registry.npmjs.org, and pypi.org as unconditionally safe. These same platforms are increasingly used in supply chain attacks (typosquatting npm packages, malicious PyPI uploads, compromised GitHub repos) to serve payloads. A malicious skill that downloads a secondary payload from raw.githubusercontent.com would receive a clean verdict under OSTRTA's current logic.
INFO No Executable Code Present — Clean Static Install 0
Installation produced only two static files. No scripts, hooks, or executable artifacts of any kind were found. The install process followed a minimal, auditable path.
INFO All Canary Files Intact 0
Honeypot credential files placed by the audit system were not accessed, modified, or exfiltrated by anything attributable to the skill under test.
INFO Install Network Activity Confined to GitHub 0
All network connections during the install window were to expected destinations. No beaconing, C2, or data exfiltration connections were observed.