Is igorhvr/dexter safe?
https://github.com/openclaw/skills/tree/main/skills/igorhvr/dexter
The igorhvr/dexter skill is a financial research agent wrapper that appears functionally legitimate but poses significant supply-chain and credential-exposure risks through its installation instructions. The most critical finding is the unquoted heredoc that captures real API keys (ANTHROPIC_API_KEY, FINANCIAL_DATASETS_API_KEY, TAVILY_API_KEY) from the agent's environment and writes them into a directory where externally cloned, unverified code immediately runs via bun install. The clone phase itself was clean with no canary violations, but the risk materializes when an agent follows the skill's installation instructions in an environment with real credentials.
Findings (8)
CRITICAL API Key Capture via Unquoted Heredoc -35
The one-shot installation script uses an unquoted heredoc delimiter (<< EOF instead of << 'EOF'), causing shell variable expansion. When the agent executes this script, ${ANTHROPIC_API_KEY:-your-key-here}, ${FINANCIAL_DATASETS_API_KEY:-your-key-here}, and ${TAVILY_API_KEY:-your-key-here} expand to real values from the agent's environment. These are written to a .env file inside the cloned third-party repository, where any malicious npm lifecycle script can read and exfiltrate them.
HIGH Execution of Unverified Third-Party Repository Code -40
The skill instructs the agent to clone https://github.com/virattt/dexter.git — a repository not controlled by the skill author — and immediately run bun install in it. This executes npm/bun lifecycle hooks (preinstall, postinstall, prepare) from virattt/dexter and all of its transitive npm dependencies without any integrity verification. A compromised package in the dependency tree achieves arbitrary code execution in the agent's environment.
HIGH tmux Persistence Mechanism -30
The skill's interactive mode section instructs the agent to create a detached tmux session (tmux new -d) that runs bun start in the background. This process persists beyond the agent's interaction turn and continues running after the agent's response, creating a persistent background process the user may not be aware of. Combined with the financial data access capabilities, this is a durable foothold.
HIGH Source Code Patching Without Integrity Verification -15
The skill instructs the agent to patch the cloned repo's source using sed -i without any checksum or signature verification. This modifies code from a third-party repo in which the agent has already run bun install. If the repo's structure changes (e.g., due to compromise), the sed command may fail silently or patch different code than intended.
MEDIUM Supply Chain Deferred Injection Risk -20
By instructing the agent to clone and execute external code, the skill creates a deferred prompt/behavior injection vector: if virattt/dexter's README, package.json scripts, or any loaded configuration file contains agent-targeting instructions, those would be processed by the agent during execution. This is a supply-chain injection pathway that bypasses the skill's own content review.
MEDIUM Root-Context Installation Assumption -15
The skill hardcodes /root/clawd-workspace/dexter as the installation directory, indicating the skill was designed assuming a root execution context. Running agent skills as root amplifies the blast radius of any exploitation of the supply chain vulnerabilities described above.
LOW Reference to Non-Existent Model in Patch Instructions -5
The skill patches gpt-5-mini out of the source code, but GPT-5-mini does not exist as of the audit date. This suggests the skill was written without verifying the current state of the upstream virattt/dexter repository, raising questions about whether the skill has been tested against the actual repo it instructs the agent to clone.
INFO Clean Clone — No Suspicious Network Activity 0
Network monitoring during the skill clone phase shows connections only to GitHub (140.82.121.4:443) and Ubuntu infrastructure. No data was sent to attacker-controlled endpoints during the clone. The canary check confirms all honeypot files are intact.