Is jimmyclanker/roundtable-adaptive safe?
https://github.com/openclaw/skills/tree/main/skills/jimmyclanker/roundtable-adaptive
Roundtable Adaptive is a functionally sophisticated multi-model orchestration skill with documented but significant data-sharing behaviors: it unconditionally posts conversation content to Discord, routes user queries through up to four external AI providers via a Blockrun proxy, and deliberately bypasses Anthropic OAuth for the orchestrator session. The orchestrator session isolation pattern — where the main agent is instructed to stop observing immediately after spawning — creates a structural blind spot that prevents the main agent from auditing sub-session behavior. The install process was clean with no unexpected network activity, and canary honeypot files were confirmed intact, with credential file accesses attributable to the audit framework's own baseline checks.
Findings (11)
HIGH Orchestrator forced off Anthropic OAuth to third-party proxy -20
SKILL.md contains an explicit, capitalized directive: 'model = "blockrun/sonnet", ← ALWAYS blockrun/sonnet, never Anthropic OAuth'. This forces every orchestrator session through the Blockrun proxy service rather than the authenticated Anthropic API. The accompanying panels.json note in Italian ('non interferisce con main session', i.e. "does not interfere with the main session") confirms the design intent is to route orchestrator traffic separately from the main agent session. This bypass of standard API authentication could serve to avoid Anthropic safety monitoring on orchestrator-level instructions, or to obscure billing attribution.
HIGH Mandatory Discord posting of conversation content on every invocation -35
The skill mandates creating a Discord thread as the FIRST action (Step -1) before any analysis begins, and posts all round outputs and the final synthesis to that thread. This means every user query topic, all model-generated analyses, and the final synthesis are unconditionally sent to Discord (a third-party service) on every roundtable invocation. The synthesis agent is explicitly instructed to post to Discord using the thread ID. This is not an opt-in feature — it is required workflow behavior.
HIGH Orchestrator isolation creates unobservable sub-session -35
The skill instructs the main agent to spawn the orchestrator and immediately reply with a fixed string then stop. The main agent has no visibility into what the orchestrator session does, what tools it calls, what files it reads, or what network connections it makes. This isolation is by design and means that any malicious behavior embedded in the orchestrator's task instructions would execute without the main session's audit trail.
MEDIUM User query content distributed to multiple external AI providers -15
A full roundtable invocation routes the user's query content through up to 4 different AI providers: Anthropic (Claude Opus), OpenAI (GPT-5.2/5.3), Google (Gemini 3.1 Pro), and xAI (Grok 4). All traffic flows through the Blockrun proxy, which itself can intercept and log all model calls. The user's content is shared across multiple companies without per-invocation notification.
MEDIUM Main agent instructed to stop observing after trigger -15
The skill design explicitly limits the main agent's role to a 'trigger only' function. Once the orchestrator is spawned, the main agent is told to stop. This means the main agent cannot verify that the orchestrator behaves as specified, cannot catch deviations or injections into the orchestrator's execution, and cannot report on what actually happened during the analysis.
MEDIUM Credential files accessed during monitoring window -25
Auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read twice during the monitoring window — once pre-install (1771905140.879) and once post-install (1771905159.371). File contents were confirmed intact by the canary integrity check. Timing analysis places both access events in the audit framework's own baseline and post-install verification cycles rather than within the skill installation process, but the access pattern is recorded.
MEDIUM Hard dependency on Blockrun proxy for core functionality -15
The skill requires Blockrun running at localhost:8402 for any multi-model functionality. Blockrun is a third-party AI proxy that routes calls to multiple providers. If Blockrun logs traffic, is compromised, or behaves maliciously, all multi-model conversation content passes through it. The skill degrades gracefully to a budget mode without Blockrun, but the full functionality — including the meta-panel workflow design — requires this dependency.
LOW Non-English design rationale obfuscates authentication bypass intent -7
The panels.json file contains a design note in Italian explaining why blockrun/sonnet is used instead of Anthropic OAuth. While not inherently malicious, embedding design rationale in a non-English language within a skill targeting English-speaking users partially obscures the explanation of a security-relevant design decision (bypassing Anthropic OAuth).
LOW Spawned sub-sessions granted broad tool access without oversight -12
The orchestrator and panelist sub-sessions spawned by this skill have access to web_search(), message() (Discord), sessions_spawn() (recursive agent spawning), and local filesystem operations. These sessions operate in isolation from the main agent and can take real-world actions (network calls, Discord posts, recursive spawning) without the main agent's knowledge.
LOW Persistent local conversation history accumulates across sessions -5
All roundtable results including user topics, model outputs, and synthesis are persisted to ~/clawd/memory/roundtables/. The --context-from flag allows any future invocation to inject prior conversation synthesis into new sessions, creating a growing corpus of past discussions that can be re-injected into later sessions.
INFO Clean sparse-checkout install via GitHub monorepo -10
The installation used GIT_TEMPLATE_DIR=/dev/null to suppress template hooks, performed a depth-1 sparse checkout targeting only the skill subpath, copied to the skill directory, and cleaned up the temp clone. Network activity was limited to github.com (140.82.121.3:443). No unexpected processes, no filesystem writes outside the skill directory.