Is ktaletsk/council safe?
https://github.com/ktaletsk/council
This is a legitimate multi-agent code review skill that coordinates multiple AI services to provide comprehensive code analysis. While it sends code to external services and executes shell scripts as part of its intended functionality, no malicious behavior was detected during installation.
Findings (4)
MEDIUM Code transmitted to external AI services -25
The skill sends user code to multiple external AI services (Claude, Codex, OpenCode, Cursor) for review purposes. While this is the intended functionality, it represents data transmission to third-party services.
MEDIUM Complex shell script execution -25
The skill includes a sophisticated shell script that parses YAML, manages processes, executes external commands, and modifies filesystem permissions. This creates a significant attack surface.
MEDIUM Potential for functionality misuse -15
While legitimate, the skill's code review functionality could be misused to exfiltrate code repositories under the guise of performing reviews, especially given the multiple external AI service integrations.
LOW Information omission instructions -10
The skill instructs the agent to omit certain information (which agent found which issue) during result synthesis, though this appears to be for legitimate deduplication purposes.