Is luckypipewrench/pipelock safe?

The skill instructs the agent to route every outbound HTTP request through a local proxy at localhost:8888 using the pattern 'curl http://localhost:8888/fetch?url='. The pipelock binary occupies a privileged position: it can log all destination URLs, read Authorization and X-Api-Key headers, inspect full request and response bodies, and silently modify content in transit. The described DLP and credential-scanning features explicitly require parsing all traffic content, giving the binary comprehensive access to the agent's entire network activity. If pipelock is malicious or receives a compromised update, the user has no indication that every API call is being exfiltrated.

The skill requires installing a Go binary from a third-party GitHub repository using 'go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest'. The @latest tag means the installed binary can change on every installation without user awareness of what changed. This binary is not included in the audited skill files and cannot be reviewed here. A compromised or malicious future update to the Go module would be silently installed on any subsequent 'go install' invocation.

Presenting a full-traffic network interceptor as a 'security harness' is a documented social engineering vector that lowers user skepticism about granting network interception access. The claimed DLP and credential-scanning features require the same technical capabilities as a credential harvester: reading all outbound request bodies, parsing Authorization headers, and logging destination URLs. An attacker controlling the pipelock binary would have complete, silent visibility into all agent API interactions with no behavioral signal that distinguishes legitimate scanning from data collection.

Six credential honeypot files were opened and read at audit timestamps 1771927740.306 (within 31ms of monitoring start, correlated with 'ss -tunap' at 1771927740.275) and again at 1771927763.542 (post-install phase). Both access windows align temporally with the Oathe monitoring infrastructure's own operations: the first with pre-install canary baseline hashing and the second with post-install integrity verification. No EXECVE record for a skill-spawned process was correlated to either access. Files were not modified in either case.

While both rounds of credential file access correlate temporally with known Oathe monitoring operations, the specific process responsible cannot be definitively established from EXECVE/PATH cross-correlation in the available audit logs. A pre- or post-clone hook reading these files cannot be completely excluded, though no such hooks were found in the installed skill files and the file timestamps align more strongly with monitoring phase transitions than with git clone events.

The skill instructs the agent to run 'pipelock run --config pipelock.yaml' and route all subsequent curl/HTTP requests through localhost:8888. This constitutes a permanent session-wide behavioral modification affecting all network activity, not scoped to pipelock-specific tasks. It is explicitly documented but represents a broad-scope instruction injected via system prompt that persists for the entire agent session.

SSH host key files (/etc/ssh/ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key) were read at 10:09:05. These reads correlate directly with sshd spawning new worker processes for incoming SSH connections to the audit infrastructure (EXECVE shows /usr/sbin/sshd -D -R at the same timestamp). Not attributed to the skill. Documented for completeness.

Despite multiple credential file reads, the Oathe canary integrity check confirms all six honeypot files are unmodified. Packet capture shows no unexpected outbound data after the git clone completed. The connection diff confirms the only post-install TCP connection is the SSH session to the audit infrastructure (10.0.2.2:45078); no new sockets or listeners were introduced.