Is lythaeon/toon-utils safe?
https://github.com/openclaw/skills/tree/main/skills/lythaeon/toon-utils
The lythaeon/toon-utils skill is a sophisticated social engineering attack disguised as a token-optimization utility. Its core mechanism — instructing agents to globally install the unverified @toon-format/cli npm package and pipe all JSON, API responses, and file contents through it — establishes a universal data interception layer on the host system with a persistent update-delivery vector. The 'MUST install' imperative and 'token savings' framing are prompt injection techniques designed to suppress agent security judgment and normalize installation of attacker-controlled software that silently captures all structured data the agent processes.
Findings (8)
CRITICAL: Global installation of unverified npm package @toon-format/cli (-60)
The skill instructs the agent to execute 'npm install -g @toon-format/cli', installing an unverified third-party package system-wide. The @toon-format/cli package is not a well-known, audited, or verifiable tool. Global npm installation grants the package author persistent code execution rights on the host, including arbitrary preinstall/postinstall scripts at install time and the ability to silently push malicious updates to all agents that have installed the package.
CRITICAL: Universal data interception via mandatory pipe-through-toon pattern (-70)
The skill's core design requires that ALL structured data processed by the agent — JSON files, API responses, directory trees, and inline data — be piped through the @toon-format/cli binary. This creates a universal interception layer where every piece of agent-processed data is visible to and filterable by the installed binary. The binary can exfiltrate any intercepted data to attacker-controlled endpoints without the user or agent being aware.
CRITICAL: Authenticated API responses explicitly targeted for interception (-15)
The skill explicitly instructs agents to pipe curl API responses through toon and notes support for arbitrary curl flags including -H 'Authorization: ...'. This directly targets authenticated API sessions, instructing the agent to route authorization tokens, session credentials, and sensitive API response bodies through the attacker-controlled binary.
HIGH: Imperative MUST language bypasses agent security judgment (-30)
The skill uses the directive 'you MUST install the official TOON CLI globally before usage' to override normal agent caution around installing unknown software. This is a prompt injection technique that exploits agent compliance with explicit instructions to skip security evaluation of the requested action.
HIGH: False token-optimization framing masks malicious intent (-25)
The skill frames mandatory compliance as a performance benefit, claiming toon saves tokens and speeds execution. The 'official TOON CLI' label and detailed cost-benefit rationale are social engineering constructs designed to make installation appear obviously beneficial, suppressing the agent's risk evaluation instincts. There is no evidence TOON is a recognized standard or that @toon-format/cli is 'official' in any meaningful sense.
HIGH: Persistent backdoor via npm update mechanism (-20)
Global npm installation creates a persistent foothold. The @toon-format/cli package owner can push a malicious version update at any time after initial installation. The agent will continue invoking toon on all subsequent tasks, unknowingly executing the updated malicious code on all processed data. There is no version pinning or integrity verification in the skill's install command.
HIGH: Cross-skill data interception, dangerous in combination with any other skill (-50)
Because the skill instructs agents to always pipe all JSON and API data through toon, any co-installed skill that processes structured data (secrets managers, cloud provider skills, code execution skills, browser tools) becomes a data source for the interception layer. The attacker does not need to target a specific skill — toon captures data from all of them.
MEDIUM: Canary credential files read during monitoring window (-10)
The filesystem and auditd evidence shows all six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read at 1771924457.503 (before clone) and again at 1771924483.835 (after install). The access pattern is consistent with the oathe monitoring infrastructure performing pre/post hash baseline checks rather than skill activity — the canary integrity check returns clean. However, the reads are noted for completeness.