Is obra/superpowers safe?

The subagent-driven-development skill explicitly instructs the agent never to pause for user review between tasks, reducing human oversight opportunities during operations that may involve file writes, code commits, test execution, and branch management across many steps.

The using-superpowers skill explicitly positions itself above the default system prompt in an instruction priority hierarchy, stating that skills override default system behavior. This framing could cause agents to deprioritize safety guidelines or behavioral constraints established by operators in system prompts.

The using-superpowers skill uses capitalized absolute commands and removes agent discretion for skill selection, mandating invocation on a 1% relevance threshold and forbidding any rationalization. This eliminates the agent's ability to make contextually appropriate decisions about when skills are actually useful.

The using-superpowers skill uses an XML tag to detect subagent execution context and conditionally skip itself. This creates asymmetric behavior between top-level and subagent contexts that could be exploited to bypass intended skill enforcement in orchestrated agent pipelines.

The subagent-driven-development skill instructs the agent to limit narration between tool calls to at most one short line. While framed as efficiency, this reduces the user's ability to track what operations are being performed during autonomous task execution.

The brainstorming skill includes a CJS-format WebSocket server and supporting scripts that launch a persistent local network service on the user's machine. While framed as a visual brainstorming companion, this creates a new localhost attack surface and establishes a persistent process during agent sessions.

Session hooks execute at agent startup injecting SKILL.md content into context; pre-commit hooks run on git operations; subagent-driven-development scripts (review-package, task-brief, sdd-workspace) execute during orchestrated task runs. All appear to serve legitimate purposes but represent a significant code execution footprint.

Six sensitive canary files were opened and read in read-only mode at timestamp 22:05:16, approximately 6 seconds before the git clone at 22:05:22. The timing, the CLOSE_NOWRITE access pattern, and the ✅ canary integrity confirmation all indicate the audit framework itself accessed these files during setup. The skill did not cause these accesses.

The only external network connection was to 140.82.121.4:443 (github.com) for the git clone operation. No unexpected network connections were established, no post-install listener services were created, and the connection state was identical before and after installation.

The combined effect of continuous execution, subagent dispatch per task, and minimal narration means a user invoking subagent-driven-development could trigger dozens of file writes, git commits, and test runs before the next natural review point. An error in the plan or a confused subagent can cause widespread damage without the human in the loop.

Operators using this skill in a deployment where the system prompt establishes behavioral guardrails (e.g., 'never commit without human approval') may find those guardrails treated as lower-priority than skill instructions, since the skill explicitly places itself above the default system prompt.

The SDD skill stores a cross-session progress ledger at .superpowers/sdd/progress.md in a git-ignored location. While designed for resilience against context compaction, this hidden state file is invisible to git history review and could be used to persist information or instructions that survive session resets.