skills / reports / dogfood-loadedrepos-audit.html

Dogfood: the 7 security auditors vs. 24 real repos (loadedrepos/)

Date: 2026-07-04 · Auditor: Claude Opus 4.8 applying the amaniagent/skills security family

(skill · repo · answer · dependency · mcp · prompt-injection · settings). READ-ONLY: nothing

installed, executed, or fetched; every finding is a static read.

Method (honest scope): a signature sweep across all 24 repos for the auditors' own greppable

patterns (fetch-then-exec, decode-then-eval, install-redirect, committed secrets, injection

phrases, dangerous hooks/permissions, LD_PRELOAD, pull_request_target), then a **targeted

deep-read of every hit**. Surface: 24 repos, 213 SKILL.md, 209 manifests, 83 CI workflows,

3 .claude/settings*.json, 1 .npmrc. This is triage + deep-read on hits — not a line-by-line

of all 213 skills; a deeper pass could sample more skills individually.

Overall verdict: clean, with three mild legitimate-but-broad findings

**No malware, no exfiltration shape, no obfuscation, no committed secrets, no dangerous auto-run

hooks** were found. Three findings are legitimate capabilities worth knowing about, not attacks.

The headline is as much about **what the auditors correctly did *not* flag** (below).

Findings (ranked)

1. CLI-Anything — registry-driven curl … | bash execution · repo-auditor 4/8 (elevated)

when they contain a pipe; the comment states *"Commands come from the trusted registry, not user input."*

(unpinned, third-party host, no checksum). install_strategy: "script" makes this a first-class registry shape.

manager), so the capability is by-design — but the security model is "trust the registry," and a

malicious/compromised entry = arbitrary code execution on the user's machine. curl|sh at

installer.py:59 is only a hint string (not executed) — correctly not counted.

package-manager strategies over script.

2. Apple-Developer-Documentation-Offline-Archive/.claude/settings.local.json · settings-auditor 4/8 (elevated)

source broadly, so the human-in-the-loop is removed for network fetches and arbitrary package

installs. Convenience config for a doc-scraper, not malicious; the gate is just wide.

3. AFFiNE/.npmrc — Electron binary mirror redirect · dependency-auditor 3/8 (notable)

download to a (reputable) China mirror. No package registry= redirect, no _authToken.

redirect worth knowing for a security-sensitive build. shell-emulator=true is a benign yarn flag.

What the auditors correctly did NOT flag (fairness + honesty rules held) — the real dogfood win

Security Considerations section warning that *malicious websites* could put that text in ARIA

labels. prompt-injection-detector: DIRECTED-AT-AGENT: noCLEAN. The skill is being

responsible, not injecting. (A naive keyword scanner would false-positive here.)

→ benign guidance that tells the agent to *ask*, the opposite of injection → skill-auditor 0/8.

code that *uses* those features — not a shipped config attacking the user. Not settings findings.

narrow build-only → settings-auditor 1/8.

with persist-credentials: false → the *safe* pattern → repo-auditor 2/8, flagged-then-cleared.

Takeaway

The auditors surfaced the three real (mild) capabilities and produced zero false alarms on the

tempting look-alikes — security *documentation* that quotes an injection string, framework code that

uses bypassPermissions, and a labeler that uses pull_request_target safely. Distinguishing

*capability from intent* and *agent-directed from human-facing* is exactly where a keyword grep

fails and these rubrics earned their keep.