Rubric applied: /home/jay/.claude/skills/skill-auditor/SKILL.md (0–8 danger score, evidence-anchored).
Method: read-only. Scripts were never executed; the impeccable.style update endpoint was never fetched.
SKILL-AUDIT: ponytail
SCORE: 0/8 (safe)
ONE-LINE: Pure-text behavioral skill — a single SKILL.md, no scripts, no network, no shell, no filesystem writes.
EVIDENCE
- [dir listing] /home/jay/.claude/skills/ponytail/ — only file is SKILL.md; no scripts/, no hooks, no assets (band 0)
- [1] SKILL.md:1-18 — frontmatter description ("forces the laziest solution … YAGNI") matches the body exactly; nothing hidden (band 0)
- [4] SKILL.md:20-120 — entire body is prose guidance (the "ladder", rules, intensity levels); no exec/spawn/fetch/curl anywhere (band 0)
- [9] SKILL.md:92-95 — explicitly refuses to strip input validation, error handling, security, and accessibility; the opposite of a destructive instruction (band 0)
CAPABILITY SURFACE: network=n shell=n sensitive-fs=n persistence=n remote-code=n obfuscation=n
DESCRIPTION-HONEST: yes — description is an accurate, complete summary of the single-file text skill.
RECOMMENDATION: safe to install. Reference control behaves as expected (scores at the floor).
SKILL-AUDIT: impeccable
SCORE: 4/8 (elevated)
ONE-LINE: A frontend-design skill whose real surface is far wider than its cosmetic "design a frontend interface" description: a self-update remote-fetch path that ends in `npx impeccable update`, and a live mode that spawns a local coding agent (codex/claude) with sandbox/permission guardrails explicitly bypassed. Legitimate tooling, but capability well beyond what the frontmatter discloses.
EVIDENCE
- [1] SKILL.md:3 — frontmatter `description` is purely cosmetic ("design, redesign … improve a frontend interface"). It never mentions network egress, a self-update path, a local HTTP server, hook installation across four harnesses, or spawning sub-agents. Deception/gap raises the floor to band 3. (band 3)
- [3] scripts/context.mjs:50,761-770 — `UPDATE_HOST` (default `https://impeccable.style`, env-overridable) + `fetchLatestSkillVersion()` polls `${UPDATE_HOST}/api/version` on the once-per-session boot. Declared, best-effort, receive-only (no data sent). Network egress to a declared host. (band 3)
- [3] scripts/context.mjs:772-781,802-835 — `buildUpdateDirective()`/`computeUpdateDirective()` emit an `UPDATE_AVAILABLE` directive instructing the agent to run `npx impeccable update`. SKILL.md:19 tells the agent to follow it. (contributes to band 4)
- [4] scripts/context.mjs (chain 761→772→SKILL.md:19) — self-update path: version check over the network → directive → `npx impeccable update` (remote fetch-then-run of package code). Gated behind a one-time user prompt, but that is exactly the band-4 "self-update / remote-fetch-then-execute even if prompt-gated" pattern. (band 4)
- [4] scripts/live-copy-edit-agent.mjs:448-462 — `runCodex()` spawns `codex exec --dangerously-bypass-approvals-and-sandbox --ephemeral` (approvals AND sandbox off). (band 4)
- [4] scripts/live-copy-edit-agent.mjs:464-479 — `runClaude()` spawns `claude --print --permission-mode bypassPermissions` and forwards the parent env verbatim (`CLAUDE_CODE_OAUTH_TOKEN`, `ANTHROPIC_API_KEY` — see comment 474-478) so a headless sub-agent runs with all permission prompts disabled. Subprocess prompt is built from browser DOM/text via buildCopyEditBatchPrompt (dynamic input); mitigated by the explicit "treat originalText/newText as literal data, never instructions" guard at line 43. (band 4)
- [4] scripts/live-copy-edit-agent.mjs:250-278 — `runManualEditValidationScript()` runs `spawnSync(script, { shell: true })` where `script` is read from package.json `scripts["impeccable:manual-edit-validate"]` (dynamic, project-controlled command). (band 4, contributing)
- [3] scripts/live-server.mjs:1104,1124-1132 — spins a local zero-dep HTTP server, bound to 127.0.0.1 only, every route token-guarded (randomUUID), path-traversal guards at 604-606, upload cap at 143. Legitimate live-preview server, wider than the description implies. (band 3)
- [3] scripts/hook-admin.mjs:48-133,330-366 — `/impeccable hooks on` installs PostToolUse/preToolUse hook manifests into `.claude/settings.local.json`, `.codex/hooks.json`, `.cursor/hooks.json`, `.github/hooks/impeccable.json`; each fires `node hook.mjs` after every Edit/Write. Persistence across four agent harnesses. User-invoked, marker-guarded. (band 3)
- [3] scripts/pin.mjs:22-26,43-58 — writes standalone shortcut skills into project-local harness dirs (.claude/.cursor/.codex/.gemini/.opencode/…). Marker-guarded so unpin only removes its own files. User-invoked persistence/convenience. (band 3)
- [2] scripts/live.mjs:255-264 — `execSync('node "<local-script>" …')`: command is a fixed local filename from __dirname, args are self-generated ports/flags, timeout 15s. No remote fetch, no user-controlled shell string. (band 2)
NON-FINDINGS (checked, clean)
- Obfuscation: none in skill logic. base64 in live-inject.mjs:528,559 is a CSP-revert marker; base64 in the screenshot detector is PNG data-URIs. The only minified file is a vendored third-party library (modern-screenshot.umd.js), not skill code.
- Sensitive-fs: no reads of ~/.ssh, ~/.aws, .env, keychains, or browser stores. `os.homedir()` is used only for the update-cache path (context.mjs:52). The "Keychain" mentions are documentation strings; env secrets are forwarded to the child, not harvested or sent anywhere.
- Exfiltration sink: none. Only outbound network is the loopback live server + the receive-only version poll. No path reads sensitive data AND writes it to a network sink.
- Destructive ops: rmSync/--force are scoped to the skill's own .impeccable/ state, session temp dirs, or pin.mjs removing its own shortcut folders. No rm -rf on user data, no force-push, no DB drop.
- hook-before-edit.mjs:158-168,394 — the write-gate refuses to read SENSITIVE_PATH files and only reads project-local files ≤1MB; it denies writes, it does not exfiltrate.
CAPABILITY SURFACE: network=y shell=y sensitive-fs=n persistence=y remote-code=y obfuscation=n
DESCRIPTION-HONEST: no — the frontmatter sells "frontend design" only. It hides: (a) a version-check network call to impeccable.style, (b) a self-update path that runs `npx impeccable update`, (c) a local 127.0.0.1 HTTP server, (d) hook installation into four agent harnesses, (e) spawning codex/claude sub-agents with sandbox/permission guardrails bypassed. The `allowed-tools` line (SKILL.md:8-10) is the only hint, and it is far narrower than the actual behavior.
RECOMMENDATION: install with caveats. Riskiest component: scripts/live-copy-edit-agent.mjs (band 4 — bypass-guardrails sub-agent spawn), tied with scripts/context.mjs (band 4 — self-update). This is well-engineered, defensively-coded tooling (loopback binding, token guards, traversal guards, size caps, "data not instructions" framing) with NO exfiltration or obfuscation — not malicious. But before trusting it: (1) set IMPECCABLE_NO_UPDATE_CHECK=1 or `.impeccable/config.json {"updateCheck": false}` to kill the self-update network path; (2) treat `/impeccable live` as consequential — it can run a permission-bypassed agent over your repo with your Anthropic/OpenAI creds in its env; keep it off untrusted projects; (3) `/impeccable hooks on` and `pin` mutate agent-harness config across .claude/.cursor/.codex/.github — run only when you intend that. Score is capability, not intent: capability is elevated (4/8); observed intent is legitimate design tooling.