Security risk report for @forgecat/openai_skills_system-skill-creator v0.0.10
Source Integrity
Low
Profile claims OpenAI as author with a GitHub repository link; source is declared and traceable.
No obfuscated or suspicious origin indicators; metadata is transparent and verifiable.
Agent Intent
Low
Content is educational guidance on skill creation best practices; no instructions to manipulate the AI agent or bypass controls.
No directives to read credentials, exfiltrate data, reveal system prompts, or install malicious payloads.
Guidance emphasizes context efficiency, appropriate degrees of freedom, and modular design—all legitimate software engineering principles with no hidden malicious intent.
Details
Evidence
'Skills are modular, self-contained folders that extend Codex's capabilities'
'Default assumption: Codex is already very smart. Only add context Codex doesn't already have.'
'Keep SKILL.md body to the essentials and under 500 lines to minimize context bloat.'
Permissions
Low
No tools or hooks are declared in this profile; it is purely instructional documentation.
The skill provides guidance only—no file operations, shell execution, network access, or subagent invocation are requested.
Authority is limited to reading and interpreting the skill's own markdown content.
Details
Evidence
'Declared tools (normalized categories; paths are untrusted) (none declared)'
'MCP servers (untrusted data) (none)'
MCP Risk
Low
No MCP servers are defined or referenced in the profile.
The profile contains only documentation and guidance; no binary execution, network calls, or filesystem access are configured.