
Security: CodePuri/skill-surge


docs/SECURITY.md

skill-surge — Security Policy

Core Principle

Read-only commands are safe. Commands that install skills always require explicit user intent. No automatic skill installation without consent.

Command Safety Matrix

Command   Installs?   Safe?      Notes
hook      No          ✓ Always   Read-only, returns JSON
suggest   No          ✓ Always   Read-only, ranking display
list      No          ✓ Always   Read-only directory listing
config    No          ✓ Always   Read-only config display
scan      Optional    ✓ Yes      Prompts for quick-install consent
init      Yes         ✓ Yes      Requires user to select scope
install   Yes         ✓ Yes      Validates skill name, prompts for agent/scope

Install Command Validation

top-repo skills (source === 'top-repo'):

  • Uses npx skills add <repo> --skill <name> -g
  • Fails fast if npx is unavailable
  • Timeout: 60 seconds per skill

original skills (source === 'original'):

  • Uses fs.copyFileSync from bundled skills/original/<name>/SKILL.md
  • No shell execution — pure file copy
  • Fails if source file is missing

Trivial Task Filtering

The hook command filters out trivial tasks to prevent noise. Tasks matching this pattern always return shouldSuggest: false:

  • Empty or single-token descriptions
  • Simple words: hi, hello, ok, yes, thanks, bye, etc.

This is enforced in src/core/ranker.ts (isTrivialTask()).

Score Calculation (for suggest/rank)

Factor                     Points
top-repo source            +30
original source            +40
Per keyword match          +20
Already installed locally  +15
≥100,000 installs          +25
≥10,000 installs           +10
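The trivial-task filter and the score table above, carried through as one worked example. This is added illustration code, not skill-surge's own ranker.ts: the names Skill, isTrivialTask, scoreSkill and hook, the extra words "hey"/"okay" in the noise list, and treating the install-count tiers as exclusive are assumptions; the point values and filter rules come from this page.

```typescript
// Added example, not skill-surge's own code: a reimplementation of the
// trivial-task filter and the scoring factors described in this policy.
// Names (Skill, isTrivialTask, scoreSkill, hook) and the exclusive install
// tiers are assumptions; the point values and filter rules come from the page.

interface Skill {
  name: string;
  source: "top-repo" | "original";
  keywords: string[];
  installs: number;
  installedLocally: boolean;
}

// Words the hook treats as noise: the page's list plus "hey"/"okay" (assumed).
const TRIVIAL_WORDS = new Set(["hi", "hello", "ok", "okay", "hey", "yes", "thanks", "bye"]);

const SOURCE_POINTS: Record<Skill["source"], number> = { "top-repo": 30, original: 40 };

function tokenize(task: string): string[] {
  return task.toLowerCase().split(/\s+/).filter((t) => t.length > 0);
}

// Empty or single-token input, or input made only of trivial words, is noise.
function isTrivialTask(task: string): boolean {
  const tokens = tokenize(task);
  if (tokens.length <= 1) return true;
  return tokens.every((t) => TRIVIAL_WORDS.has(t.replace(/[^a-z]/g, "")));
}

// Sum the factors from the score table; install tiers are treated as exclusive.
function scoreSkill(skill: Skill, task: string): number {
  const tokens = new Set(tokenize(task));
  let score = SOURCE_POINTS[skill.source];
  score += 20 * skill.keywords.filter((k) => tokens.has(k.toLowerCase())).length;
  if (skill.installedLocally) score += 15;
  if (skill.installs >= 100000) score += 25;
  else if (skill.installs >= 10000) score += 10;
  return score;
}

// Read-only hook: never installs anything, only returns a ranking as plain data.
function hook(task: string, catalog: Skill[]): { shouldSuggest: boolean; ranked: { name: string; score: number }[] } {
  if (isTrivialTask(task)) return { shouldSuggest: false, ranked: [] };
  const ranked = catalog
    .map((s) => ({ name: s.name, score: scoreSkill(s, task) }))
    .sort((a, b) => b.score - a.score);
  return { shouldSuggest: ranked.length > 0, ranked };
}

// Constructed sample catalog entries (not real skills.sh data).
const REACT_SKILL: Skill = { name: "react-best-practices", source: "top-repo", keywords: ["react", "component"], installs: 250000, installedLocally: false };
const REVIEW_SKILL: Skill = { name: "code-review", source: "original", keywords: ["review", "pr"], installs: 0, installedLocally: true };
const SAMPLE_CATALOG: Skill[] = [REACT_SKILL, REVIEW_SKILL];
```

For the task "review this react component", the top-repo skill scores 30 + 2×20 + 25 = 95 and the original skill 40 + 20 + 15 = 75, while "ok thanks" yields shouldSuggest: false before any scoring runs.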

Trust Model

Trusted owners (skills.sh repositories):

  • vercel-labs, anthropics, microsoft, mattpocock, obra, supabase, nextlevelbuilder, codepuri

All skills in the catalog are reviewed. Skills.sh repos are vetted before addition.

Security Checklist

  • No eval() or dynamic code execution
  • No hardcoded credentials or API keys
  • All spawnSync calls have timeouts (60s max)
  • All filesystem operations wrapped in try/catch
  • No fs.writeFileSync without fs.mkdirSync (ensureDir)
  • Error messages don't leak internal paths
  • No external network calls without timeout (25s for skills find)
  • Skill names validated against catalog before install
  • Cache reads always have fallbacks (never throw on corrupt JSON)

Dependency Audit

npm audit

Dependencies: @types/node (dev), typescript (dev) only. No runtime dependencies.

Reporting Security Issues

  1. Do NOT open a public GitHub issue
  2. Contact the maintainer directly at the GitHub repo
  3. Allow 48 hours for initial response
