skills/akillness/jeo-skills/ponytail/Gen Agent Trust Hub

ponytail

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a shell script scripts/install.sh designed to detect the agent runtime (e.g., Claude Code, Codex, Gemini) and execute the corresponding plugin installation commands. This execution is conditional and requires the APPLY=1 environment variable to be set by the user.
  • [EXTERNAL_DOWNLOADS]: The installation instructions and script reference external repositories for plugin data, specifically github.com/DietrichGebert/ponytail (upstream) and github.com/akillness/oh-my-skills (catalog). It also utilizes npx to fetch the skills CLI tool during setup.
  • [PROMPT_INJECTION]: The skill contains defensive instructions in the 'Edge Cases & Pitfalls' section, explicitly ordering the agent to never cut code related to trust-boundary validation, data-loss handling, security (authn/authz, secrets, injection defenses), or accessibility.
  • [DATA_EXFILTRATION]: The skill uses Grep, Glob, and Read tools to audit the repository for tech debt markers (ponytail:) and over-engineering patterns. While this involves broad filesystem access, no patterns of external data exfiltration were detected.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 02:29 AM
Security Audit — agent-trust-hub — ponytail