cdo
Audited by Socket on Mar 21, 2026
2 alerts found:
Anomaly / Obfuscated File (SUSPICIOUS): The core orchestration capabilities fit the stated deliberation purpose, so this is not fundamentally incompatible or overtly malicious. Risk comes from broad agent/write/bash powers, automatic skill expansion, persistent logging, and especially `lev-exec` sending context to external model tooling, including third-party OpenRouter, which creates a real data-exposure and trust-boundary concern.
This protocol is a high-risk prompt-injection and local supply-chain pattern: it prescribes reading local skill files and pasting their full contents verbatim into agent briefs without validation or sandboxing. The fragment itself is not malware, but adopting this workflow without strong mitigations (integrity checks for skill files and the CLI, static scanning for dangerous instructions, capability restrictions on agents, review and provenance tracking, sandboxed execution) creates a significant risk that compromised or malicious skill files can cause agents to exfiltrate data, execute commands, or otherwise perform unauthorized actions. Recommend adding mandatory integrity verification (signatures/checksums), static content scanning, allowlists for permissible operations, explicit capability restrictions for agents, and human review steps before injection.