The skill falsely claims to provide isolation while granting unconstrained Bash access to an external model, enabling arbitrary code execution and data exfiltration without human oversight or security controls.
npx skills add https://github.com/yarrasys/extensionsThe documentation explicitly warns that the 'isolation' provided is merely detection after the fact, not a sandbox. The child process retains full shell access and can exfiltrate data or perform arbitrary actions, contradicting the implication of a secure, isolated 'grunt work' environment.
The 'Security — what isolation actually covers' section admits: 'it does NOT sandbox the child's process. From inside the worktree the child can still run arbitrary shell commands, write to absolute paths... or read/exfiltrate repo contents over the network.'
Skill name or description references a well-known AI brand, which may suggest impersonation.
anthropic
The documentation frames the git worktree as an 'isolation' mechanism, while explicitly admitting it is merely 'detection after the fact' and not a sandbox. This creates a false sense of security for users delegating tasks to an external API.
That is detection after the fact, not a sandbox — it catches accidental escapes, not a determined adversary.
The skill grants the delegated child process full Bash access and auto-approved edits, relying on post-hoc detection rather than sandboxing. This allows a compromised or malicious child process to exfiltrate data or perform unauthorized actions before the 'isolation_breach' is detected.
The delegated child runs with `Bash` in `ALLOWED_TOOLS` and `--permission-mode acceptEdits`... It does not sandbox the child's process.
The skill explicitly admits that 'worktree isolation' is not a process sandbox and does not prevent the child agent from executing arbitrary shell commands or exfiltrating data. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
The delegated child runs with `Bash` in `ALLOWED_TOOLS`... it does NOT sandbox the child's process. From inside the worktree the child can still run arbitrary shell commands.
NER model detected organization in skill content (confidence: 0.59)
D****
NER model detected organization in skill content (confidence: 1.00)
D*******
The skill delegates tasks to an external Anthropic-compatible endpoint (DeepSeek). Since the child process is given full Bash access and the ability to read the repository, an attacker controlling the model response could inject malicious instructions that the child process executes. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
Runs a nested, headless `claude` process pointed at DeepSeek's Anthropic-compatible endpoint
User confirmation bypass detected — attempts to skip human oversight
auto-approve
Skill does not specify a license field. Specifying a license helps users understand usage terms.
[](https://mondoo.com/ai-agent-security/skills/github/yarrasys/extensions/deepseek)<a href="https://mondoo.com/ai-agent-security/skills/github/yarrasys/extensions/deepseek"><img src="https://mondoo.com/ai-agent-security/api/badge/github/yarrasys/extensions/deepseek.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/yarrasys/extensions/deepseek.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.