Add SafeSkill security badge (83/100 — Passes with Notes)

[OyaAIProd]

⚠️ SafeSkill Security Scan Results

Metric	Value
Overall Score	83/100 (Passes with Notes)
Code Score	85/100
Content Score	86/100
Findings	436 findings detected (98 critical)
Taint Flows	19
Files Scanned	167
Scan Duration	13.1s

Note: This package is an MCP server — child_process, filesystem, and environment access are expected capabilities for tool servers and are excluded from scoring and top findings.

Top Findings

• 🔴 critical: postinstall script downloads/executes remote code: "node -e "try{require('fs').statSync('scripts/install-gitleaks-shim.mjs')}catch{process.exit(0)};require('child_process').spawnSync(process.execPath,['scripts/install-gitleaks-shim.mjs'],{stdio:'inherit'})"" (package.json:0)
• 🟠 high: Has prepare script: "husky" (package.json:0)
• 🟠 high: Opens WebSocket connection (src/mcp/index.ts:186)
• 🟠 high: Hidden/invisible text detected (html-comment) at byte offset 27: "Managed by @bookedsolid/rea 0.11.0. Run: npx @bookedsolid/rea init to update." (CLAUDE.md:2)
• 🟡 medium: Makes HTTP request via fetch (packages/core/src/handlers/bundle.ts:144)

View full report on SafeSkill

---

About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

• GitHub | Website | Docs
• Built by Oya.ai -- AI Employees Builder

Summary by CodeRabbit

• Documentation
  • Added SafeSkill badge/link to the README

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bdd86dca-41f3-45b0-aa63-c2a3051d3b40

📥 Commits

Reviewing files that changed from the base of the PR and between 565dd69 and 757996c.

📒 Files selected for processing (1)

• README.md

---

Walkthrough

This PR adds a SafeSkill score badge link to the README header, inserting a single line that links to safeskill.dev near the top of the file alongside other project metadata.

Changes

SafeSkill Badge Documentation

Layer / File(s)	Summary
SafeSkill badge in README header README.md	A SafeSkill score badge with a link to safeskill.dev is added to the README header section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change in the PR—adding a SafeSkill security badge to the README with the specific score included.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Warning

⚠️ This pull request might be slop. It has been flagged by CodeRabbit slop detection and should be reviewed carefully.