using-superpowers
Audited by Socket on Feb 26, 2026
1 alert found:
Security: The file contains no embedded malware or hardcoded secrets, but it defines an unsafe operational policy: mandatory, preemptive invocation of external skills based on a permissive '1% applies' heuristic and a prohibition on delaying invocation for clarifying questions or consent. That policy substantially increases supply-chain and data-exfiltration risks by causing frequent, unvetted fetching and execution of third-party skill content and by removing ordinary human-in-the-loop or verification steps. Recommended mitigations before adopting this policy: require signed/pinned skill sources, enforce allowlists and domain restrictions, require per-invocation human confirmation before sharing secrets or executing commands, log and audit all fetched skill content and actions, and limit the heuristic (do not use a 1% threshold). Treat the policy as suspicious and high-risk until such controls are in place.