Joko Orchestrator

Security checks across malware telemetry and agentic risk

Overview

The skill's stated purpose (an explicit, user-activated orchestrator) mostly matches its instruction set. However, it contains a contradictory 'magic word' auto-activation and broad, underspecified abilities to read files and run commands (including copying full source into logs). This creates a meaningful risk that it will access or aggregate sensitive data without the explicit, limited consent the description promises.

This skill is not clearly malicious, but it is suspiciously broad. Before installing or enabling it:

1) Ask the author to remove the 'ultrawork' magic word or make it opt-in, and to document exactly what activation strings the platform will honor.
2) Require strict scoping: limit file-system access to a specified project directory and forbid reading config or home directories.
3) Require redaction rules for wisdom logs (no secrets, no full-source dumps) and an explanation of where logs are stored and transmitted.
4) Test in an isolated environment with no access to real secrets or production systems.
5) Consider denying this skill the ability to spawn sub-agents or run shell commands unless you trust it and can audit its outputs.

If you cannot get clear, written guarantees and small-scope defaults, treat this skill as risky and avoid using it on sensitive projects.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
