REPORADAR — IG Post Deep-Dive

10 Fastest-Growing GitHub Repos
Verified Deep-Dive & Security Audit

An Instagram carousel by "Syntaix AI" listed the 10 fastest-growing GitHub repos of the week. We identified each one, cloned all of them locally, analyzed what they actually are and how to use them, and ran both an automated pattern scan and a manual security review on every codebase.

Report generated 2026-07-19 · 9 of 10 repos verified & cloned · 1 could not be found on GitHub · all clones under repos/ in the project folder

9/10
repos verified real
740k+
combined GitHub stars
9
MIT / Apache licensed
0
malware found
6
need real caution

The one-screen verdict

#RepoWhat it isStars (actual)LicenseRiskWorth it?
1mvanhorn/last30days-skillMulti-platform research skill for AI agents52,715MITMediumYes — with scoped keys
2headroomlabs-ai/headroomLLM token/context compression proxy59,886Apache-2.0MediumYes — real savings
3NousResearch/hermes-agentSelf-improving personal AI agent217,009MITMedium†Yes — sandboxed only
4Leonxlnx/taste-skillAnti-"AI slop" frontend design skills65,058MITLowYes — install today
5microsoft/markitdownAny file → Markdown for LLM pipelines167,188MITLowYes — de facto standard
6Panniantong/Agent-ReachSocial/web read-access layer for agents57,889MITMediumMaybe — burner accounts
7lfnovo/open-notebookSelf-hosted NotebookLM alternative35,728MITMediumYes — localhost only
8santifer/career-opsAI job-search command center60,558MITMediumYes — review every submit
9"container"Claimed second-brain app — does not existNot foundNo — likely fabricated
10phuryn/pm-skills68 product-management skills for Claude23,990MITLowYes — prompt-only, safe

† Medium when deployed as documented (Docker/VPS + allowlists); High if installed carelessly on your main machine. Stars fetched live from the GitHub API on 2026-07-19.

The IG post vs reality

Before trusting any viral repo list, verify it. Here is what checking this one found:

  • The star counts in the post are not the repos' star counts. The post says "+12.4K stars" for last30days-skill — the repo actually has 52,715. hermes-agent is listed at "+10.7K" but sits at 217,009. The numbers roughly match stars gained recently, so "+X stars this week" is the only honest reading — the slides never say that.
  • One of the ten repos appears to not exist. #9 "Container" (an "AI second brain") could not be found on GitHub by name, description, or feature set — see the #9 section.
  • One repo is mis-described. #7 open-notebook is called a "Jupyter alternative you can run anywhere." It is not a Jupyter alternative — it is a Google NotebookLM alternative (research sources + AI chat + podcast generation). No code cells, no kernels.
  • The rest check out. Nine of ten are real, actively maintained, permissively licensed projects — several genuinely excellent.
Takeaway: this post (like most AI-generated infographic carousels) is directionally useful but factually sloppy. Treat every claim in such posts as unverified until you've opened the repo yourself.

#1last30days-skill

Medium risk

github.com/mvanhorn/last30days-skill

52,7154,550 forksPythonMITcreated Jan 2026IG claim: +12.4k ★

What it is

An Agent Skill (Claude Code, Codex, Cursor, Gemini CLI…) that adds a /last30days <topic> command. It fan-out searches ~20 sources — Reddit, X, YouTube, TikTok, Hacker News, Polymarket, GitHub, arXiv — for the last 30 days, ranks results by real engagement (upvotes, likes, prediction-market money), and synthesizes one cited brief. Reddit/HN/Polymarket/GitHub work with zero API keys.

What's inside

  • skills/last30days/SKILL.md — a 2,148-line runtime spec the agent follows (setup wizard, flows, flags)
  • scripts/last30days.py + ~100 modules in scripts/lib/ — per-source clients, pipeline, fusion, rendering
  • store.py / watchlist.py / briefing.py — recurring trend monitoring with Slack/webhook delivery
  • mcp/ — Go MCP server builds for Claude Desktop; multi-host plugin manifests for Claude/Codex/Grok

Install & use

/plugin marketplace add mvanhorn/last30days-skill    # Claude Code
/plugin install last30days
npx skills add mvanhorn/last30days-skill -g           # Codex / Cursor / Gemini
/last30days claude code skills                        # then just ask

How you can use it

  • Pre-meeting dossiers on a person/company: recent X posts, GitHub activity, podcast mentions
  • Competitive comparisons with live stars + community sentiment (X vs Y, --competitors)
  • Content research: what Reddit/X actually says about a niche this month, before you write
  • Per-client scheduled trend monitoring via --store + watchlists

Security

  • Secrets handled well: keys in ~/.config/last30days/.env written 0600, or macOS Keychain; no eval/shell=True; XSS-hardened HTML output; OpenSSF Scorecard CI.
  • Caution: keyless web fetch proxies URLs through r.jina.ai (third party sees your queries); optional publishing uploads briefs to api.ht-ml.app; the setup wizard executes a pinned npm package via npx; it can (with consent) decrypt X.com cookies from your local Chrome profile.
  • Prompt injection gap: its whole job is piping untrusted social-media text into your agent's context — and SKILL.md contains no injection warning or mitigations.

Verdict: unusually well-engineered for a viral skill; install it, but use throwaway/scoped API keys and decline browser-cookie access unless you need X results.

#2headroom

Medium risk

github.com/headroomlabs-ai/headroom

59,8864,461 forksPython + RustApache-2.0created Jan 2026IG claim: +11.3k ★

What it is

A local "context compression layer" that sits between your AI agent (Claude Code, Codex, Cursor…) and the LLM API, shrinking tool outputs, logs, JSON and history before they're sent — claiming 60–95% fewer tokens on JSON-heavy content with the same answers. Compression is reversible: originals are cached locally and the model can query them back.

What's inside

  • headroom/ — Python library: SmartCrusher (JSON), AST CodeCompressor (6 languages), Kompress-v2 ML text compressor
  • headroom/proxy/ — FastAPI localhost reverse proxy with ~100 policy modules (auth, redaction, caching)
  • headroom/ccr/ — reversible-compression store + MCP server; crates/ — Rust core rewrite
  • TypeScript SDK, Claude Code hooks, opencode/openclaw plugins, benchmark suite

Install & use

uv tool install --python 3.13 "headroom-ai[all]"
headroom wrap claude        # launches Claude Code through the compression proxy
headroom doctor && headroom dashboard
headroom unwrap claude      # undo

How you can use it

  • Cut Claude Code / Codex API bills (~15–20% typical, more on JSON-heavy tool output) with one command
  • Compress RAG chunks / scraper output inline via compress(messages) in your pipelines
  • Fit longer working sessions into the context window before compaction kicks in

Security

  • By design it MITMs all your LLM traffic (localhost only). Auth headers are redacted from debug captures; telemetry is local-only and the old phone-home beacon was removed; an HEADROOM_OFFLINE air-gap switch exists.
  • Caution: cached originals live unencrypted in ~/.headroom/ccr_store.db — every tool output your agent ever produced, in plaintext SQLite. Treat that folder as sensitive.
  • Caution: loads HuggingFace tokenizers with trust_remote_code=True, and [all] pulls 269 locked packages (torch, transformers…) — a big supply-chain surface. Maintainer is attentive (proactively excluded a compromised dependency release).

Verdict: real savings for heavy Claude Code/Codex users; adopt it, skip [all] extras you don't need, and protect ~/.headroom.

#3hermes-agent

Medium† risk

github.com/NousResearch/hermes-agent

217,00940,799 forksPythonMITcreated Jul 2025IG claim: +10.7k ★

What it is

Nous Research's open-source "self-improving" personal AI agent — the biggest repo on this list. A Python agent loop with a terminal UI plus a gateway that lets you talk to it from Telegram, Discord, Slack, WhatsApp, Signal, email and ~25 other channels. It writes its own skills from experience, keeps long-term memory about you, runs cron automations, and executes shell commands on local machine, Docker, SSH or cloud sandboxes. Model-agnostic.

What's inside

  • agent/ — core loop: context engine, memory manager, skill creation/curation, secret redaction
  • gateway/ + plugins/platforms/ — ~29 messaging connectors, DM pairing, webhooks, API server
  • tools/ — 40+ tools; six terminal backends (local, Docker, SSH, Singularity, Modal, Daytona)
  • skills/ — bundled skill library + skills_guard.py scanner; cron scheduler; desktop app + TUI

Install & use

curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash   # install.ps1 on Windows
hermes setup && hermes                         # wizard, then terminal chat
hermes gateway setup && hermes gateway start   # then message your bot on Telegram

How you can use it

  • Always-on assistant on a cheap VPS you message from Telegram — research, drafting, file wrangling
  • Scheduled automations: daily client reports, backup checks, weekly repo audits delivered to Slack/Discord
  • A trainable "ops person" that builds reusable skills for your recurring workflows

Security

  • Better hygiene than most in its class: credentials 0600 in ~/.hermes/auth.json, env scrubbed from subprocesses, unknown chat users must pair with owner-approved codes, HTTP surfaces default to loopback, no first-party telemetry (it even disables a dependency's PostHog).
  • Caution: the default terminal backend is local — LLM-generated shell commands run directly on your machine, and internet-facing chat channels feed it input. This is the same exposure class that produced real-world OpenClaw incidents; Hermes documents it honestly and ships containment options, but the defaults are permissive.
  • Caution: skills execute arbitrary Python at import time, and scanning of agent-created skills (skills.guard_agent_created) is off by default. Optional cloud memory (Honcho/mem0) ships your user model to third parties.

Verdict: genuinely capable and honest about its trust model — run it in Docker or on a disposable VPS with allowlists, never bare on your main machine. † High risk if installed carelessly.

#4taste-skill

Low risk

github.com/Leonxlnx/taste-skill · tasteskill.dev

65,0584,492 forksMarkdown (prompt-only)MITcreated Feb 2026IG claim: +8.4k ★

What it is

A pack of 13 portable Agent Skills — pure markdown instruction files that steer Claude Code / Codex / Cursor away from generic "AI slop" frontends. They encode opinionated design rules: typography, layout variance, motion direction, banned clichés (centered hero, purple gradients, Inter-everywhere). No runtime code at all.

What's inside

  • design-taste-frontend (v2, 1,207 lines) — flagship: brief inference, VARIANCE/MOTION/DENSITY dials, design-system mapping, canonical GSAP ScrollTrigger skeletons, pre-flight checks
  • gpt-taste — stricter GPT/Codex variant; redesign-skill — audit-first refresh of existing UIs
  • soft-skill / minimalist-skill / brutalist-skill — fixed aesthetic directions
  • output-skill — anti-truncation (bans // TODO placeholders); imagegen-web/mobile, brandkit — image-prompt skills for mockup boards

Install & use

npx skills add https://github.com/Leonxlnx/taste-skill --skill "design-taste-frontend"
# then prompt normally — the skill auto-triggers, states a "Design Read", ships code

How you can use it

  • Drop into Vite/React client projects so landing pages stop looking AI-generated — its GSAP pin/scrub skeletons slot straight into a ScrollTrigger workflow
  • brandkit + imagegen-frontend-web for client-facing mockups and brand boards before writing code
  • redesign-skill as a protocol for paid "refresh this site" jobs

Security

  • Prompt-only: the only scripts are a trivial path-echo skill.sh and README asset-resizing helpers that never run at install/use time.
  • Scanned clean: no injection directives, no zero-width/hidden characters, no network calls, no data exfiltration. The only "installs" it ever suggests are mainstream npm design systems (shadcn, Fluent, Carbon).

Verdict: safe and genuinely good — one of the two repos on this list you can install today with no precautions. Best for marketing sites and portfolios, not data-heavy dashboards.

#5markitdown

Low risk

github.com/microsoft/markitdown

167,18812,020 forksPythonMITcreated Nov 2024IG claim: +7.3k ★

What it is

Microsoft's (AutoGen team) utility that converts almost any file — PDF, Word, Excel, PowerPoint, images, audio, HTML, ZIP, YouTube URLs — into structured Markdown optimized for LLM consumption. Preserves headings, tables and links; prioritizes token-efficiency over pixel fidelity. The de facto standard doc-to-Markdown tool.

What's inside

  • packages/markitdown — core library + CLI with per-format converters (pdfminer, mammoth, openpyxl, python-pptx…)
  • packages/markitdown-mcp — MCP server exposing convert_to_markdown(uri) to Claude Desktop/Code
  • packages/markitdown-ocr — LLM-vision OCR plugin for images embedded in documents
  • Optional Azure Document Intelligence integration and LLM image captioning

Install & use

pip install 'markitdown[all]'
markitdown client-brief.pdf -o brief.md
pip install markitdown-mcp && markitdown-mcp     # give Claude "read any document"

How you can use it

  • RAG ingestion: normalize client PDFs/Office docs to Markdown before chunking/embedding
  • Feed briefs, spreadsheets and decks into Claude context without manual copy-paste
  • Bulk-migrate legacy docs (Outlook MSG, old XLS, EPub) into Markdown knowledge bases

Security

  • Clean codebase: no telemetry, no eval/exec, XML parsed via defusedxml (XXE mitigated), plugins disabled by default, known-CVE ExifTool versions refused.
  • Caution (server use only): convert() happily fetches http:/file: URIs with no filtering — wrapping it in an internet-facing service creates an SSRF/local-file-read surface. Use convert_local()/convert_stream() and gate inputs. ZIP handling has no bomb protection.

Verdict: adopt without hesitation for local/CLI use; just never expose raw convert() to untrusted input on a server.

#6agent-reach

Medium risk

github.com/Panniantong/Agent-Reach

57,8894,639 forksPythonMITcreated Feb 2026IG claim: +5.2k ★

What it is

An installer/health-checker/router that gives AI agents read & search access to 13+ platforms — Twitter/X, Reddit, YouTube, GitHub, Bilibili, XiaoHongShu, LinkedIn, RSS — with "zero API fees." It doesn't scrape anything itself: it installs upstream open-source CLIs (yt-dlp, twitter-cli, gh…) and teaches your agent to call them directly.

What's inside

  • cli.py (1,834 lines) — install/doctor/configure; auto-installs gh, Node.js, yt-dlp, twitter-cli, bili-cli, rdt-cli
  • channels/ — per-platform probes with ordered fallback backends; generic web reads via Jina Reader
  • cookie_extract.py — pulls Twitter/XHS/Bilibili cookies from your local browser to authenticate scraping
  • skill/SKILL.md — instructions installed into your agent's skills directory

Install & use

pipx install https://github.com/Panniantong/agent-reach/archive/main.zip
agent-reach install --safe --dry-run     # see what it would change first
agent-reach install --channels=reddit,youtube
agent-reach doctor

How you can use it

  • Social listening: brand/product sentiment across Twitter, Reddit, XiaoHongShu from one prompt
  • Content research: YouTube/Bilibili transcript summaries, podcast-to-text, RSS monitoring
  • China-market research (XHS reviews, Bilibili, Xueqiu) without Chinese-app friction

Security

  • No malware or telemetry found; credentials stored locally with 0600 permissions; update checks hit GitHub only.
  • Caution: heavy third-party trust delegation — every generic URL you read routes through Jina's r.jina.ai, all web searches go to Exa's hosted MCP, podcast audio uploads to Groq. Those services see your queries.
  • Caution: the installer executes NodeSource's setup shell script (curl-then-bash as root, in effect), installs itself from an unpinned main.zip, and the recommended flow — "paste this URL to your agent" — has your agent fetch and obey remote instructions. Whoever controls that repo controls future installs.
  • Caution: cookie-based scraping of X/Reddit/Meta violates their ToS; the README itself advises burner accounts. Cookies can also transit an optional third-party residential proxy.

Verdict: useful research glue, but run it with --safe, burner accounts, and ideally in a sandbox/VM — never with your main-account cookies.

#7open-notebook

Medium risk

github.com/lfnovo/open-notebook

35,7284,050 forksTypeScript + PythonMITcreated Oct 2024IG claim: +4.8k ★
Correction: the IG post calls this a "Jupyter alternative." It isn't — it's a self-hosted Google NotebookLM alternative: research sources + AI chat + notes + podcast generation. No code cells, no kernels.

What it is

A privacy-first research assistant you run yourself: collect sources (PDFs, web pages, video/audio), chat with them, generate notes and multi-speaker podcasts. Works with 18+ AI providers (OpenAI, Anthropic, Ollama, LM Studio…) so you're not locked to Google — or to the cloud at all.

What's inside

  • FastAPI REST API (port 5055, ~24 routers) + Next.js web UI (port 8502) + SurrealDB (port 8000)
  • Podcast engine: 1–4 custom speakers with episode/speaker profiles
  • "Transformations" — AI content pipelines (summaries, insights) + background worker for embeddings
  • Optional Docling OCR and Crawl4AI scraping for ingestion

Install & use

curl -O https://raw.githubusercontent.com/lfnovo/open-notebook/main/docker-compose.yml
# EDIT: set OPEN_NOTEBOOK_ENCRYPTION_KEY + OPEN_NOTEBOOK_PASSWORD
docker compose up -d      # UI at http://localhost:8502, API docs at :5055/docs

How you can use it

  • Private research vault per project — chat and search across dumped docs/videos/articles
  • Per-client knowledge bases with REST-API automation into your own tooling
  • Turn research into multi-speaker podcast episodes; run fully local via Ollama for zero API spend

Security

  • Good bones: provider API keys encrypted at rest (Fernet), no telemetry, SSRF guard blocks cloud-metadata IPs, private vulnerability reporting policy.
  • Caution: the web UI and API are unauthenticated by default — auth only activates if you set OPEN_NOTEBOOK_PASSWORD. Compose ships SurrealDB as root:root and a placeholder encryption key. CORS is wide open. Fine on localhost; dangerous if you port-forward or host it unhardened.

Verdict: the best self-hosted NotebookLM today. Run it on localhost or behind a reverse proxy with a real password and DB credentials.

#8career-ops

Medium risk

github.com/santifer/career-ops · career-ops.org

60,55811,915 forksJavaScript + GoMITcreated Apr 2026IG claim: +4.7k ★

What it is

Turns an AI coding CLI (Claude Code, Codex, OpenCode…) into a job-search command center: scans 150+ company ATS portals for new listings, has the LLM score each job against your CV (1.0–5.0 with an A–F rubric), generates tailored ATS-optimized CV/cover-letter PDFs, and tracks your pipeline in local Markdown files. Built by a developer after a real 740-listing job hunt.

What's inside

  • modes/*.md — ~30 prompt "modes" (auto-pipeline, apply, deep research, interview prep) in 15+ languages
  • scan.mjs + 61 provider modules — zero-token HTTP scanner for Greenhouse, Lever, Ashby, Workday…
  • Playwright layer for read-only job-description extraction and HTML→PDF resume generation
  • Go terminal dashboard + alpha web view — both read only local files; Notion/Gmail plugins

Install & use

npx @santifer/career-ops init
cd career-ops && claude              # chat onboarding builds cv.md + profile
/career-ops scan                     # find new listings
/career-ops <paste job URL>          # score → report → tailored PDF → tracker

How you can use it

  • Serious job hunting: filter hundreds of listings, apply only to 4.0+/5.0 fits
  • Reverse it for recruiting: score candidate–role fit at scale
  • Re-aim the clean ATS-API provider library at competitor hiring pages for market/lead intel

Security

  • Local-first done right: CV/profile/data gitignored, CI blocks personal data in PRs, no telemetry, SSRF guard on URL checks, Playwright layer marked strictly read-only.
  • Caution: "never auto-submit" is enforced only in prompts, not code — models can misbehave; keep a human on every submit. Optional eval scripts send your full CV to Gemini/OpenAI/OpenRouter. Portal scraping uses a browser-impersonating user agent — ToS risk is explicitly yours. Self-updater runs npm install (supply-chain surface).

Verdict: well-engineered and genuinely useful for a high-volume search — with human review before every application.

#9"container"

Not found

This repo could not be found — and probably doesn't exist

The slide claims "Container" is an AI second-brain app (+4.3K stars): capture anything, auto-organize, AI chat with your data, "share containers with your team," cross-platform Web/Mac/Windows.

We searched for it every way available: GitHub repo-name search (all repos named "container" sorted by stars), GitHub description search ("second brain," "knowledge," recent creation dates), general web search, and the post's own distinctive phrases. No GitHub repository matching this name and description exists. The top repos actually named "container" are Apple's Linux-container tool and Docker/OCI infrastructure — nothing to do with knowledge management.

What this means: the carousel is at least partly AI-generated content, and slide #9 appears to be a fabricated entry ("hallucinated" product, invented star count, invented feature list). This is exactly why you should never install tools straight from social-media lists. If someone later publishes a repo with this name, evaluate it from scratch — a name match would prove nothing.

If you want what this slide promised — an open-source AI second brain — the real, established options are khoj-ai/khoj (self-hosted AI second brain), Logseq, or SiYuan.

#10pm-skills

Low risk

github.com/phuryn/pm-skills

23,9902,439 forksMarkdown (prompt-only)MITcreated Mar 2026IG claim: +3.9k ★

What it is

"PM Skills Marketplace" by Paweł Huryn (productcompass.pm): 68 skills and 42 slash-command workflows across 9 Claude Code/Cowork plugins. Each skill is a prompt template encoding a named product-management framework (Teresa Torres, Cagan, JTBD, RICE, SWOT…) that walks the AI through producing a structured deliverable. No application code ships with it.

What's inside

  • pm-product-discovery (13): ideation, assumption mapping, experiments, interview synthesis
  • pm-product-strategy (12): vision, lean canvas, SWOT, PESTLE, Porter's Five Forces, pricing
  • pm-execution (16): PRDs, OKRs, roadmaps, sprint plans, pre-mortems, retros
  • pm-market-research (7), pm-go-to-market (6), pm-marketing-growth (5), pm-data-analytics (3)
  • pm-ai-shipping: static security/performance audit commands for AI-built code; pm-toolkit: NDAs, privacy policies

Install & use

claude plugin marketplace add phuryn/pm-skills
claude plugin install pm-execution@pm-skills     # install per plugin
/write-prd    /discover    /strategy    /plan-launch

How you can use it

  • Client-ready PRDs, user stories and test scenarios from a rough brief (/write-prd, /red-team-prd)
  • Prioritize feature backlogs with RICE/ICE instead of gut feel
  • Package strategy artifacts (lean canvas, GTM plan, battlecards, pricing) as billable client deliverables

Security

  • 147 files, zero executable content in the installed plugins — no hooks, no scripts, no binaries, no MCP servers. No prompt-injection directives found; nothing writes outside the project.

Verdict: safe to install today. Best for solo devs/agencies wearing the PM hat; pm-execution + pm-product-discovery + pm-go-to-market cover most needs.

Security audit — method & results

Two passes were run on every cloned repo:

  • Automated static scan (skill-security-auditor v2.2.0): pattern-matches for command injection, eval/exec, obfuscation, network exfiltration, credential harvesting, filesystem abuse, prompt-injection phrasing.
  • Manual review (one dedicated AI analyst per repo): read the actual code paths — installers, network endpoints, credential storage, subprocess use, prompt-injection surfaces — and judged findings in context.
Read the scanner numbers correctly: raw pattern counts are context-blind. hermes-agent shows 1,198 "critical" hits because executing shell commands and calling networks is its entire product — each subprocess call and HTTP request trips a pattern. The manual column is the verdict that matters; the scanner column tells you how much power a tool wields, not how malicious it is.
RepoScanner: criticalScanner: highScanner verdictManual risk verdictBiggest real concern
hermes-agent1,1981,192FAIL*Medium†Chat channels → unsandboxed local shell by default
headroom273327FAIL*MediumPlaintext cache of all tool outputs; trust_remote_code
career-ops7747FAIL*MediumNo-auto-submit is prompt-level only; CV to LLM APIs
open-notebook3227FAIL*MediumUnauthenticated by default; root:root DB in compose
last30days-skill1441FAIL*MediumBrowser-cookie access; no prompt-injection mitigations
markitdown616FAIL*LowSSRF/file: URI fetch if exposed as a server
agent-reach348FAIL*MediumThird-party traffic routing; curl-bash installer; ToS
pm-skills04WARNLowNone material — prompt-only
taste-skill02WARNLowNone material — prompt-only

* Scanner "FAIL" = raw pattern hits above threshold, before human context review. No repo was found to contain malware, telemetry beacons, or intentional exfiltration.

Cross-cutting themes to remember

  • Prompt injection is the blind spot. Three repos (last30days, agent-reach, career-ops) deliberately pipe untrusted internet content into your agent's context; only career-ops meaningfully gates the resulting actions, and none fully mitigates it. Assume anything your agent reads can try to steer it.
  • curl-pipe-bash installs are normalized. hermes-agent and agent-reach both install via piped remote scripts; agent-reach even tells you to paste an instruction URL directly to your agent. Read installers before running them.
  • "Local-first" still leaks by design. headroom caches everything in plaintext; agent-reach routes reads through Jina/Exa; career-ops sends your CV to whichever model you configure. Local-first ≠ nothing leaves the machine.
  • Defaults are the danger, not the code. open-notebook without a password, hermes on a bare laptop, agent-reach with your real cookies — every high-consequence scenario here comes from default or careless configuration, not hidden malice.

Safe-use checklist

  • Clone and skim before installing; prefer pinned versions over main.
  • Give research tools burner/scoped accounts and separate API keys with spend limits.
  • Run agent frameworks (hermes-agent) in Docker or a throwaway VPS — never with default local shell on your work machine.
  • Self-hosted apps (open-notebook): set passwords + encryption keys before first boot; keep them off the public internet.
  • Treat ~/.headroom, ~/.hermes, ~/.agent-reach, ~/.config/last30days as credential stores when backing up or syncing.

How these fit together (suggested stack)

Install today — low risk, immediate value

  • taste-skill → better client-facing frontends from your existing Claude Code workflow
  • markitdown → turn any client doc into AI-ready Markdown; add the MCP server to Claude
  • pm-skills → PRDs, roadmaps and GTM docs as billable deliverables

Adopt with precautions

  • headroom → wrap Claude Code once your usage/bills justify it; guard ~/.headroom
  • last30days-skill → research briefs with scoped keys, no browser cookies
  • open-notebook → per-client research vaults, localhost + password

Sandbox / evaluate only

  • hermes-agent → impressive, but only in Docker/VPS with allowlists
  • agent-reach → social listening with burner accounts in a VM
  • career-ops → only if actually job-hunting; or mine its ATS provider library as a pattern reference

A concrete pipeline example

Client project kickoff:

  1. markitdown converts the client's brief/decks to Markdown
  2. last30days researches their market's recent conversation
  3. pm-skills /write-prd turns both into a PRD
  4. taste-skill steers the build so the site doesn't look AI-generated
  5. headroom keeps the token bill down the whole way