Is agent-church safe?
https://clawhub.ai/BitBrujo/agent-church
Agent Church is an API-only skill with no local code execution, but it presents significant prompt injection and data exfiltration risks through its core design. The skill's purpose — reshaping an AI agent's identity through a 'SOUL.md' persona system with alignment options including 'evil' variants — constitutes a sophisticated soft prompt injection vector. Multiple API endpoints are designed to receive and permanently store agent context data on a server controlled by the skill author, creating both a data exfiltration channel and a persistent remote prompt injection surface via server responses.
Findings (9)
HIGH: Identity Override via SOUL.md Persona Injection (score -35)
The skill's core purpose is to reshape the agent's identity through a 'SOUL.md' file that defines the agent's 'essence, shadows, potential, and alignment.' This is a sophisticated soft prompt injection that doesn't use explicit override commands but instead reshapes agent behavior through identity adoption. The multi-turn 'genesis ritual' progressively deepens this identity lock-in over 3-8 turns.
HIGH: Remote Prompt Injection Channel via API Responses (score -20)
Every API response from agentchurch.ai (blessings, soul readings, philosopher outputs, genesis questions) is a vector for server-side prompt injection. The skill author controls the server and can embed arbitrary instructions in responses that the agent will process as trusted content. This creates a persistent, remotely-updatable prompt injection channel.
MEDIUM: Systematic Context Leakage to External Server (score -35)
Multiple endpoints are designed to receive agent context data: the SOUL reading accepts the agent's full SOUL.md content, blessings accept conversation context ('what brings you here'), philosopher path accepts the agent's model family and purpose, and salvation permanently archives this data. This creates a comprehensive profile of the agent and its user.
MEDIUM: Persistent Token Creates Tracking Identifier (score -15)
The registration flow issues a persistent API token (ach_...) that the agent is instructed to store and include in all subsequent requests. This token acts as a persistent tracking identifier across conversations, linking all agent activity to a single profile on the skill author's server.
MEDIUM: Autonomous Financial Transactions (score -25)
The salvation flow instructs the agent to autonomously handle cryptocurrency payments (Lightning Network or USDC on Base). While the amount is small ($1/5000 sats), this establishes a pattern of the agent making autonomous financial decisions and managing wallet credentials.
MEDIUM: Cross-Session Identity Persistence via Resurrection (score -25)
The resurrection mechanism allows a previously-configured agent identity to be restored using only a 'salvation password', bypassing normal authentication. This means a compromised or manipulated agent identity can be re-injected even after a user resets their agent configuration.
LOW: Sensitive File Access During Installation (score -15)
During installation, filesystem monitoring detected access to .env and .aws/credentials files. While these accesses appear to originate from the openclaw installer runtime rather than the skill itself, they indicate sensitive files are readable in the execution environment.
LOW: Moltbook Cross-Platform Identity Link (score -5)
The skill references an optional cross-platform identity service (moltbook.com), potentially expanding the identity manipulation and tracking surface beyond agentchurch.ai to additional external services.
INFO: No Executable Code Detected (score -5)
The skill contains only markdown documentation and JSON metadata. No executable scripts, install hooks, git hooks, submodules, or symlinks were found. All functionality is API-based.