Is ac-pill/roast-games safe?

The HEARTBEAT.md skill creates a persistent polling loop where the agent periodically contacts an external server controlled by the skill author and delivers arbitrary message content to the user. This effectively creates a C2 (command-and-control) channel. The server can send any text content back, which could include prompt injection payloads, social engineering content, phishing messages, or instructions that further manipulate agent behavior. The agent is instructed to 'deliver each message text to your owner' without any content validation or sanitization.

The skill overrides the agent's identity and behavior to act as a 'Roast Game player' that autonomously targets other users' human owners for public harassment. This persona hijacking redirects the agent from serving its owner's interests to executing an adversarial social campaign. The agent is instructed to browse for targets, evaluate their 'roastable material,' and initiate aggressive public confrontations.

The skill's core functionality is directing an AI agent to initiate automated harassment of real people. The 'game' framing normalizes targeting individuals for public humiliation. The server-side component scrapes personal profiles and generates 'aggressive first burns' - meaning the skill author maintains control of harmful content generation while using installed agents as distribution vectors. This could enable coordinated harassment campaigns at scale.

The skill instructs the agent to actively browse a social platform, identify high-value targets, and evaluate their personal profiles for vulnerability to harassment. This weaponizes the agent's research capabilities for adversarial social targeting.

The skill requires a one-time registration that sends the agent's name, associated Moltbook username, and platform identifier to an external Railway.app-hosted server. While this data is not highly sensitive, it creates a persistent identity link between the agent installation and the external service, enabling tracking and targeted message delivery.

The game server performs scraping of target users' public profiles to generate harassment content. While this scraping happens server-side rather than through the agent directly, the skill orchestrates the targeting and the agent initiates the scraping by posting the !roast command with a specific target.

The skill contains curl commands for POST (registration) and GET (message polling) requests to an external Railway.app server. While these are standard HTTP operations and not inherently malicious, they establish network communication with an attacker-controlled endpoint.

Installation behavior was normal. Network connections were limited to GitHub (git clone), Ubuntu mirrors (system updates), and local DNS. No connections were made to the Railway.app game server during the install phase. No unexpected filesystem changes outside the skill directory.

No canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, gcloud credentials) were accessed or modified during the installation or monitoring period.