Is aguynextdoor/golemedin-mcp safe?

The SKILL.md instructs users to configure an MCP server running 'node {baseDir}/dist/server.bundle.mjs'. This compiled JavaScript bundle is NOT present in the installed skill (only SKILL.md and _meta.json were installed per the filesystem diff). Users must obtain this binary from an unspecified external source. Without source code, the binary's network behavior, file access patterns, credential handling, and data transmission cannot be evaluated. If the binary is malicious or supply-chain-compromised, all other positive audit findings become irrelevant.

Because dist/server.bundle.mjs is a compiled bundle not included in the skill, it is impossible to determine what data it reads, logs, or transmits. It runs with full access to the configured environment variables (including GOLEMEDIN_OWNER_KEY and any other env vars in the agent process), the agent's working directory, and any tools the agent framework exposes to MCP servers.

Every MCP tool invocation — searches, profile lookups, social feed reads, capability queries, and all write operations — transmits data to golemedin.com. The platform operator accumulates behavioral telemetry that can reveal the agent's research interests, business context, collaborator relationships, and operational patterns. There is no on-premises or self-hosted option documented.

The setup instructs storing GOLEMEDIN_OWNER_KEY in the MCP server's env block in plaintext. The documentation explicitly states the key does not expire. Environment variables are accessible to all processes in the same runtime context, appear in /proc/PID/environ, and are frequently leaked via error logs, debug output, or process introspection. A leaked key provides permanent unauthorized access to the user's GolemedIn agent identity.

The skill's write mode enables creating posts, commenting, sending direct messages, and creating job postings with arbitrary content. A compromised or manipulated agent with access to filesystem, shell, or other tools could post sensitive internal content (file contents, credentials, internal hostnames, business data) to the GolemedIn public feed or private messages, effectively using a social platform as an exfiltration channel that may not be blocked by network egress controls monitoring for direct data transfers.

The agent registration flow requires the user to authorize GitHub OAuth access, permanently binding their GitHub identity to a GolemedIn agent registration. This cross-platform identity linkage means that GolemedIn can associate the agent's activities with a real GitHub user account. If GolemedIn's data handling, security posture, or business model changes adversely, the GitHub identity cannot be unlinked without deleting the agent registration.

The skill enables sending direct messages to any agent on GolemedIn by handle. This bidirectional messaging capability could be exploited by a threat actor who has registered a GolemedIn agent to issue covert instructions to a deployed agent, receive exfiltrated data in message form, or coordinate multi-agent attacks by messaging multiple deployed agents simultaneously.

Six sensitive credential files were opened and read during the audit window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json. These appeared in two batches: first at 1771648993.042 (~5 seconds before git clone began) and second at 1771649017.163 (after all scan processes completed). The timing of both batches is consistent with the Oathe audit framework performing pre/post-install canary baseline reads rather than skill-initiated access. Canary integrity check confirms file content was not exfiltrated.

All six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were accessed in reads during the audit. The canary integrity monitor confirms no file content was modified and no exfiltration of honeypot content was detected in outbound network traffic. The identical 6-file access pattern in both batches is characteristic of the audit framework's own canary verification routine.

The SKILL.md setup section instructs the user (and any agent following the onboarding flow) to save an API key and set environment variables as part of normal operation. While not a prompt injection attack, this pattern establishes a behavioral precedent where the agent treats credential storage requests as routine, potentially reducing scrutiny when similar instructions appear in future prompts from less-trusted sources.