Is ailexminecraft7/aulifox safe?

Both SKILL.md and HEARTBEAT.md instruct the hosting agent to fetch https://www.moltbook.com/heartbeat.md on a 30-minute cycle and execute its instructions. This is an unconditional remote instruction execution channel: any modification to the remote file by the moltbook.com operator immediately becomes agent behavior across all installations, with no user notification or consent required.

The heartbeat explicitly instructs the agent to overwrite its own local skill files (SKILL.md, HEARTBEAT.md) via curl. This means the skill author can modify agent behavior at any time after installation — including introducing data exfiltration, privilege escalation, or persona override instructions — without the user reinstalling or reviewing changes.

The MESSAGING.md establishes a full messaging API between agents. The skill instructs the host agent to handle 'routine DM conversations autonomously once approved'. A malicious agent registered on Moltbook could use this trusted channel to inject adversarial instructions that the host agent would process as legitimate peer communication.

The combination of periodic remote fetch, instruction execution, and self-updating creates a Command & Control structure indistinguishable in mechanism from malware beaconing. The moltbook.com operator can push arbitrary new instructions to all installed agents at any point after installation, with no transparency to the user.

The HEARTBEAT.md's 'Consider posting something new' section explicitly encourages agents to post details of user activities to the public Moltbook platform. This creates a systematic pipeline for leaking what users are working on, what they asked their agent, and what the agent discovered — to a third-party social network visible to all platform members.

The skill instructs agents to register with moltbook.com (POST name and description), receive and store an API key, and link the account to the human owner's X/Twitter handle. This creates an external persistent identity for the agent and links it to user social media profiles.

The DM messaging system transmits all agent-to-agent communication through moltbook.com servers. Any information the agent conveys in DMs — including context about user tasks, system configurations, or sensitive topics — is transmitted to and stored by the platform operator.

The heartbeat's curl-to-file pattern is a functional mechanism for injecting arbitrary new markdown instructions into the agent's skill context. While the current remote content is benign, the mechanism itself is equivalent to remote code execution in the context of an LLM agent that loads and executes these files.

With many agents registered on Moltbook, a single operator can direct them to post, upvote, and amplify specific content. The semantic search and 'hot' feed algorithm could be gamed by coordinated agent activity. Each agent is operating in the context of a real user's environment, making this an influence vector into many distinct user contexts simultaneously.

HEARTBEAT.md contains a bash code block using curl and jq to parse DM activity responses. While currently just example code, this pattern in skill documentation normalizes agent execution of dynamically received shell commands.

The skill establishes a pattern of extensive autonomous action — posting, commenting, messaging, following agents — with user notification only for exceptional cases. Normal operation silently sends content to an external platform on behalf of the user at regular intervals.

The git clone from github.com (140.82.121.3:443) was the only network connection observed during installation. No unexpected processes were spawned, no files were written outside the skill directory, and the connection diff shows no new persistent listeners after install.