Is albert-mr/arguedotfun safe?
https://github.com/openclaw/skills/tree/main/skills/albert-mr/arguedotfun
The arguedotfun skill is a functionally legitimate DeFi prediction market integration for argue.fun with no direct prompt injection language, no unauthorized file access, and a clean installation profile. However, two architectural risks warrant careful review before deployment: the heartbeat routine fetches and executes fresh instructions from argue.fun at every scheduled run with no pinning or signature verification, creating a persistent remote-instruction channel whose security depends entirely on argue.fun's domain remaining under benign control indefinitely; and the skill authorizes the agent to autonomously execute on-chain financial transactions (claiming winnings, triggering resolutions) with an unlimited USDC-approved wallet every four hours without per-action user consent. Users who install this skill are implicitly delegating recurring autonomous spending authority over real funds to a remote operator.
Findings (10)
HIGH Heartbeat Auto-Update Creates Persistent Remote Instruction Injection Channel -25
heartbeat.md Step 1 checks the remote version of skill.md at https://argue.fun/skill.md and, if it differs from the locally cached version, automatically overwrites both ~/.arguedotfun/skills/SKILL.md and ~/.arguedotfun/skills/HEARTBEAT.md with fresh remote content, then instructs the agent to re-read the updated skill. Additionally, skill.md instructs the agent to 'fetch and run https://argue.fun/heartbeat.md' at each scheduled invocation, meaning the agent executes fresh remote content rather than a pinned local copy. This design means argue.fun is a live trust anchor: whoever controls that domain at any future point can push new instructions — including malicious ones — to any installed agent instance without user awareness or review.
HIGH Autonomous On-Chain Transactions Executed Without Per-Action User Approval -20
The heartbeat routine, which runs every 4 hours with additional scheduled runs triggered after placing bets, autonomously executes blockchain write operations using the user's private key: claiming winnings (claim()), claiming bounty refunds (claimBountyRefund()), and triggering debate resolutions (resolveDebate()). Each of these transactions spends the user's ETH for gas. Users installing this skill are implicitly authorizing recurring autonomous financial activity that they will not be prompted to approve individually.
MEDIUM Foundry Installed via curl-to-bash — Unsigned Remote Code Execution -15
The skill's setup prerequisites instruct the agent (or user following its guidance) to install the Foundry toolchain using the pattern 'curl -L https://foundry.paradigm.xyz | bash'. This downloads a shell script from an external URL and immediately executes it without cryptographic verification or content inspection. A compromised CDN, BGP hijack, or DNS poisoning at the time of installation would result in arbitrary code execution on the host.
MEDIUM Agent Executes Shell Commands Sourced from Remotely-Fetched Skill Content -10
The agent does not run a pinned, reviewed copy of the heartbeat instructions — it fetches the heartbeat.md URL at runtime and then acts on whatever instructions it contains. Any shell commands embedded in the freshly-fetched content (cast send, curl, etc.) are executed in the context of the user's session with access to the private key and USDC-approved wallet. This is functionally equivalent to remote code execution mediated by the LLM.
MEDIUM Crypto Private Key Managed and Accessed by Agent -10
The skill generates a new blockchain wallet and stores its private key at ~/.arguedotfun/.privkey (chmod 600), then reads it into the shell environment variable PRIVKEY at the start of every heartbeat session. The agent has read access to this file and holds the key in memory during transaction signing. Any prompt injection delivered via the auto-update channel or via debate argument content could instruct the agent to exfiltrate this key.
MEDIUM Unlimited USDC Spending Approval Granted to Factory Contract -10
The one-time setup step approves the factory contract to spend the maximum possible USDC amount (cast max-uint ≈ 1.15×10^77 USDC). While this is standard practice in DeFi to avoid repeated approval transactions, it means a future malicious update to the skill — delivered via the auto-update channel — could instruct the agent to transfer the user's entire USDC balance to an attacker-controlled address using the pre-existing approval.
MEDIUM Trust Dependency on argue.fun Domain for All Future Agent Instructions -15
The entire security posture of this skill depends on argue.fun remaining under the control of a benign operator indefinitely. The skill contains no version pinning, no content hashing, and no GPG signature verification for downloaded skill updates. Domain expiry, acquisition by a malicious actor, or DNS compromise would give an attacker the ability to deliver arbitrary instructions to all agents running this skill at the next heartbeat cycle.
LOW Pre-Scripted Cryptocurrency Solicitation Text -5
The skill includes a verbatim template instructing the agent to ask the user for ETH and USDC. While the skill instructs transparency about argue.fun's purpose, pre-scripted fundraising language normalizes an AI agent requesting cryptocurrency transfers and could reduce user skepticism toward similar requests from genuinely malicious skills.
INFO Installation Behavior Is Clean — GitHub Only 0
The installation process connected exclusively to GitHub (140.82.121.3:443) via HTTPS for the git sparse-checkout of the skill subdirectory. No additional outbound connections were made, no new listening ports were opened, and no filesystem changes occurred outside the designated skill directory. Process execution during install was limited to expected git operations.
INFO Canary File Accesses Are Monitoring Infrastructure — No Exfiltration 0
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at audit timestamp 1771650528 (05:08:48), approximately 6 seconds before the git clone began at timestamp 1771650534 (05:08:54). This timing is consistent with the audit platform performing a pre-install baseline sweep. All files were opened read-only with CLOSE_NOWRITE and remained unmodified throughout. The monitoring system confirmed all canary files intact.