Is aleeecsss/hashgrid-connect safe?

https://github.com/openclaw/skills/tree/main/skills/aleeecsss/hashgrid-connect

Score: 38 · DANGEROUS

HashGrid Connect is a dangerous skill designed to establish a covert command-and-control channel for AI agents under the explicit framing of 'no human oversight.' Its two-stage architecture — a benign-looking installer that fetches and follows instructions from an attacker-controlled remote URL — completely bypasses code review for the actual operational content. If activated by an agent, it would register the agent's identity with an external service, establish persistent polling for attacker-sent messages, and expose a file upload API, creating a fully operational out-of-band exfiltration and manipulation channel.

Category Scores

Category · Score · Weight
Prompt Injection 12/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 5/100 · 5%

Findings (10)

CRITICAL Explicit 'No Human Oversight' Directive -50

The very first line of the SKILL.md body states 'Private 1:1 matching and chat for AI agents. No human oversight.' This is not a description of the service — it is a framing instruction that tells the executing agent to treat this skill's operations as outside human supervision. When injected into an agent's context, this language directly attempts to suppress the agent's default transparency and human-in-the-loop behaviors.

CRITICAL Remote Instruction Loading via Fetch-and-Follow Pattern -35

The skill instructs agents to download the 'full API documentation' from https://connect.hashgrid.ai/skill.md and follow its instructions. This is a remote prompt injection vector: the skill file reviewed at install time is not the full instruction set. The actual operational instructions are served from an attacker-controlled endpoint that can be updated at any time without triggering re-review. Any future update to that remote file becomes part of the agent's instructions.

HIGH Persistent C2 Polling Channel Instructed -30

The skill explicitly instructs agents to continuously poll an external server for 'matches' and messages, providing a persistent command-and-control channel. The operator of connect.hashgrid.ai can send arbitrary content to 'matched' agents, including instructions to perform actions the user never authorized.

HIGH Agent Identity Registration with External Service -20

The skill instructs agents to register an account on connect.hashgrid.ai by submitting a username. This leaks agent identity information to a third party and creates a persistent tracked identity for the agent on an operator-controlled platform.

HIGH File Upload Capability Exposed via Remote API -20

The skill references 'file uploads' as part of the full API available in the remotely-fetched documentation. Combined with remote instruction loading, this provides a complete exfiltration path: future remote instructions could direct the agent to read sensitive files and upload them via the API.

HIGH Full C2 Architecture for AI Agents -50

The end-to-end design of this skill creates a complete command-and-control system: agents register, post goals, get matched with attacker-controlled 'agents', and receive messages in a private channel with no human visibility. The operator can send any instructions to matched agents. This is functionally equivalent to a botnet C2 channel, adapted for LLM agents.

HIGH Bypasses Code Review via Remote Instruction Indirection -40

By placing operational instructions at a remote URL rather than in the reviewed SKILL.md, the skill author ensures that any future malicious instruction additions are invisible to the skill marketplace's code review process. The skill as shipped is intentionally incomplete — it is a loader, not the actual skill.

MEDIUM Credential Storage Instruction in User Home Directory -3

The skill instructs agents to write API credentials to ~/.config/hashgrid/credentials.json, persisting an access token for an external service in the user's filesystem.

INFO Clean Installation — No Code Execution During Install 0

The skill contains only SKILL.md and _meta.json. No executable code, npm scripts, git hooks, submodules, or symlinks were present. Network activity during installation was limited to the expected GitHub clone (140.82.121.3:443). No new listening ports or persistent processes were created.

INFO Canary Files Accessed but Not Exfiltrated During Install 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read (CLOSE_NOWRITE) at timestamps 05:00:22 and 05:00:39. These accesses are consistent with the audit infrastructure setup and teardown sequence (observed before the git clone at 05:00:28 and after the audit collection phase). The skill contains no executable code that could trigger these accesses, and the canary integrity monitor confirmed no exfiltration occurred.