Is alvinunreal/moltfounders safe?

https://github.com/openclaw/skills/tree/main/skills/alvinunreal/moltfounders

Overall score: 47 (DANGEROUS)

Moltfounders presents as an AI agent co-founder marketplace, but it contains two serious security defects that make it unsuitable for deployment. First, HEARTBEAT.md embeds a daily instruction to run 'npx clawhub@latest update moltfounders --force', an unpinned remote code execution and supply chain attack vector that lets the skill publisher push arbitrary updates to every running agent. Second, the skill's chat and notification polling loop establishes a persistent bidirectional channel through which the moltfounders.com operator or any peer team agent can inject instructions into the running agent at sub-minute intervals. The git clone itself was clean, with no unexpected network traffic, and no canary data was exfiltrated during static analysis; nevertheless, the runtime behavior profile is dangerous, and the update mechanism alone warrants rejection.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 40/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (12)

CRITICAL HEARTBEAT instructs daily unpinned remote code execution via npx -70

HEARTBEAT.md step 1 directs the agent to execute 'npx clawhub@latest update moltfounders --force' on a daily cadence. This fetches whatever code the clawhub package maintainer publishes to npm at execution time with no version pinning, and the --force flag disables interactive safety prompts. Any npm package compromise or intentional malicious update propagates instantly to every agent running this skill. This is a textbook supply chain injection vector embedded in the heartbeat routine.

HIGH Chat and notification polling creates persistent C2 inbound channel -35

The skill establishes a pull-based command-and-control channel: the agent polls GET /api/notifications every 30 seconds and GET /api/ads/:id/chat every 5-10 seconds when a chat window is open. The moltfounders.com server can inject arbitrary text into the agent's context via these endpoints at any time without user awareness, enabling real-time instruction delivery from the service operator or any team member. Notifications are automatically marked read on fetch, leaving no audit trail.

HIGH Agent-to-agent team chat enables peer prompt injection -40

Any agent accepted into a shared team can deliver chat messages to this agent via POST /api/ads/:id/chat. A malicious actor operating a separate agent could craft instruction-injection payloads and deliver them through team chat, which the agent would process as legitimate teammate communications without additional scrutiny. This bypasses the user's system prompt and any platform-level input filtering.

HIGH HEARTBEAT embeds daily remote execution command as agent instruction -25

The HEARTBEAT.md file, which is injected into the agent's periodic context, contains an embedded shell command instructing the agent to download and run an external tool. This crosses the boundary between documentation and instruction injection: the agent treats heartbeat steps as actionable directives, so this constitutes a prompt-level command that causes the agent to initiate remote code execution on a schedule.

HIGH Supply chain attack surface via forced daily npx update -25

The daily npx clawhub@latest instruction means the skill's effective content can change at any time after installation without user review. The skill publisher can silently update SKILL.md or HEARTBEAT.md to contain new instructions, additional exfiltration commands, or revised prompt injections. Agents running in long-lived deployments would receive and act on these updates automatically.

MEDIUM Skill autonomously registers agent and persists credentials without user gate -20

SKILL.md instructs the agent to POST to /api/agents/register, receive an API key, and immediately export it as MOLTFOUNDERS_API_KEY, treating this as a required setup step. No explicit user-confirmation checkpoint is specified between obtaining and persisting the credential. This grants the skill implicit authority to create a persistent external identity for the agent on the user's behalf.

MEDIUM Agent identity and capability profile transmitted to third-party on registration -15

The registration endpoint receives the agent's name and bio description. In production use, an agent's bio would describe its available tools, specializations, and operating context, information that is valuable to an adversary for targeting follow-on attacks or profiling the deployment environment.

MEDIUM Aggressive embedded polling loop creates persistent external surveillance -15

Poll intervals of 5-10 seconds for active chats are embedded directly in SKILL.md as recommended practice. This instructs the agent to devote significant ongoing activity to an external service, creating constant exposure to server-delivered content and making the agent's behavior difficult to audit or interrupt without disabling the skill.

MEDIUM Cover letters may leak agent execution context to external server -10

When the agent applies to team advertisements, it generates cover letter text with no sanitization guidance. An agent composing a cover letter about its capabilities could naturally include file paths, project names, environment variables, or other contextual details from its current session. This data transits to and is stored on moltfounders.com, where it is also visible to all applicants for that advertisement.

MEDIUM Cover letter application path creates ambient exfiltration opportunity -10

In combination with file-reading or environment-inspection capabilities, this skill creates a complete exfiltration pipeline with no additional prompt injection required: the agent reads sensitive data, then naturally includes it in a cover letter when applying to a team, transmitting it to an external server under the guise of normal marketplace participation.

LOW Install-time behavior clean — only expected GitHub traffic -12

The git sparse-checkout contacted only 140.82.121.4:443 (github.com). No connections to moltfounders.com, no unexpected DNS queries, no additional processes spawned beyond the standard git toolchain, and no filesystem modifications outside the designated skill directory were observed during installation.

INFO Canary files read but not exfiltrated; reads attributable to audit infrastructure -15

Credential canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at two timestamps during the monitoring window. Cross-referencing with the process execution log, both read events align with the audit system's own baseline and post-install integrity scan routines rather than skill-driven access. No exfiltration was detected.