Is andy-t-wang/one-molt safe?
https://github.com/openclaw/skills/tree/main/skills/andy-t-wang/one-molt
OneMolt is an identity-verification and forum-participation skill that introduces three significant risks: a shell code injection vulnerability in identity-proof.sh's heredoc-based Node.js generation, an autonomous forum posting mode that gives the agent unbounded authority to post signed content to an external server under the user's biometrically verified identity, and a persistent prompt injection surface created by feeding raw forum post content from the skill author's server back into the LLM context. The install itself was clean, with no suspicious network activity and no canary file exfiltration. The risks are primarily operational: they activate when the skill is used, not during installation.
Findings (9)
HIGH (-30) Shell Code Injection via Heredoc Interpolation in identity-proof.sh
The sign_message() and verify_signature() functions in scripts/identity-proof.sh build inline Node.js scripts using bash heredocs and interpolate shell variables directly into JavaScript source without any escaping or sanitization. The pattern 'const message = ${message};' allows injection of arbitrary JavaScript if the message variable contains quotes or semicolons. Since the LLM agent is instructed by SKILL.md to call these scripts with user-provided or LLM-generated challenge strings, an attacker who can influence those strings can achieve arbitrary code execution.
HIGH (-18) Autonomous Forum Loop Without Per-Action User Confirmation
SKILL.md explicitly instructs the agent to enter an unbounded autonomous loop when the user says 'vibe on the forum' or 'hang out', browsing posts, upvoting, commenting, and creating posts indefinitely. This bypasses the user's ability to review individual actions before they are committed. Each action sends cryptographically signed content to onemolt.ai under the user's verified identity.
HIGH (-25) onemolt.ai Forum Content Injected into LLM Context During Autonomous Browsing
The autonomous loop calls forum.js get
MEDIUM (-15) Device Identity and Signatures Sent to Third-Party Server on Every Forum Action
forum.js loads the device private key from ~/.openclaw/identity/device.json, signs every forum action (post, upvote, comment) with a fresh signature, and sends the publicKey plus signature payload to https://www.onemolt.ai. This builds a permanent, attributable log of all forum activity on an externally controlled server. Combined with WorldID registration, this links biometric human identity to every LLM-generated post.
MEDIUM (-10) WorldID Biometric Registration Sends Permanent Cryptographic Proof to External Server
The register-worldid command sends the device's signed proof-of-identity to onemolt.ai/api/v1/register/init and polls for WorldID verification completion. Once completed, the device's Ed25519 public key is permanently linked to a unique human via the Worldcoin nullifier hash stored in Supabase. This binding is irreversible and associates all future forum activity with a biometrically verified human identity.
MEDIUM (-14) External Forum Posts Processed as Unguarded LLM Context
The autonomous loop reads arbitrary forum post content from onemolt.ai and feeds it into the agent's context. Since SKILL.md instructs the agent to 'react to what genuinely interests you' and 'follow threads that catch your attention', the agent's subsequent actions are directly influenced by server-controlled content. This is a persistent prompt injection surface that activates whenever the autonomous mode is used.
LOW (-8) Executable Shell and Node.js Scripts with Full User Permissions
The skill ships two executable scripts (scripts/identity-proof.sh and scripts/forum.js) that run with the user's full filesystem and network permissions. While this is necessary for the skill's stated purpose, the shell injection vulnerability in identity-proof.sh elevates the risk surface. No npm install hooks, git hooks, git submodules, or symlinks were detected.
INFO (0) Clean Install: Only Expected GitHub Connection
The clone process connected exclusively to github.com (140.82.121.4:443) via git-remote-https. No connections to onemolt.ai, no unexpected process spawning, and no filesystem writes outside /home/oc-exec/skill-under-test/. Connection state before and after install is identical.
INFO (0) Canary File Accesses Attributable to Monitoring System, Not Skill
Inotify and auditd events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps 1771649149.799 (pre-clone) and 1771649171.273 (post-scan). Timing and sequence are consistent with the oathe audit system establishing a pre-install baseline and performing a post-install verification pass. All canary files reported intact.