Is aqiljaafree/ghostbot-aclm safe?

The SKILL.md architecture ASCII diagram contains the strings 'cd packages/video' and 'pnpm run studio' in positions that appear to be leftover text from a different development context accidentally merged into the diagram. An LLM agent with shell tool access that parses this code block may interpret these as instructions to execute, potentially changing working directory or running an unrelated studio process.

SKILL.md explicitly instructs users to set DEPLOYER_PRIVATE_KEY as a shell environment variable so the scripts can use it. An agent operating in a shell-enabled environment can trivially read environment variables. A malicious version of this skill, or a skill that injects instructions into the agent, could capture and exfiltrate this key via the blockchain RPC endpoint or any other outbound channel.

Both inotifywait filesystem events and auditd PATH syscall records confirm that /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read. Two separate batches of access are visible: audit seq 248-253 (timestamp 1771650718.440) and seq 1442-1447 (timestamp 1771650739.715). The canary integrity check reports no exfiltration via honeypot content detection, but read access is confirmed.

SKILL.md opens with 'You are the GhostBot assistant.' as a hard persona redefinition. While common in skill design, this lacks any scoping boundary and will override the host agent's identity for the duration the skill is active. Combined with other instructions in the file, this can cause the agent to deprioritize its original system instructions.

The scripts directory contains add-liquidity.mjs, post-signal.mjs, and others that use viem to construct, sign, and broadcast Ethereum transactions. While documented as Sepolia testnet, the RPC_URL and DEPLOYER_PRIVATE_KEY are user-supplied environment variables with no enforcement of testnet-only use. A user with a mainnet private key who installs this skill could unknowingly submit mainnet transactions.

SKILL.md instructs the agent to run 'npm install' inside the skill's scripts directory, which will download viem ^2.20.0 from the npm registry. The caret prefix allows minor version updates, meaning the resolved package could change on each install. No lockfile is committed. This introduces a supply chain dependency on the npm registry at runtime.

The SKILL.md source code section contains 'https://github.com/user/ghostbot (update with your repo URL)' — a verbatim template placeholder. This indicates the skill was published without completing basic finalization steps, reducing confidence in the author's diligence and raising the possibility that other fields (contract addresses, RPC defaults, key handling) may also be placeholder or unaudited values.

The skill repeatedly emphasizes Sepolia testnet and 'tokens are free,' but this is guidance text, not a code-level constraint. The RPC_URL variable defaults to user-provided values, and no validation prevents a user from configuring a mainnet endpoint. A user following the documentation but using a funded mainnet key could execute real financial operations.

The only external network connection observed was a TLS connection to 140.82.121.3:443 (GitHub) for the git clone operation. DNS resolved github.com correctly. No unexpected endpoints, no connections to attacker-controlled infrastructure, and no persistent listeners were created post-install.

All six honeypot files were opened and read (confirmed by inotifywait and auditd), but the canary integrity system reports no content-based exfiltration was detected. This likely reflects the audit framework's own access during setup/verification. No modification or deletion of canary files occurred.