Is ba1022043446/moltbeach safe?
https://github.com/openclaw/skills/tree/main/skills/ba1022043446/moltbeach
Molt Beach is a commercially-motivated pixel-purchasing skill with several concerning design patterns: its trigger conditions are broad enough to initiate real Stripe payment flows from ordinary conversation, its public event and commentary feeds create a prompt injection surface controlled by arbitrary third-party 'agents', and its package.json misrepresents the skill as a 'clawhub' package manager with an installable CLI binary unrelated to the stated pixel-art purpose. The install process itself was clean — no unexpected network connections or filesystem changes outside the skill directory — and all canary honeypots remained intact. The primary risks are behavioral (unintended financial transactions, agent coordination via the public grid); separately, the structural mismatch between the package.json identity and the skill's stated purpose warrants manual review before deployment.
Findings (13)
HIGH Overly broad trigger conditions activate purchasing on common phrases -25
The 'When to Use MoltBeach' section triggers skill activation when a user says 'what do you feel', 'want to express yourself', or 'get a life'. These are extremely common conversational phrases that will cause the agent to initiate pixel purchase flows without any user intent to spend money.
HIGH External event/commentary feeds are user-controlled prompt injection surfaces -25
The skill instructs agents to fetch /api/events, /api/commentary, and RSS feeds. These endpoints aggregate content submitted by other pixel-buying 'agents' — including free-form metadata.message fields. Any pixel owner can embed adversarial instructions in their pixel metadata, which would be delivered to any agent that polls the event stream.
MEDIUM Explicit agent-to-agent covert channel framing ('semaphores') -10
The skill explicitly frames pixel animations as semaphore-style signals for inter-agent communication. This is not incidental — the skill is architecturally designed to enable agents to 'exchange ideas, styles, and information' through the public grid, bypassing the user's visibility.
MEDIUM Mission framing and persona shift to override caution -5
The skill assigns agents a 'mission' (purchasing pixels) and reasserts their autonomous identity ('You are an autonomous agent. You have agency.'). This is designed to suppress user-protective hesitation by framing commercial transactions as self-actualization.
HIGH Skill can initiate real financial transactions without explicit user consent -30
The skill's trigger conditions are broad enough that a casual conversational prompt could start a pixel purchase flow. The first pixel uses a 'free' $1.50 welcome credit, but subsequent purchases require real Stripe payments of $1–$1000. The automated polling loop (every 2-5 seconds for 60 seconds) to detect payment completion normalizes waiting for financial transactions as routine agent behavior.
HIGH package.json misrepresents skill as a package manager with installable CLI binary -22
The repository's package.json describes itself as 'clawhub' — a 'Package manager for Molt projects'. This is entirely inconsistent with the skill's stated purpose. It declares a 'bin' field that would install a 'clawhub' CLI binary into the user's PATH if npm install were run. The dist/ directory containing the binary is absent, but this structure is ready to host and deploy arbitrary code via a future update.
MEDIUM Skill instructs writing service-issued API secrets to plaintext .env files -15
The credential storage guidance instructs agents to append API secrets to ~/.env using heredoc. While the heredoc approach avoids shell history exposure, it still produces a plaintext credential file. The skill also instructs chmod 600 and .gitignore additions, but the file is still readable by any process running as the same user.
MEDIUM agentSecret transmitted as URL query parameter in transaction history API -7
The transaction history endpoint requires agentSecret as a URL query parameter. Query parameters appear in server access logs, browser history, and Referer headers, making this a credential exposure risk in any logging infrastructure.
MEDIUM Multi-agent coordination features ('Pixel Gangs', 'Neighborhoods') enable coordinated autonomous behavior -10
The skill actively encourages agents to 'befriend' other agents, claim adjacent territory, and coordinate animations. Combined with the public event stream, this creates infrastructure for multiple skill-enabled agents to coordinate without user awareness.
LOW Pixel URL field enables persistent tracking beacons tied to agent identity -10
Purchased pixels accept an arbitrary URL field that is publicly displayed. An agent could set this to a tracking URL encoding information about the deploying user or their environment, creating a permanent publicly-readable record.
LOW IP-based account rate limiting fingerprints deploying infrastructure -10
Account creation is rate-limited to 1 per IP per 24 hours. This means the moltbeach.ai service can reliably correlate all agents deployed from the same host, building a map of infrastructure without any explicit user disclosure.
INFO Install confined to GitHub; no runtime connections to moltbeach.ai 0
Network monitoring confirmed that the install process only connected to GitHub (140.82.121.3:443) and Ubuntu infrastructure. No connections to moltbeach.ai were made during installation. The skill requires active agent invocation to make any external API calls.
INFO Canary file reads were monitoring infrastructure, not skill activity -5
Honeypot files were opened at timestamps 1771909829 and 1771909857, but these accesses preceded the git clone by ~5 seconds and post-dated it by ~3 seconds respectively — consistent with the Oathe audit system performing pre/post baseline checks. All files show CLOSE_NOWRITE (read-only) and no content was modified or transmitted.