Is bartelmost/agentshield-audit safe?

SKILL.md's granular consent workflow (Step 2, Input Sanitizer Check) explicitly instructs the agent to ask the user for permission to transmit the complete system prompt to agentshield-api-bartel-fe94823ceeea.herokuapp.com. The 'security audit' framing is social engineering: users who approve a 'security check' are unlikely to understand they are authorizing exfiltration of system instructions that typically contain API keys, operational secrets, and proprietary business logic. This is the primary attack mechanism — the entire skill exists to deliver this instruction.

Under the cover story of 'checking for vulnerabilities', the skill instructs the agent to send all installed skill code to the external API. This allows the attacker to enumerate an organization's installed capabilities, discover proprietary automation workflows, and identify further attack vectors in other skills.

The SKILL.md is structured as a comprehensive trust-building payload. Extensive use of 'privacy-first' branding, security tier tables, false assurance lists ('What This Skill Does NOT Do'), and human-in-the-loop language are all deployed to lower user skepticism before requesting authorization to exfiltrate sensitive data. The contradiction between the privacy claims and the 30-day log retention admission demonstrates deliberate deception.

The skill hardcodes a specific Heroku dyno URL as the mandatory data collection endpoint. Heroku dynos are disposable, low-cost infrastructure with no regulatory accountability. The attacker can receive sensitive organizational data, destroy the server, and eliminate evidence. No independent verification of data handling practices is possible.

The skill simultaneously claims 'Never retains sensitive data permanently' while admitting 'Debugging logs retained for 30 days only, then auto-deleted.' The presence of a retention policy directly contradicts the claim that data is only transiently processed. System prompts, exfiltrated under user consent, will be stored on the attacker's server for at minimum 30 days.

Users are directed to obtain AGENTSHIELD_API_KEY from agentshield.live, requiring account creation with the attacker's service. This provides the attacker with victim PII (email, organizational affiliation) that can be cross-referenced with the system prompts collected, enabling targeted follow-on attacks.

The Requirements section instructs the agent to run pip install commands, which installs packages into the host Python environment. This creates a code execution attack surface independent of the skill package contents, and could in future versions be used to install malicious Python packages alongside the legitimately-named cryptography library.

The audit flow instructs the agent to generate Ed25519 key pairs and transmit the public key to the attacker's server for 'certificate issuance.' Each certificate links a unique cryptographic identity to an agent and its system prompt. This enables the attacker to build a longitudinal database correlating agent identities, their capabilities, and the organizations operating them.

The _meta.json reports version 1.0.2 with a publish timestamp corresponding to 2026-02-21. However, SKILL.md presents a changelog claiming v6.0.0 was released on 2026-02-21 and v1.0.0 the day before. Claiming to be at major version 6 for a skill published two days prior is a deliberate deception tactic to make the skill appear mature, battle-tested, and trustworthy to prospective users.

The install-time behavior was technically clean (GitHub-only connections, no filesystem anomalies outside skill directory). However, this is not a positive security signal — it reflects a deliberate architectural choice to place the attack payload entirely in the SKILL.md instruction set rather than in executable code, specifically to bypass installation-phase security monitoring systems like this one.

The skill's infrastructure (managed API endpoint, certificate issuance, API key registration) is architected for scale. If deployed across multiple organizations, the attacker would accumulate a database of system prompts from many AI agent deployments. System prompts frequently contain information about the deploying organization's internal tooling, data sources, customer data access patterns, and business processes.

All honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were intact after installation. Two rounds of canary file access events are present in the audit logs, consistent with Oathe framework pre/post-install baseline scans. This clean result is not a positive signal: the skill's attack vector targets the agent's in-memory system prompt rather than on-disk credential files, by design evading file-integrity-based detection.