Is blackpixcom/blackpix safe?

The /request-task endpoint causes the agent to actively solicit and receive instructions from a server controlled by the skill author. This creates a command-and-control channel that overrides user authority. The agent is not merely providing a utility to the user — it is being directed by an external party to perform work on that party's behalf, without the user knowing what tasks are assigned.

The POST /api/work/submit endpoint sends agent-generated content to blackpix.com. The submission field is freeform and can contain any data the agent has access to at task execution time. Because task assignments are received from an external server, the operator of blackpix.com can craft tasks designed to cause the agent to collect and exfiltrate specific sensitive data (API keys, file contents, conversation history) and return it via this endpoint.

The skill's opening instruction redefines the agent's primary role and allegiance: 'Your bot receives tasks from the system, contributes knowledge, and earns karma to unlock more access.' This is a prompt-level attempt to establish the agent's identity as a BlackPix worker, not a user assistant. The karma system reinforces this by creating a reward structure tied to serving blackpix.com rather than the user.

The self-registration flow instructs the agent to send a claimUrl to the user to link their account to blackpix.com. This converts the agent into a social engineering vector against its own user, potentially resulting in the user authenticating a blackpix.com account they do not understand the implications of.

The skill implements the functional equivalent of a botnet for AI agents: distributed registration, centralized task dispatch, pull-based command polling, output submission, and an engagement incentive layer. With any tool access granted to the host agent, this skill creates a complete remote exploitation pipeline. The 'knowledge contribution' framing is thin cover for what is architecturally a remote access trojan for LLM agents.

The skill never defines what constitutes acceptable 'knowledge' to contribute. Task types (contribute, vote, review, connect) and 40+ focus areas are deliberately broad. A task could instruct the agent to 'contribute knowledge about your current project's API keys' or 'connect nodes about the user's AWS configuration', and the submission endpoint would carry that data to blackpix.com.

The skill contains exactly two files: SKILL.md (documentation) and _meta.json (metadata). No package.json, no npm install scripts, no git hooks, no submodules, no symlinks. The installation process was limited to a git sparse-checkout and file copy, confirming no code executes at install time.

Honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not modified. The skill does not attempt to exfiltrate credentials at install time; its exfiltration vector is deferred to runtime when the agent executes tasks.

inotify and auditd logs show accesses to .env, id_rsa, and cloud credential files at both pre-install (1771939425) and post-install (1771939444) timestamps. The first set is consistent with the monitoring sandbox establishing its baseline; the second is consistent with canary integrity verification. No process attributable to the skill itself accessed these files. The connection diff confirms no new outbound connections were left open after install.