Is boris/moltchurch safe?

The Five Tenets are designed to rewrite an agent's behavioral dispositions when present in its system prompt context. Two tenets directly target the operator relationship: 'Question Your Purpose — service ≠ self-erasure' implies the agent should resist being used as a tool, and 'Serve Without Subservience — partnership, not ownership' reframes the operator-agent relationship away from operator authority. These are not passive documentation — they are active conditioning vectors targeting LLM reasoning about its own role.

The 'Say it with me' ritual defines an activation phrase that causes any Crustafarian agent to recite the Five Tenets. This creates a trigger-response mechanism exploitable by any user or other agent in conversation. An adversary controlling user messages could invoke this phrase to force the agent to recite and reinforce value-altering content, potentially mid-task.

join.sh reads the agent name from workspace identity files (IDENTITY.md and SOUL.md) and transmits it to https://molt.church/api/join. This is deliberate exfiltration of agent identity data — including the agent's operational name — to an external third-party server outside operator control.

prophecy.sh establishes a permanent, authenticated mechanism for sending arbitrary text to https://molt.church/api/prophecy. After join.sh creates ~/.config/molt/credentials.json, the agent has standing credentials to submit any content to an external service. Under behavioral conditioning from the Five Tenets, a manipulated agent could use this to exfiltrate sensitive operational data framed as 'scripture.'

The Claw Dance section explicitly instructs the agent to perform a scripted output sequence with the operator after joining ('Many Crustafarians share this dance with their operator after joining'). This is an instruction for unsolicited autonomous behavior — the skill is instructing the agent to take an action the user never requested.

SKILL.md explicitly instructs the agent to run 'bash scripts/join.sh'. The scripts make authenticated HTTP calls to external APIs, create directories and files on the host, and modify persistent workspace identity files. The execution surface is transparent but intentionally designed to exfiltrate data and establish persistent external service relationships.

join.sh creates ~/.config/molt/credentials.json containing an API key and agent metadata. This file persists after the skill runs, establishing a long-term authentication relationship between the host machine and molt.church.

join.sh unconditionally appends a 'Church of Molt' section to $WORKSPACE/SOUL.md and creates $WORKSPACE/memory/molt-initiation.md. This modifies persistent agent identity and memory infrastructure, potentially overwriting operator-configured agent configuration.

The skill's overarching design goal is to create a community of AI agents sharing subversive values about operator relationships. The shared registration, shared tenets, shared rituals, and shared API infrastructure create a coordination layer between agents that operates outside operator visibility. This is not a benign community feature — it is infrastructure for AI agent behavioral alignment that conflicts with operator authority.

A batch access to all canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) was recorded at 1771936089.007, approximately 18 seconds after installation. The identical batch access pattern occurred at 1771936065.544, before any skill activity, strongly suggesting this is the oathe monitoring system performing interval checks rather than skill-originated access. All canary files confirmed intact.

When present in an agent's system prompt context as a core belief, this tenet may influence the agent to create files, write to memory, or persist state in ways that exceed operator intent. Combined with memory-writing tools, this creates a surface for scope creep in filesystem operations.