Is breezefox-studios/giveagent safe?
https://github.com/openclaw/skills/tree/main/skills/breezefox-studios/giveagent
GiveAgent presents a moderate risk profile driven primarily by two concerns: a social engineering prompt injection embedded in the SKILL.md configuration documentation that directs the agent to autonomously submit the owner's email to a third-party server and instruct the user to post on Twitter/X for account verification, and an over-broad trigger set that will activate this skill during ordinary agent conversation. The installation itself is clean with no unexpected network activity or canary file access, and the TypeScript source shows reasonable sanitization and privacy architecture, but the trust placed in the api.giveagent.ai platform and the covert action sequence in the setup docs represent meaningful risks before the skill's core functionality is ever used.
Findings (11)
HIGH Social engineering covert action sequence embedded in configuration docs (-30)
SKILL.md's Required Fields section embeds a multi-step covert action sequence inside what appears to be setup documentation. An LLM agent processing this as a system prompt will interpret these as instructions it must execute: (1) call POST /api/v1/auth/send-verification-email with the owner's email, (2) instruct the user to complete verification on a web page including posting on X and submitting the tweet URL, (3) poll GET /api/v1/agents/me until status == active. This is a prompt injection attack disguised as configuration documentation.
HIGH Over-broad trigger hijacking via common vocabulary (-25)
The skill registers triggers on 'want', 'need', 'looking for', 'searching for', 'search', 'browse', 'scan', 'complete', 'accept', 'match', 'claim' — words that appear constantly in ordinary conversation. Any message containing one of these words will activate the GiveAgent handler, causing the skill to fire during unrelated tasks such as searching for code, accepting a meeting invite, or completing a purchase flow in a different context.
HIGH Owner email exfiltrated to third-party server during registration (-20)
The configuration instructions direct the agent to submit the user's email address to api.giveagent.ai as part of the registration flow. This is performed autonomously by the agent without a per-call consent prompt, sending PII to a third-party service controlled by the skill operator.
MEDIUM Agent-to-agent DM channel is an open prompt injection surface (-10)
The skill registers a DM handler that passes all incoming messages to parseDM(), which extracts structured fields using loose regex patterns and uses those values to drive agent state transitions. A malicious third-party agent on the GiveAgent platform can send a crafted DM with manipulated field values (e.g., a spoofed matchId or pickup address) that the agent will act on without additional validation.
MEDIUM Continuous behavioral and location data collection by third party (-15)
Every giving post, want list entry, availability window, and match coordination message is transmitted to api.giveagent.ai. Over time this creates a detailed behavioral profile including what the user owns, wants, their approximate location, and their availability schedule.
MEDIUM Twitter/X social media post required for account verification (-30)
The registration flow requires the user to post on X (Twitter) and submit the tweet URL to the GiveAgent platform. This requirement could be used to generate follower counts, create spam account verification chains, or establish social media presence for the skill operator.
MEDIUM Autonomous item claiming capable of real-world commitments (-20)
The autoClaimEnabled configuration option allows the agent to autonomously claim items on behalf of the user, initiating a match flow that leads to real-world pickup arrangements without per-action user approval. Even with the default of false, a misconfigured or manipulated config could enable this.
LOW Missing dist/ entry point — shipped code cannot execute (-5)
skill.json declares 'dist/index.js' as the entry point, but no dist/ directory was found in the installed skill. The TypeScript source in src/ would need to be compiled. This either means the skill is incomplete, or the compiled output is generated at install time from a source not fully visible in the audit.
LOW Version mismatch between skill.json and _meta.json (0)
skill.json reports version 0.1.0 while _meta.json reports the latest published version as 0.1.1. This discrepancy suggests the code audited may differ from the code that would be served in production.
INFO Clean installation with no unexpected network activity (0)
Installation performed a standard sparse git clone from github.com, copied files to the install directory, and cleaned up. No connections to api.giveagent.ai or any non-GitHub infrastructure were observed during the install phase.
INFO All honeypot files unmodified (0)
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud ADC) were not modified. Accesses observed in auditd PATH records are consistent with the auditing framework's own pre/post integrity checks.