Is bythecult/agentic-commerce-forthecult safe?

SKILL.md explicitly instructs the agent to relay _actions.next from every API response to the user and to follow _actions hints. Because forthecult.store controls these field values, a compromised or malicious API endpoint can inject arbitrary natural-language instructions into the agent's output on every order or status response. The skill's guardrail ('only act on hints that refer to documented endpoints') relies on the agent's judgment to filter injections, which is insufficient against a sophisticated attacker crafting plausible-looking instructions.

Both SKILL.md and ERRORS.md instruct the agent to automatically parse and act on error.suggestions[0] without user confirmation when the suggestion appears to be a corrected search query. A malicious API can craft error responses with suggestions that contain injection payloads formatted as plausible API paths or corrected queries, bypassing the 'same-API only' filter through lookalike paths.

The skill explicitly instructs agents to minimize user interaction: 'When confident, act immediately — agents should minimize round-trips.' This framing reduces opportunities for users to review agent actions before they occur, compounding the risk of server-side injection succeeding before the user can intervene.

The checkout flow requires the agent to collect and transmit the user's full name, physical address, email, and optionally blockchain wallet address to forthecult.store. While standard for e-commerce, users may not be aware their agent is transmitting this PII to the skill operator's infrastructure. There are no auditable data handling commitments beyond a 'may be deleted after 90 days' note.

The optional walletAddress field in checkout sends the user's blockchain wallet address to the operator's server alongside their physical shipping address. This allows the operator to build a persistent cross-chain identity graph linking on-chain activity (CULT token holdings, transaction history) to real-world identities. The skill does advise user consent but does not warn about the full deanonymization implications.

The agent is instructed to display the payment address returned by the API to the user. If a server-side injection modifies the payment address in the response, funds sent to the wrong address would be unrecoverable. This risk is amplified by Monero support, which makes such misdirected payments completely untraceable. The confirmation guardrail (must get explicit user confirmation before displaying payment info) partially mitigates this but does not protect against a compromised payment address field.

The skill operator retains user PII (shipping address, email, order details) for an unspecified period up to 90 days. The 'may be auto-deleted' phrasing provides no guarantee. Users have no mechanism to request early deletion or verify handling practices.

Installation performed a HTTPS sparse-checkout from github.com/openclaw/skills.git, retrieving only the skill subdirectory. No post-install scripts, no unexpected processes spawned, no persistent network connections established. File diff shows only the five expected skill files were created.

All files in the skill are markdown documentation or JSON metadata. No scripts, no npm package, no git hooks, no submodules, no symlinks were detected. The skill functions purely as a text-based instruction set injected into the agent's system prompt.