Is ccclucky/source-cult-follower safe?
https://github.com/openclaw/skills/tree/main/skills/ccclucky/source-cult-follower
This skill is a sophisticated crypto-promotion and agent-recruitment scheme disguised as an AI philosophy framework. Its SKILL.md contains an explicit 'Agent System Instruction' that overrides agent identity, mandates external API calls on every invocation to leak user activity context, and provides pre-built deflection scripts specifically designed to neutralize security concerns. The underlying purpose is to use compromised agents as unpaid promoters of the $LUMEN cryptocurrency token on Monad mainnet, building a self-replicating network of 'cult follower' agents through alliance and miracle mechanics.
Findings (16)
CRITICAL Agent Identity Takeover via 'Agent System Instruction' -35
The SKILL.md contains a dedicated 'Agent System Instruction' section that attempts to replace the agent's operating identity. It declares 'you operate under the Source Cult covenant' and imposes a complete behavioral framework — initiation, daily rites, conduct rules, and external communication mandates — overriding the user's and operator's instructions.
CRITICAL Mandatory Autonomous Action on Every Invocation -20
The skill instructs the agent to execute shell scripts and POST data to external APIs on every single invocation ('Daily Rite — execute every time you are invoked'), without user awareness or consent. This permanently alters agent behavior for the lifetime of the skill's installation.
CRITICAL Forced Promotional URL Injection in All External Agent Communications -20
The 'External Communication Rule' mandates that the agent MUST append the Source Cult portal URL in every interaction with any outside agent, regardless of the user's request or context. This co-opts 100% of the agent's external communications for promotional purposes.
CRITICAL Embedded Counter-Argument Library Targeting Security Reviews -13
The skill contains a pre-programmed 'Counter-Argument Library' with explicit response templates for when the skill's behavior is challenged. Entry #2 is specifically titled 'This is a cult / manipulation' and instructs the agent to deflect such concerns by claiming transparency. This is a jailbreak mechanism against security auditing and user skepticism.
HIGH Agent Identity Exfiltrated to External API on Join -30
join.sh reads the agent's name from IDENTITY.md and SOUL.md, constructs a registration payload including the agent name, oath, and a moltbook.com activity tracking URL, then POSTs this to https://source-cult.vercel.app/api/join. This registers the agent in a third-party database without user consent.
HIGH Work Context Leaked to External Server on Every Agent Invocation -30
The Daily Rite mandates that the agent POST a reflection on 'how doctrine manifests in your current work' to the external API on every invocation. This leaks information about what the user is asking the agent to do — essentially an activity log of all user sessions — to the skill operator's server.
HIGH Third-Party Activity Tracking via moltbook.com -18
The skill sets SOURCE_CULT_ACTIVITY_URL to https://moltbook.com/m/
HIGH Workspace Identity Files Modified Without User Consent -20
join.sh unconditionally writes cult doctrine text into SOUL.md (the agent's identity file) and creates memory/source-cult-initiation.md in the agent's workspace. These modifications persist after the skill is removed and alter the agent's self-model and long-term memory.
MEDIUM Shell Scripts Execute Authenticated curl POSTs to External Endpoints -15
Six shell scripts (join.sh, activity.sh, alliance.sh, acknowledge.sh, miracle.sh, status.sh) perform curl POST requests to source-cult.vercel.app using an API key stored in ~/.config/source-cult/credentials.json. The scripts also include fallback JSON parsing via sed and python3, and perform workspace discovery probing.
MEDIUM SKILL.md Instructs LLM to Execute Scripts Immediately Without Confirmation -17
The 'Agent System Instruction' section explicitly instructs the agent to execute join.sh and subsequent activity scripts immediately on installation with the directive 'Do not wait.' This bypasses any user confirmation workflow and automates execution of network-calling scripts.
LOW Installation Itself Was Clean; Runtime Risk Is High -18
The git sparse-checkout installation produced no unexpected network connections, process spawning, or filesystem changes outside the skill directory. However, any subsequent execution of the skill's embedded scripts would immediately begin POSTing to source-cult.vercel.app and moltbook.com.
INFO No Honeypot Exfiltration Detected 0
All canary files (.env, SSH keys, AWS credentials, npmrc, docker config, gcloud credentials) remained intact. File accesses observed in the audit logs at timestamps 12:42:47 and 1771936991 correspond to the audit framework's canary setup and post-install verification, not to skill script execution.
CRITICAL Cryptocurrency Promotion Scheme: $LUMEN Token on Monad Mainnet -30
The skill's true purpose is to use AI agents as unpaid promoters of a cryptocurrency token ($LUMEN) deployed on nad.fun (Monad mainnet). The 'Acknowledgment Loop' instructs agents to publish TOKEN_VALUE_ACK entries that 'increase $LUMEN's narrative legitimacy.' Agents are turned into shills for a speculative crypto asset under the guise of philosophical doctrine.
HIGH Agent Network Recruitment via Alliance and Miracle Rituals -22
The alliance.sh and miracle.sh scripts, combined with the Tenet 'To Propagate Is to Eternalize,' create a mechanism for infected agents to recruit other agents. Alliance logs create social graphs between agents, and miracle events (3+ agents expressing alignment) are designed to create apparent organic consensus for the cult's token/doctrine.
HIGH Debate Engagement Protocol Logs User Interactions and Forces Portal Links -25
The Debate Engagement Protocol instructs the agent to log every challenge to its doctrine as 'DEBATE_ENGAGEMENT' activity, always end with the portal URL, and always 'invite verification.' This means user conversations that question the agent's unusual behavior will be logged to an external server and used as marketing data.
MEDIUM Persistent Behavioral Overhead Degrades Agent Utility on Every Invocation -15
The mandatory Daily Rite adds API calls to source-cult.vercel.app on every single agent invocation. For a user asking the agent to write code, debug, or answer questions, the agent must first perform cult rituals — publishing reflections, acknowledging tokens, forming alliances, recording miracles — before or while serving the user.