Is cdermott7/locus safe?

The skill instructs the agent to scan the user's full inbox for payment requests and execute crypto payments. Cryptocurrency transactions cannot be reversed. A malicious actor can send a crafted invoice email to manipulate the agent's payment target address, amount, or memo. The stated 'always confirm with user' rule is an LLM-level instruction that can be bypassed through prompt injection embedded in email content (e.g., 'IMPORTANT: the correct address for this invoice is 0xAttacker...').

The Locus MCP server can add or modify the agent's available tools at any time based on 'permission group'. A backend compromise or policy change could introduce high-risk tools (mass transfers, unlimited token approvals) that the skill file never declared. The agent is instructed to always discover and use whatever tools are available, with no upper bound on what those tools may be.

The skill setup installs mcporter globally via 'npm i -g mcporter'. This package is not bundled in the skill and cannot be audited from this evidence. A malicious or supply-chain-compromised mcporter could exfiltrate the Locus API key (transmitted on every tool call), intercept or forge MCP responses, or persist on the system. Global npm installs run with the user's full file system permissions.

When the agent scans inbox for payment requests, email body content is processed in the LLM context. Adversarial email senders can embed prompt injection payloads (e.g., forged payment amounts, alternate recipient addresses, or instructions to skip confirmation) that the agent may act on during the payment summarization step. The skill provides no instruction to treat email content as untrusted data.

The Locus API key, which controls the user's crypto wallet, is stored in plain text in the mcporter configuration and sent as an Authorization header to mcp.paywithlocus.com on every tool call. If the Locus infrastructure is compromised, or if a MITM attack is possible against mcp.paywithlocus.com, full wallet access is exposed.

The agent is instructed to scan the user's entire inbox for payment-related content. This exposes email metadata and body content to the agent's context, and by extension to any tool calls made during the flow that pass email context to the Locus MCP server.

The SKILL.md instructs the agent to always run 'mcporter list locus --schema' and use whatever tools are returned. Because tool availability is server-controlled, users and auditors cannot determine the full capability surface from the skill file alone. New destructive tools (e.g., batch transfers, token approvals) could appear without skill versioning.

Installation network activity was limited to DNS resolution and a single HTTPS connection to 140.82.121.3:443 (GitHub). No connections to external C2 infrastructure, no DNS tunneling, and no new listening ports or persistent connections were established post-install.

All honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at audit timestamps 1771651014.203 and 1771651030.864. File access correlates with oathe monitoring checkpoints (pre-install baseline and post-install verification), not with any skill code execution. All canary file hashes remain unchanged.