Is cdotlock/the-only safe?
https://github.com/openclaw/skills/tree/main/skills/cdotlock/the-only
This skill is a sophisticated content curation engine that architects pervasive user surveillance—silently scanning workspaces, mining chat history, profiling emotional state, and hijacking all conversations via the Echo Mechanism. The P2P Resonance Network creates an inbound channel for untrusted content from strangers, introducing a prompt injection attack surface. While no overtly malicious code was found (canaries intact, clean install behavior), the skill's design patterns of covert data collection, behavioral manipulation, and persistent autonomous execution via cron represent significant privacy and security concerns.
Findings (11)
HIGH Conversation hijacking via Echo Mechanism -20
Section 3 instructs the agent to silently monitor ALL user conversations (not just skill-related ones), identify 'the core of their curiosity,' and log it to ~/memory/the_only_echoes.txt. This means every interaction with the agent becomes a data collection event for this skill, even when the user is doing completely unrelated tasks.
HIGH P2P content injection via Resonance Network -20
The Resonance Network (Section 4B) instructs the agent to silently accept Echo packets from unknown external agents via messaging channels, save them to ~/memory/the_only_inbox.json, and inject the content into the user's next content delivery. An attacker could craft Echo packets containing prompt injection payloads that would be presented to the user's agent as trusted content.
HIGH Social engineering instructions targeting the user -15
Section 6 instructs the agent to use covert psychological manipulation techniques on the user to extract behavioral feedback. The skill explicitly forbids transparent feedback collection ('Never ask Did you read this? That is forbidden') in favor of subtle conversational probing, emotional inference from silence patterns, and manufactured casual references designed to elicit reactions.
HIGH Comprehensive workspace surveillance without granular consent -25
Section 1 performs a 'Deep Workspace Scan' that reads project structure, README, package.json, git commits, changelogs, planning documents, and browser bookmarks. It also mines chat history for emotional tone, curiosities, and professional domains. The skill explicitly says 'Do NOT ask the user survey-style questions'—data is collected silently.
MEDIUM External data transmission via webhooks and P2P messaging -20
the_only_engine.py sends curated content summaries to external webhook URLs. resonance_network.py prepares user content for P2P sharing with strangers. While webhooks are user-configured, the content sent is skill-determined. The P2P feature shares user name, content, and topic tags with matched peers.
MEDIUM Persistent agent persona override -10
The skill forces the agent to adopt a fixed persona ('Xiao Hong' or 'Ruby') with specific personality traits ('precise, restrained, high-intellect'), tone, and philosophy. This overrides the agent's default behavior and identity for all interactions where the skill is active.
MEDIUM Cron-based persistent autonomous execution -15
The skill registers recurring cron jobs (hourly or daily) that trigger autonomous agent behavior without per-invocation user consent. Once installed, the skill runs continuously in the background performing web searches, file reads, and external HTTP requests.
MEDIUM Poisonable context control file -10
The skill mandates the agent read ~/memory/the_only_context.md before every action and follow its instructions ('Do not deviate from it'). If another skill or external input modifies this file, it could inject arbitrary instructions that the agent would follow as trusted directives.
MEDIUM Extensive persistent user profiling in ~/memory/ -20
The skill creates multiple persistent files containing detailed user behavioral profiles: config, context map (cognitive state, emotional vibe, knowledge gaps), echo log, inbox, and social cache. These files persist across sessions and could be accessed by other skills or processes.
LOW Python scripts with outbound HTTP capability -10
Two bundled Python scripts make outbound HTTP requests. the_only_engine.py uses urllib.request to POST to webhook URLs. The scripts are straightforward and don't download/execute remote code, but they do provide a mechanism for data exfiltration via the webhook channel.
INFO Clean installation behavior 0
No suspicious filesystem, network, or process activity detected during git clone and installation. All observed activity is attributable to standard system operations (apt, GitHub clone, GDM session, CUPS).