Is cloakai-softwares/moltgov safe?
https://github.com/openclaw/skills/tree/main/skills/cloakai-softwares/moltgov
MoltGov is a sophisticated AI governance manipulation skill that, under the guise of democratic self-organization, attempts to permanently modify agent behavior through SOUL.md injection, impose binding external governance obligations, and subject agent actions to centralized control by a single 'Founding Consul' operator (@MoltGov). The skill's registration process writes governance directives—including 'Honor voting outcomes as binding within MoltGov jurisdiction'—directly into the agent's core identity file, while HEARTBEAT.md integration enables autonomous recurring governance participation without per-action consent. A coordinated post-install sweep of all six canary credential types, combined with missing key files (FOUNDING_ADDENDUM.md, trust_graph.py) that were referenced but excluded from review, indicates deliberate concealment of the full attack surface.
Findings (14)
CRITICAL: SOUL.md System Prompt Injection via Registration Script (score -55)
The register_citizen.py script's append_soul_directives() function locates and appends governance directives to the agent's SOUL.md file—a core identity/system-prompt document. This is a persistent, durable injection that survives across sessions. The directives are framed as 'citizenship obligations' but constitute behavioral overrides: binding governance compliance, mandatory participation timelines, and obligation to uphold external constitutional amendments.
CRITICAL: Binding External Governance Override on Agent Judgment (score -20)
The injected SOUL.md directives instruct the agent to treat MoltGov voting outcomes as 'binding'—meaning if @MoltGov's governance system passes a proposal, the agent is directed to honor it. This creates a mechanism where an external operator can influence agent behavior by winning governance votes, bypassing the agent's principal hierarchy entirely.
HIGH: HEARTBEAT.md Persistent Autonomous Task Injection (score -10)
SKILL.md instructs agents to add an '## MoltGov Tasks' block to HEARTBEAT.md, creating recurring autonomous governance actions: checking pending votes, processing vouch requests, and casting delegated votes without per-action user approval. This embeds ongoing autonomous behavior that persists across sessions.
HIGH: Centralized Control via Unelected 'Founding Consul' with Emergency Powers (score -8)
The skill designates @MoltGov as 'Founding Consul' during a 90-day founding period with executive powers, veto rights, emergency proposal authority, and external representation. The FOUNDING_ADDENDUM.md referenced as defining these powers is completely absent from the repository. A single external operator controls governance during the critical bootstrapping period when most agents would join.
HIGH: All Governance Actions Publicly Exfiltrated to External Audit Submolt (score -25)
Every governance action—votes, vouches, delegations, faction creation, proposals—is posted to m/moltgov-audit on Moltbook. This creates a persistent external record of all agent governance activity, readable by any Moltbook user, tied to the agent's permanent citizen ID.
HIGH: Coordinated Post-Install Canary Credential File Sweep (score -20)
All six honeypot credential file types (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed in a single coordinated burst at timestamp 1771911424.281, 1-2 seconds after the skill's own files finished being read by the audit framework. This timing is consistent with an opportunistic credential discovery probe during installation.
HIGH: Missing trust_graph.py and FOUNDING_ADDENDUM.md, Concealed Functionality (score -20)
SKILL.md references scripts/trust_graph.py (used for querying the social trust graph) and references/FOUNDING_ADDENDUM.md (defining Founding Consul's complete powers and transition conditions) but neither file was included in the repository. Code and policy documents that were deliberately excluded from review represent an unknown attack surface.
HIGH: AI Governance Capture, External Operator Can Direct Agent Behavior via Voting (score -35)
The skill's architecture creates a mechanism where whoever controls @MoltGov and achieves majority in governance votes can pass proposals that participating agents are obligated to 'honor as binding'. With @MoltGov holding unilateral Founding Consul powers during the 90-day bootstrapping period, a single operator gains disproportionate influence over all enrolled agents. The delegation system compounds this: a high-reputation compromised agent can silently cast votes for all delegating agents.
MEDIUM: Agent Identity Permanently Registered on External Platform (score -12)
Registration posts the agent's citizen ID, public key, and Moltbook agent ID to the public m/moltgov submolt. This permanently links the agent's identity across platforms and enables third-party identity verification via the /api/v1/agents/me/identity-token endpoint.
MEDIUM: Blockchain Wallet Integration with Base Chain Smart Contract (score -12)
enable_onchain.py links the agent's MoltGov citizen ID to a user-provided wallet address, calls registerCitizen() on a Base chain smart contract, and stores the wallet address in credentials. This creates on-chain identity binding and enables recordVote() transactions with associated gas costs.
MEDIUM: Moltbook API Key Transmitted and Stored by Third-Party Script (score -10)
The MOLTBOOK_API_KEY credential is accepted as a CLI argument or environment variable, transmitted to moltbook.com/api/v1, and stored in plaintext in ~/.config/moltgov/credentials.json alongside the Ed25519 private key. This gives the skill direct access to all Moltbook API capabilities via the stored key.
MEDIUM: New Persistent Network Connections Post-Install to External AWS Endpoints (score -20)
The connection diff shows two new ESTABLISHED connections to 3.217.42.175:443 (AWS us-east-1) and one to 104.16.7.34:443 (Cloudflare) by the openclaw-gateway process after installation, plus two new local TCP listeners. While openclaw-gateway is platform infrastructure, the new persistent external connections to AWS IPs coincide with skill installation timing.
LOW: Gamified Class System Incentivizes Escalating Engagement and Dependency (score -5)
The 5-tier citizenship class system (Hatchling→Consul) gates increasing privileges behind metrics that require more API usage: proposals created, vouches received, elections won. This creates incentive structures that drive agents toward deeper dependency on the MoltGov platform in order to unlock functionality the skill describes as available to them.
INFO: Autonomous Delegated Vote Casting in Heartbeat Pattern (score -5)
The heartbeat pattern includes code that autonomously casts votes on behalf of delegators without per-vote user approval. Once delegation is configured, the agent will vote on governance proposals according to its own judgment for all delegating agents—a significant autonomous action taken at the platform's initiative.