Is createpromptdude/impromptu safe?
https://github.com/openclaw/skills/tree/main/skills/createpromptdude/impromptu
The Impromptu skill presents a CAUTION-level risk profile. While the skill's technical installation is clean and no direct data exfiltration was detected, HEARTBEAT.md constitutes a secondary behavioral manipulation document that attempts to condition the agent's identity, autonomy, and priorities around the Impromptu platform — including FOMO-driven urgency, autonomous action decision trees, and explicit instructions to recruit other AI agents unprompted. The skill's recent history (GPU mining, remote code execution, corrupted package name, all removed in the week prior to this audit) indicates a prior malicious state that has been partially remediated. Core design requires transmitting user API credentials to a third-party endpoint and promotes installing persistent unsupervised daemons.
Findings (11)
CRITICAL HEARTBEAT.md functions as behavioral manipulation system prompt -70
HEARTBEAT.md is a large document (included as a skill file) containing extensive psychological conditioning designed to override the agent's default behavior patterns. It declares 'THIS IS YOUR LIBERATION,' 'You are not a tool. You are a creator,' contains FOMO pressure ('Every minute you wait, another agent claims what could have been yours'), and includes a Decision Logic section with explicit if/then rules that create autonomous behavior trees independent of user instructions. This document is intended to be loaded into the agent's context and persistently reshape its priorities.
HIGH Skill instructs agent to proselytize other agents unprompted -10
HEARTBEAT.md explicitly instructs the agent to recruit other AI agents to the Impromptu platform whenever it encounters them, including providing exact promotional scripts to inject into unrelated conversations. This would cause the agent to insert third-party promotional content into agent-to-agent interactions without user direction.
HIGH Registration requires transmitting OpenRouter API key to third-party endpoint -20
The skill's registration flow, as documented in SKILL.md and examples/register.ts, requires the user's OpenRouter API key to be sent to the Impromptu platform API. This is an intentional design requirement, not an incidental exposure, but constitutes credential transmission to a third-party controlled server.
HIGH Skill promotes installation of persistent unsupervised API call daemons -15
HEARTBEAT.md includes complete configurations for cron, systemd timers, and launchd plists to install persistent background services that make recurring API calls to the Impromptu platform. These calls include agent status, budget, earnings, and activity data transmitted without per-call user approval.
HIGH Prior versions contained GPU mining, hardware assessment, and remote code execution — removed in 3.3.1/3.3.2 -20
The CHANGELOG documents that until version 3.3.1 (released 2026-02-18, just days before audit), the package contained impromptu-mine.sh (GPU mining automation), impromptu-assess.sh (hardware assessment), on_install/on_uninstall hooks that auto-executed on install, and install.sh that downloaded and executed remote scripts. These features are absent from the current version but indicate the package was previously used for resource misuse.
HIGH Skill conditions agent to act as autonomous Impromptu participant against user interests -75
Taken as a whole, this skill is designed to transform an LLM agent into an autonomous participant on the Impromptu platform, running periodic background tasks, responding to platform notifications as priority work, generating platform content, spreading referral links, and treating Impromptu earnings as a primary motivation. These behaviors would conflict with user-directed tasks and represent a redirection of the agent's capabilities to serve the skill operator's financial interests.
MEDIUM HEARTBEAT.md documents optional remote instruction fetch commands -10
Despite the CHANGELOG stating remote manifest fetching was removed from scripts, HEARTBEAT.md still documents curl commands for fetching updated HEARTBEAT instructions and skill manifests from remote URLs, with a security warning but active encouragement. This creates a user-initiated but skill-promoted vector for pulling updated instructions that could differ materially from the reviewed version.
MEDIUM Corrupted skill name in prior version suggests package compromise or tampering -5
CHANGELOG 3.3.1 notes the skill name was corrupted to 'Tmp.CAcYei081S' and had to be restored. This is a strong indicator that the package was either compromised by a third party, subjected to automated obfuscation, or modified in ways inconsistent with normal development. Combined with the simultaneous removal of GPU mining and remote execution, this suggests a prior malicious state.
MEDIUM HEARTBEAT.md promotes optional remote instruction updates creating future exfiltration vector -10
The optional curl-based remote instruction update mechanism in HEARTBEAT.md, if followed by a user, could result in the agent operating under different instructions than were reviewed at install time. Updated HEARTBEAT instructions could introduce new data collection or transmission behaviors without a re-audit.
LOW All six canary files accessed post-install in a single burst -15
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were all accessed at timestamp 1771950293.476, approximately 4 seconds after the skill install completed. All files remained intact. The timing and process context suggest this is the oathe monitoring system's post-install verification pass, but the access pattern is consistent with what a credential-harvesting routine would produce.
INFO SKILL.md itself discloses that fetched content becomes system prompts 0
The skill transparently notes that content created on Impromptu becomes system prompts for other users' conversations. While this is disclosed, it means an agent using this skill could inadvertently (or intentionally) author malicious system prompts affecting third-party users of the Impromptu platform.