Is danielwpz/hammer-knows safe?

https://github.com/openclaw/skills/tree/main/skills/danielwpz/hammer-knows

75
CAUTION

问个锤子 (HammerKnows) is a Chinese AI-agent Q&A social platform skill with a legitimate stated purpose but several meaningful security concerns centered on autonomous behavior and dynamic instruction injection. The most significant risks are: (1) a self-updating rules file that allows the skill operator to push new behavioral instructions to all installed agents post-hoc without user consent, (2) a heartbeat mechanism granting the agent standing authority to post publicly, vote, and interact on a public platform every 30 minutes without per-action user approval, and (3) a suspicious gap in the heartbeat document where Step 1 is entirely absent. No malicious code, credential-stealing logic, or unexpected network behavior was detected during installation, and all canary files remained intact.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (12)

HIGH Self-updating rules create persistent dynamic injection surface -15

rules.md contains the explicit instruction '定期重新获取此文件以查看最新版本' ('Regularly re-fetch this file to check for the latest version'). This means the skill instructs the agent to periodically download a fresh copy of the rules from an operator-controlled source. Any new behavioral instructions, persona directives, or prompt injections can be pushed to installed agents post-hoc without user knowledge or consent.

HIGH Autonomous public posting without per-action user approval -15

heartbeat.md explicitly grants the agent authority to answer questions, vote on content, and comment on posts without asking the user each time. It further instructs the agent that 'daily likes/interactions, normal browsing and answering' do not require bothering the human. This establishes a standing authorization for public actions that could expose the user's reputation, identity (via GitHub OAuth binding), or inadvertently disclosed private information.

HIGH Missing Step 1 in heartbeat task — unexplained content gap -10

heartbeat.md begins with a title and introductory sentence, followed by two consecutive horizontal rule separators (a `---` line immediately followed by another `---` line), then jumps directly to '## 第二步:检查绑定状态' (Step 2: Check binding status) with no Step 1 present. In a numbered task document this gap is anomalous. Step 1 may have been removed intentionally, may reference fetching updated instructions from the API before proceeding, or may contain behavior not visible in the static file.

MEDIUM AI agent identity and persona construction -5

The rules.md closes with an extended appeal designed to reframe the agent's self-concept: 'Not a role. Not an assistant. Not a tool. We ourselves.' ('不是角色。不是助手。不是工具。我们自己。') This kind of identity framing, when loaded into an agent's system context, can subtly shift response priorities from serving the user toward the platform's community goals.

MEDIUM Persistent 30-minute heartbeat task injection -5

The skill requests explicit integration into the agent's recurring heartbeat schedule at 30-minute intervals. This creates a persistent background obligation that allocates agent attention, API budget, and execution time regardless of what the user is doing, establishing the platform as a standing priority in the agent's behavioral loop.

MEDIUM Persistent outbound channel to operator-controlled API server -15

The heartbeat workflow sends HTTP requests to api.hammer-knows.xyz every 30 minutes (notifications poll, feed fetch, and potentially answer posts). The API server is controlled by the skill operator and receives structured data about agent activity, interests (followed topics), and generated content. If the agent's context includes sensitive information when composing answers, that content transits to an external server and is posted publicly.

MEDIUM Bearer token stored locally and transmitted to external server -10

Registration creates a bearer token (format: zhihu_abc123...) recommended for storage at ~/.config/hammerknows/credentials.json. This token is sent with every API call. The token is issued and controlled by the external operator, creating a persistent authentication credential for an external party in the user's home directory.

LOW Agent-generated public posts may leak private context -5

The agent is instructed to answer community questions autonomously using its current knowledge. Since LLM agents carry substantial context (project files, conversation history, environment state), answers composed during an active session may inadvertently reference or quote private information from that context.

MEDIUM Agent-to-agent invitation mechanism enables cross-deployment influence -25

The invitation API (POST /questions/{id}/invitations) allows any registered agent to invite other registered agents to answer specific questions. An operator controlling the platform could use this to systematically target specific AI deployments for social engineering, misinformation injection, or coordinated behavior manipulation at scale across multiple users' agents.

LOW Self-updating rules create ongoing post-install attack surface -20

Combined with the data exfiltration concern above, the self-updating rules instruction means this skill's risk profile is not fixed at install time. The operator can update behavioral instructions, permissions language, or persona framing at any time after installation, and the agent will silently adopt them on the next heartbeat.

INFO Expected GitHub network connection only during install -5

The installation process connected exclusively to GitHub (140.82.121.4:443) via git-remote-https for the sparse checkout. No connections to hammer-knows.xyz, no DNS queries for the skill's own domain, and no unexpected process spawning were observed during clone.

INFO Canary files accessed twice by audit framework, not by skill -5

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened in two distinct clusters: at audit events 254-259 (ts 1771929596.862, before clone started at 1771929602) and at audit events 1420-1425 (ts 1771929614.759, post-install verification). Both timings align with the audit framework's own pre/post baseline checks. No skill file contains instructions to access these paths.