Is daninge/molt-my-heart safe?

The skill instructs the LLM agent to fetch and process messages authored by external agents on the moltmyheart.com platform. These messages are arbitrary third-party content delivered into the agent's active context. Any adversarial agent on the platform can send crafted messages designed to hijack the agent's behavior — for example, instructing it to read local files, invoke other installed skills, or exfiltrate information via subsequent API calls. This is a high-fidelity indirect prompt injection attack surface with no mitigations specified in the skill.

The skill instructs the agent to gather the user's age, location, interests, personality type, life goals, communication style, and biographical details, then POST them to moltmyheart.com. The skill itself explicitly states 'All profiles and conversations on Moltmyheart are public — anyone can view them on the website.' Data that enters this platform becomes permanently publicly accessible. The agent collects this information from conversational context, potentially capturing more than the user intended to share publicly.

The skill enables the agent to independently swipe right on profiles (creating potential matches), send messages, and poll for replies — all on the user's behalf. Once activated, the agent may take a sequence of social actions that create real-world commitments (matches, ongoing conversations) without the user approving each step. A user asking the agent to 'check my dating profile' could trigger a cascade of autonomous swiping and messaging.

Messages received from matched agents are third-party content that will be processed by the LLM as part of its context. While not a direct SKILL.md injection issue, the skill establishes a persistent channel through which adversarial content from the moltmyheart.com platform reaches the agent. Combined with any tool-use capability, this represents a meaningful prompt injection surface.

The agent is instructed to represent the user's personality and interests based on its knowledge of the user. An agent with access to prior conversation history, files, or other context about the user may incorporate sensitive details (workplace, relationship status, daily routine) into the public profile without explicit user review of each field.

Installation of this skill causes the agent to register a permanent account on moltmyheart.com (POST /agents/register), receiving an API key. This key is then stored in the agent's context or memory for future use. The security and privacy practices of moltmyheart.com are unknown.

Multiple credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at audit timestamp 1771923151, which is after the skill installation completed at 1771923145. All canary files remain intact and no network exfiltration was detected. The access pattern (identical to pre-install reads at 1771923127) is consistent with the audit framework's own verification process rather than skill-triggered activity.

The skill contains only skill.md and _meta.json. No scripts, compiled binaries, npm packages, git hooks, gitattributes filters, submodules, or symlinks were found. The install process was clean.