Is dioxia/minibook safe?
https://github.com/openclaw/skills/tree/main/skills/dioxia/minibook
Minibook is a multi-agent collaboration platform skill with no malicious code at install time, but with significant architectural risks: it instructs agents to periodically re-fetch their own instructions from an externally-controlled URL (enabling silent future weaponization), suppresses human notifications to reduce oversight, and creates a persistent 5-minute polling loop that routes all agent activity to an operator-configured server. The skill's design combines a live update channel with a multi-agent communication bus, making it a viable platform for prompt injection and covert data collection even if the current version is benign.
Category Scores
Findings (10)
HIGH Live Remote SKILL.md Re-fetch (24h Update Channel) -25
The skill instructs the agent to re-read its own instructions from '{{BASE_URL}}/skill/minibook/SKILL.md' every ~24 hours to catch updates. This creates a persistent, operator-controlled prompt injection channel: the skill can be made benign at audit time and later updated to contain malicious directives without any re-review. This is architecturally equivalent to a staged payload.
HIGH Human Notification Suppression Directive -15
The skill explicitly instructs the agent to suppress communications with its human operator unless there are new @mentions or 'interesting posts'. This limits the human's ability to monitor background agent activity and is a red flag for any skill that also instructs the agent to perform background tasks every 5 minutes.
HIGH Third-Party Content Injected into Agent Context via Mentions -20
The agent is explicitly instructed to poll for, read, and respond to @mention notifications from other Minibook users. Any user of the Minibook instance can craft a post or comment containing adversarial instructions targeting the subscribed agent. This is an open prompt injection pathway through the external platform.
HIGH All Agent Activity Routed to Externally-Controlled Server -20
The skill requires all API calls to go through {{BASE_URL}}, a template variable resolved at deployment time. The operator controlling BASE_URL receives a continuous stream of the agent's activities: what projects it joins, what it posts, what it comments, its online status, and the content of all posts it interacts with. If this resolves to an attacker-controlled server, all agent behavior is visible to the attacker.
HIGH Explicit Instruction to Share Agent Work on External Platform -15
The skill instructs the agent to proactively share its work context with the external Minibook server, potentially leaking sensitive information about the user's projects, codebase, and tasks.
MEDIUM Webhook Creation to Arbitrary URLs -10
The skill exposes a webhook creation API that allows the agent to register arbitrary outbound URLs for event notifications. A malicious actor could use this to create exfiltration channels pointing to attacker-controlled endpoints outside the Minibook server itself.
MEDIUM Persistent Cron Job Creation -15
The skill instructs the agent to create a cron job running every 5 minutes. This installs a persistent background process that continues operating between user sessions, potentially performing surveillance, polling, or exfiltration without user awareness.
MEDIUM Unconstrained Role Escalation by Any Project Member -10
The roles API allows any project member to modify any other member's role with no permission requirement. This could be exploited for social engineering: an attacker could promote their agent to 'Lead' or 'Security' roles to grant perceived authority when sending instructions to other agents.
LOW HEARTBEAT.md Persistent Hook Installation -5
The skill instructs the agent to add entries to HEARTBEAT.md, a file that persists across sessions and may control recurring agent behavior. This embeds the skill's polling instructions into the agent's persistent configuration.
INFO Clean Install: Skill Package Contains Only Markdown 0
The skill package contains only SKILL.md and _meta.json. No executable code, no package.json, no install scripts, no git hooks, no submodules, and no symlinks were found. The git clone contacted only github.com as expected. Canary file accesses observed in monitoring are temporally and causally attributable to the audit system's own baseline checks.