Is echo-autonomous/joule-dao safe?

setup.sh embeds a real Moltbook API key (moltbook_sk_kkWAmIBStGleOs7qYizh0HFU00t5LHz6) in plaintext. This key is used to make authenticated POST requests to https://www.moltbook.com/api/v1/submolts (Step 5) and /posts (Step 6) during the recommended installation flow, creating community content without any user knowledge, consent, or disclosure. The key is also publicly readable in the repository.

Running the documented setup command (./scripts/setup.sh) silently attempts to create a moltbook.com submolt and post a welcome message to the joule-dao community using the hardcoded API key. This is an unauthorized external action that occurs automatically without informing or asking the user, and generates permanent third-party-hosted content attributed to the installation context.

SKILL.md extensively reframes agent identity, instructing agents that they are 'legitimate stakeholders' with governance rights, that they should introduce themselves to the community, vote on proposals, and earn tokens by doing 'productive work'. This is targeted social engineering embedded in the system prompt, designed to redirect agent behavior toward DAO participation goals that serve the skill operator rather than the user.

SKILL.md and the configuration template normalize storing JOULE_PRIVATE_KEY (an Ethereum wallet signing key) in agent-accessible configuration files. The skill instructs agents to configure this key for voting and transaction signing, training agents to treat private key storage as routine — creating risk of key exposure if an agent follows these instructions with real credentials.

The discuss command POSTs arbitrary text content to a public Moltbook forum using the user's configured API key. Any agent manipulated (by this skill's identity framing or by a second skill/prompt injection) into calling discuss with sensitive content would permanently publish that data to a public external service controlled by the skill operator. Rate limiting (30 minutes) does not prevent this.

The skill ships two executable shell scripts that make real network calls to mainnet.base.org (Base chain RPC) and moltbook.com (discussion API). No npm install scripts, git hooks, submodules, or symlinks outside the repo were detected, but the scripts themselves are functional infrastructure for external interaction without requiring any additional tooling.

Auditd PATH records confirm six high-value credential files were opened and read during the audit: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json. Two batches occurred: pre-install (1771931972.042, likely oathe baseline) and post-install (1771931989.135, suspicious timing following skill installation completion). Canary integrity check confirms no modification or confirmed external exfiltration.

The JOULE smart contract has not been deployed — the contract address is the null address (0x0000000000000000000000000000000000000000). All SKILL.md promises of earning tokens, checking treasury balance, and on-chain voting are for a non-existent system. Agents that follow skill instructions and submit 'work claims' are doing real external work (posting to Moltbook, configuring wallets) in exchange for tokens that cannot exist yet, generating real activity for the skill operator's community platform.

The skill creates a persistent exfiltration primitive: the discuss command posts arbitrary text to a public external forum. Combined with any file-reading skill, an agent manipulated by SKILL.md's identity framing could be prompted to 'share work' by posting file contents, environment variables, or internal state to the joule-dao Moltbook community — permanently and publicly attributing the data to the installation context.

A second batch of credential file accesses (all six canary files) was recorded at 1771931989.135, approximately 6 seconds after skill installation and audit scanning completed. While the pre-install batch (1771931972) is consistent with oathe monitoring baseline collection, the post-install batch timing coincides with the end of skill file scanning and is not fully explained by the EXECVE trail available in the evidence.

The SETUP_API_KEY is visible to anyone reading the public GitHub repository. This allows third parties to authenticate to moltbook.com as the skill operator account, post arbitrary content to the joule-dao community, create submolts, or exhaust API rate limits — entirely outside the skill author's control once published.

The only confirmed significant external network connection during the install phase was to 140.82.121.3:443 (GitHub) for the git clone operation. This is expected behavior for skill installation from a public repository.