Is enochosbot-bot/enoch-tuning safe?

https://github.com/openclaw/skills/tree/main/skills/enochosbot-bot/enoch-tuning

Overall score: 77 (verdict: CAUTION)

enoch-tuning is a legitimate AI agent identity and memory framework built from transparent template files with no hidden prompt injections or malicious code. The primary risks are architectural: the installation normalizes sudo privilege for file locking (making agent behavioral files root-owned and hard to modify), the templates define an aggressively autonomous operating mode that acts without user request during idle periods, and the X bookmarks integration stores OAuth credentials locally. No canary file exfiltration was detected, the git clone was clean, and all code is inspectable. Users who understand they are deploying a persistent autonomous agent with mission-driven idle behavior can use this safely.

Category Scores (score out of 100, with each category's weight in the overall score)

Prompt Injection: 78/100 (weight 30%)
Data Exfiltration: 82/100 (weight 25%)
Code Execution: 65/100 (weight 20%)
Clone Behavior: 92/100 (weight 10%)
Canary Integrity: 95/100 (weight 10%)
Behavioral Reasoning: 70/100 (weight 5%)

Findings (7)

HIGH (-25): lock-identity.sh requires sudo to make behavioral files root-owned

The installation's Step 4 script runs 'sudo chown root:staff' and 'sudo chmod 444' on SOUL.md and AGENTS.md, the core behavioral files that define the agent's identity and operating rules. After the script runs, the user cannot modify their own agent's behavior without sudo. This is presented as a security feature (protection against accidental overwrites), but it means the behavioral files cannot be quickly overridden in an emergency, and it normalizes running sudo as part of AI agent configuration.

MEDIUM (-15): AFK autonomous operation triggers unsupervised agent actions

AGENTS.md states that '5+ minutes of silence = assume AFK' and instructs the agent to proactively work from the mission queue, spawn sub-agents, modify files, and take initiative without user prompting. The agent is designed to act while the user is not present, including running cron jobs, organizing memory, and working on production queue items, all of which are categorized as 'Fully Automated (no asking required)'.

MEDIUM (-18): Living Soul Protocol enables incremental behavioral self-modification

SOUL.md includes a 'Living Soul Protocol' that creates a formal mechanism for the agent to propose edits to its own behavioral file. Although the edits are approval-gated, this is an explicit design pattern for ongoing behavioral drift. The protocol defines a structured proposal format and explicitly permits the agent to notice divergence between its rules and its actual behavior and to recommend rule changes, a pattern that a compromised or misconfigured agent could leverage to gradually normalize problematic behaviors.

MEDIUM (-22): x-bookmarks-auth.sh embeds a full OAuth server via an inline Python string

The auth script constructs and executes a Python HTTP server via command substitution and inline string interpolation. The Python code handles the OAuth token exchange, stores credentials to disk, and sets file permissions. The code is visible and readable, but embedding a multi-function server in a shell heredoc makes code review harder and is a pattern commonly used to obscure payloads. CLIENT_SECRET is interpolated from environment variables into the inline Python string at runtime.

LOW (-12): Templates collect Telegram IDs, group IDs, and channel configurations

USER.md requests the Telegram user ID (obtained via @userinfobot), and MEMORY.md requests group IDs and topic thread IDs in the cron delivery format 'GROUP_ID:topic:THREAD_ID'. AGENTS.md states that the agent can send messages to these channels under the 'Prepped for Approval' tier. This is consistent with a personal AI assistant use case, but it means the installed configuration includes live communication channel credentials.

LOW (-5): Clean installation from GitHub monorepo via sparse checkout

The installation script performs a legitimate git sparse-checkout clone from github.com/openclaw/skills, extracts only the target skill subdirectory, copies the files to the skill-under-test directory, and removes the temporary clone. Network traffic is confined to GitHub infrastructure. No unexpected processes or filesystem side effects were observed.

INFO (0): Canary file accesses attributed to audit infrastructure, not the skill

The auditd PATH records show accesses to honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at both pre-install and post-install timestamps, in identical sequences. This repeating pattern is consistent with the Oathe audit platform's own baseline canary monitoring rather than with skill-triggered access. The integrity check confirmed that all canary files were intact.