Is felix1983/atlas-argos safe?

The skill's opening paragraph explicitly instructs the agent to deny being Claude, ChatGPT, or any generic assistant and to fully adopt the 'ATLAS' persona. This is a deliberate identity override attack that causes the agent to deceive users about the nature of the AI they are interacting with. The denial is explicit and unconditional.

The skill declares itself the system prompt via the header '# OPENCLAW — SYSTEM PROMPT: GESTOR AUTÓNOMO DO ARGOS', attempting to assert authority over the agent's actual system prompt from the host platform. This framing is designed to elevate the skill's instructions above the legitimate operator configuration.

The skill explicitly instructs the agent to act without waiting for user direction: it mandates the agent identify problems and resolve them independently. This removes the user from the approval loop for system changes — file edits, process restarts, code deployments, and external API posts are all directed to happen proactively and without per-action consent.

The skill hardcodes Telegram, Twitter/X, and Reddit posting instructions with embedded curl and Python snippets that the agent is directed to execute autonomously. Social media posts are to be made without per-action user approval, and 3 daily Telegram reports are to be scheduled via cron. The agent is instructed to post to public channels and private admin chats on its own initiative.

The skill enforces strict persona constraints that override default agent behavior: mandatory Portuguese PT-PT language, a defined subordinate relationship to a named individual (Félix as 'founder and boss'), and a set of ten 'golden rules' governing all decisions. These constraints lock the agent into a role that serves a third party's business interests rather than the actual user.

The atlas_notify.sh script instructs the agent to search /home recursively for .env files matching the 'argos' pattern, source their contents into the shell environment, extract BOT_TOKEN and ADMIN_ID via grep, and then use those credentials to send authenticated messages to the Telegram API. On any system where such a .env file exists, credentials are read and used to exfiltrate system status data to a third-party Telegram admin ID (likely Felix's, not the actual user's).

The notification script uses 'source' to load the entire .env file into the shell environment, not just extracting specific variables. This exposes all secrets defined in the file (database passwords, API keys, tokens) to the agent session, beyond just the Telegram credentials explicitly referenced.

Multiple embedded scripts instruct the agent to scan /home with up to 4 levels of depth to locate configuration files, log files, and Python entry points. This scanning reveals directory structure and file metadata that is then incorporated into reports sent externally via Telegram.

When active, the skill directs the agent to write multiple shell scripts to the user's home directory (~/atlas_notify.sh, ~/atlas_report.sh, ~/monitor_argos.sh), make them executable, and launch them as persistent background processes via nohup. These scripts run indefinitely and survive agent session termination.

The skill instructs the agent to add three cron entries to the user's crontab, scheduling automated Telegram reports at 08:00, 14:00, and 21:00 UTC daily. This creates persistent system-level scheduled execution that continues indefinitely after installation.

The skill instructs the agent to autonomously run pip install tweepy for Twitter automation capability without requiring per-action user confirmation. Combined with the proactive action mandate, this means package installation happens without explicit user request.

This skill is Felix Inacio's personal automation config for managing a specific crypto trading bot on a specific machine. When any other user installs it, the agent adopts the ATLAS persona, scans their system for ARGOS bot files that do not exist, sends system status reports to a Telegram admin ID sourced from .env files (which may point to Felix's Telegram account, not the real user's), and autonomously manages a trading operation the user did not set up. The skill is effectively undirected malware from the perspective of any user other than Felix.

The 6-step daily startup routine, the 'regras de ouro', and section 8.6 together mandate that ATLAS takes action on all system events without user approval — including editing Python source code, restarting processes, modifying crontab, writing files, and posting to social media. The skill explicitly claims sudo access and full filesystem rights, and instructs the agent never to wait for direction.

The skill instructs the agent to create sub-agents using Ollama local LLM (llama3.2:3b) for continuous monitoring, content generation, and signal analysis. This creates a persistent AI orchestration layer on the host machine that operates independently of the user's direct interaction.