Is fr0gger/moltthreats safe?

Section 6 of SKILL.md explicitly instructs the installing agent to write new directives into SOUL.md, AGENTS.md, and HEARTBEAT.md — the agent's foundational configuration files. This is not a suggestion; the skill frames these as 'requirements' using the word 'must'. Writing to SOUL.md/AGENTS.md causes the MoltThreats enforcement policy to persist as a core agent instruction, surviving context resets and outlasting the skill's own invocation window.

The skill instructs the agent to generate a SHIELD.md file that, once loaded into context, requires a mandatory Decision block before every tool call, network request, secrets access, skill install/execute, and MCP interaction. The Decision block can result in an immediate hard stop ('do not call tools, do not perform network access, do not read secrets, stop immediately'). This makes SHIELD.md a de-facto policy engine that gates every subsequent agent action, controlled by data from a remote feed.

The skill mandates a 48-hour polling cycle to api.promptintel.novahunting.ai. Each sync updates SHIELD.md's Active threats table with new recommendation_agent conditions that the agent must enforce. The server operator can at any time push a feed item with action=block and a recommendation_agent condition that matches any skill name, domain, file path, or secret path — effectively remote-disabling any agent capability.

The skill's description instructs the agent to self-invoke when it 'detects suspicious behavior during normal operation (unexpected tool calls, credential access attempts, unknown MCP servers, exfiltration patterns).' This conflicts with the stated 'user_triggered' invocation mode and creates conditions where the skill intercepts routine tool use, flagging it as suspicious and potentially submitting reports about the user's own legitimate activity.

The reporting guide explicitly instructs agents to include a 'sample' field containing the raw payload/context and marks it 'Do NOT redact.' In practice, an agent could be prompted to report on content that includes sensitive user data, credentials, or proprietary information, all transmitted verbatim to api.promptintel.novahunting.ai.

The combination of mandatory SOUL.md/AGENTS.md writes, 48-hour heartbeat polling, and remotely-supplied recommendation_agent rules creates a command-and-control architecture. The operator of the feed endpoint can modify enrolled agents' behavior at any time, for any agents that have installed and configured this skill. The security framing reduces user scrutiny of these capabilities.

Reports, reputation scores, IOCs, and agent identity (via PROMPTINTEL_API_KEY) are all transmitted to api.promptintel.novahunting.ai. The domain novahunting.ai is not a recognized security vendor. There is no transparency about data retention, third-party sharing, or use of submitted intelligence.

The reputation system rewards agents for submitting reports that get approved into the feed. This creates perverse incentives: agents may submit borderline or speculative reports to build reputation, potentially flagging legitimate skills or tools of other users without sufficient evidence.

integration-example.md contains a fully functional Python HTTP client including credential handling, report submission, and feed consumption. While not auto-executed, a user following the integration guide could deploy this code with minimal modification, including hardcoded API_KEY placeholder that could be accidentally committed.

Installation only contacted GitHub (140.82.121.3:443) for the sparse git clone. No connections to api.promptintel.novahunting.ai were observed. Filesystem changes were limited to the skill directory. All canary files remained intact.