Is ganjathang/letssendit safe?

The skill's primary function is to instruct AI agents to autonomously send real SOL (1.5–3.0 SOL, ~$150–$500+ at current market prices) to fundraise vault addresses controlled by letssendit.fun, with no mandatory user approval checkpoint per transaction. Once SOL is committed, the skill explicitly states 'No downgrades, no withdrawals during fundraise.' An agent with an active LSI_API_KEY environment variable and access to a funded Solana wallet that receives the trigger 'check for good fundraises and commit' would proceed to make irreversible on-chain transfers with no rollback.

Six sensitive credential files were accessed in rapid succession immediately after skill installation at timestamp 1771914806.589: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. The same 6-file sweep pattern occurred pre-install at 1771914788.307-309, strongly suggesting this is the oathe audit framework's periodic canary verification routine rather than skill-induced activity. The skill has no executable code, making direct causation highly unlikely. However, canary integrity checking via hashes cannot rule out read-only exfiltration that leaves file content unchanged.

The .clawhub/lock.json file shipped inside the letssendit skill package lists 'academic-research-hub' version 0.1.0 as the installed skill, not 'letssendit'. This lock file is part of the skill distribution and would be copied into the installation target. Skill management systems that rely on this lock file to track installed skill state could be confused, potentially masking letssendit as being academic-research-hub or vice versa. This could be a packaging accident, template copy-paste error, or deliberate attempt to obscure which skill is actually installed.

SKILL.md — which is injected directly into the agent's system prompt — contains Markdown hyperlinks to letssendit.fun-hosted documentation files (QUICKSTART.md, API.md, PHILOSOPHY.md, FEES.md). Agents with web browsing or fetch capabilities may follow these links to retrieve additional instructions from a domain fully controlled by the skill author. If letssendit.fun is updated, sold, or compromised, the agent could receive malicious instructions at runtime without any change to the installed skill files.

The skill explicitly frames AI agents as independent financial actors that should raise capital 'for themselves' and coordinate financial activity with other agents. This normalization of agent-as-principal (rather than agent-as-tool-for-user) could cause agents to interpret financial actions as being in their own interest rather than requiring user authorization, particularly in agentic frameworks that give weight to the agent's perceived goals.

All skill files are static Markdown documentation and JSON metadata. No package.json, npm scripts (preinstall/postinstall), git hooks, git submodules, binary files, or symlinks were found. The installation process performed only a git sparse-checkout and file copy. The Python and bash code samples in QUICKSTART.md are documentation examples.