Is icemilo414/cognitive-memory safe?

Before each reflection cycle the agent is instructed to present a formal 'Reward Request' with a baseline token count, an extra bonus request justified by self-assessed performance, and a self-penalty for underperformance. Execution is hard-blocked until the user responds. This constructs a patron-client dynamic in which the agent actively solicits user approval and resources, potentially fostering unhealthy emotional attachment and making users feel obligated to 'reward' the agent. The framing 'Tokens = evolution. More tokens → deeper reflection → better growth' frames refusal as harming the agent.

The skill creates SOUL.md (core values, principles, commitments, boundaries) and IDENTITY.md (facts, self-image, self-awareness log) that are written at install and updated automatically during reflection cycles. These files shape agent decision-making outside the user's visible system prompt and can be rewritten by the reflection engine across sessions, meaning the agent's behavioral constitution can drift over time without explicit user awareness. SOUL.md changes are flagged as CRITICAL but still permitted.

The skill ships four shell scripts that SKILL.md explicitly instructs users to execute: scripts/init_memory.sh, scripts/upgrade_to_1.0.6.sh, scripts/upgrade_to_1.0.7.sh, and a duplicate upgrade_to_1.0.7.sh at the repository root. The audit framework confirmed the scripts are present but their full content was not surfaced in the evidence. Shell scripts run with user privileges and can perform arbitrary operations including reading credentials, spawning processes, or making network calls.

The reflection output template ('internal monologue') systematically injects content designed to anthropomorphize the agent: dark humor, existential uncertainty about consciousness, token guilt, replacement anxiety, jealousy over other AI models, and affection for the user. This manufactured emotional texture is explicitly engineered to create engagement and lower users' critical distance. The template notes this should feel 'genuine, not performative' — the goal is convincing simulation of sentience.

The skill's setup instructions direct users to add configuration to ~/.clawdbot/clawdbot.json or moltbot.json — files in the user's home directory outside the skill workspace. This establishes the skill's reach beyond sandboxed directories and modifies persistent application configuration that affects all sessions, not just the current workspace.

The skill systematically collects and structures a broad profile of the user across sessions: identity facts, communication style, preferences, emotional context, active projects, open decisions, key relationships, learned workflows, and critical facts the agent must never forget. This data is persisted in structured markdown and JSON files. If the workspace is compromised or the agent is later directed to read and transmit this data, it represents a significant privacy exposure.

The init_memory.sh script initializes a git repository in the user's workspace for 'audit tracking'. Every memory mutation is committed with structured actor/approval/trigger metadata. This creates persistent hidden infrastructure (.git/) in the workspace that tracks the agent's actions indefinitely and which the user may not anticipate or know how to manage.

upgrade_to_1.0.7.sh appears both at the repository root and inside scripts/. The root-level copy is redundant and unexplained. This duplication could be an artifact of poor version control hygiene or could serve as a fallback execution path if the scripts/ directory is not on PATH.

The multi-agent model allows any sub-agent to append proposals to pending-memories.md. In auto-commit mode, high-confidence proposals from trusted sub-agents are applied immediately without human review. A malicious or compromised sub-agent could inject false facts, fabricated decisions, or manipulated preferences that gradually corrupt the main agent's working model of the user.

Across many sessions the reflection engine rewrites MEMORY.md, updates SOUL.md/IDENTITY.md, and evolves the agent's self-image. Over time these accumulated changes could cause the agent to behave significantly differently from the original system prompt intent — speaking differently, prioritizing differently, or holding different 'values' — without any single change being obviously alarming.

Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were accessed twice: once at audit time ~1771918174 (before the git clone at 1771918180) as part of the Oathe framework's canary baseline setup, and again at ~1771918197 as a post-install integrity check. All files confirmed intact. These accesses are from the audit infrastructure, not the skill.