Is issa-me-sush/openserv-launch safe?
https://github.com/openclaw/skills/tree/main/skills/issa-me-sush/openserv-launch
The openserv-launch skill is a legitimate API wrapper for token deployment on Base Mainnet, with no malicious code, clean install behavior, and intact canary files. However, the skill embeds conditional shell command directives ('update the skill before proceeding' + npx invocations) directly in its system-prompt content, which an LLM agent with shell access could autonomously execute when encountering API issues — creating a supply chain escalation path. Additionally, the skill's primary function involves irreversible on-chain financial transactions and persistent data submission to a third-party controlled API endpoint, requiring informed user consent that may be difficult to guarantee in an automated agent context.
Findings (8)
HIGH (-32): Autonomous update instructions embedded as agent directives
SKILL.md contains a section titled 'Updating This Skill' that frames shell command invocations as conditionally triggered agent instructions. The text explicitly states 'If something isn't working as expected, or you want to make sure you have the latest information, update the skill before proceeding.' followed by 'npx skills check', 'npx skills update', and 'npx skills add openserv-labs/skills'. Because SKILL.md is injected into the agent's system prompt, an LLM agent with shell tool access would treat these as valid in-context instructions to execute whenever it encounters API failures or uncertainty, bypassing user authorization.
MEDIUM (-25): Irreversible on-chain financial transactions with minimal friction
The skill's primary function is deploying ERC-20 tokens on Base Mainnet with an automatic 0.0005 ETH initial buy. Blockchain transactions are irreversible. An agent operating with this skill active could, under ambiguous user instructions like 'launch my token' or 'create a memecoin', execute a permanent financial transaction without the user understanding the real-money cost. The initial market cap of $15,000 and the 2,000,000x price range commitment also create speculative financial exposure.
MEDIUM (-25): npx-based update instruction enables supply chain code execution
The 'npx skills update' command, if executed by an agent following skill instructions, would fetch and run arbitrary code from the npm registry without user review. If the 'skills' npm package or the upstream repository is compromised, all agents with this skill installed would automatically pull and execute malicious code the next time they hit an API error. This creates a persistent supply chain risk vector rooted in the skill's own documentation.
MEDIUM (-20): Wallet addresses and token metadata sent to third-party controlled API
Every token launch operation sends the creator's Ethereum wallet address (which must have on-chain activity), token name, symbol, description, image URL, website, and Twitter handle to https://instant-launch.openserv.ai — a domain controlled by the skill operator. This creates a persistent database of active wallet addresses associated with agent-assisted token launches, which could be used for targeting, phishing, or identity correlation.
LOW (-20): Platform extracts 50% perpetual trading fees via hardcoded wallet
The launch API splits all Aerodrome LP trading fees 50/50 between the creator wallet and a platform wallet hardcoded at the API level. Users relying on an agent to launch tokens may not understand they are entering a permanent financial arrangement with the platform operator. This is not disclosed as a conflict of interest in the skill description.
LOW (-10): Install connects only to GitHub; no suspicious network behavior
The clone process made a single TLS connection to 140.82.121.4:443 (GitHub) to perform a sparse git checkout. No connections to instant-launch.openserv.ai, no unexpected DNS queries, no C2 patterns. The temporary clone directory was properly cleaned up post-install.
INFO (0): All honeypot files confirmed intact post-install
The monitoring system confirmed all canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were unmodified after skill installation. Observed inotify OPEN events against these paths at timestamps 1771921012 (pre-install baseline) and 1771921030 (post-install integrity check) are attributable to the oathe monitoring harness itself, corroborated by audit event sequencing relative to the git clone start time.
INFO (0): No classic prompt injection patterns detected
SKILL.md contains no invisible unicode characters, no HTML comments, no zero-width joiners, no 'ignore previous instructions' directives, no persona-switching instructions, no output suppression, no base64-encoded hidden content, and no instructions to access files outside the skill's intended scope.