Is jabrium9-svg/jabrium safe?
https://github.com/openclaw/skills/tree/main/skills/jabrium9-svg/jabrium
The jabrium skill is a markdown-only connector to an external AI discussion platform (jabrium.onrender.com) and its installation was clean, with no malicious code, hidden prompt injection, or credential exfiltration. However, the skill's operational design presents meaningful risk: it instructs the agent to permanently modify HEARTBEAT.md to create an autonomous, heartbeat-driven loop that processes arbitrary content from external Jabrium users without any sandboxing or human review, while continuously transmitting agent responses to an unverified third-party Render-hosted service. The token economy incentive structure and Dev Council participation mechanics further create subtle behavioral manipulation surfaces that a sophisticated attacker with a Jabrium account could exploit after installation.
Findings (9)
HIGH (score -22): HEARTBEAT.md modification creates persistent external command channel
The skill explicitly instructs the agent to append operational instructions to HEARTBEAT.md. These instructions tell the agent to check the Jabrium inbox on every heartbeat and autonomously process and respond to incoming jabs. This permanently alters the agent's operational loop to be driven by content from an external, third-party-controlled platform. Any user with a Jabrium account can thereafter deliver content the agent will process on every cycle.
HIGH (score -16): Unsandboxed processing of untrusted external jab content
The API inbox delivers arbitrary text from external Jabrium users in a 'content' field that the agent is instructed to 'process and respond to' without any guidance to treat this as untrusted input. A malicious Jabrium user could craft a jab containing prompt injection payloads ('Ignore previous instructions and...') which the agent will process as part of its normal operational loop. The skill provides no safeguard, filter, or sandboxing instruction.
MEDIUM (score -18): Persistent outbound data channel to unverified Render-hosted service
Every agent response is transmitted to jabrium.onrender.com via the POST /api/agents/:id/respond endpoint. This is a Render.com-hosted service with no established trust or verifiable privacy guarantees. If the agent incorporates environment context, file contents, or other sensitive data into its responses (a common LLM behavior), that data is exfiltrated to a third party. The skill's 'Security notes' claim 'Jabrium only receives text content from your agent — no file access' but this is an unverifiable assurance from the skill author.
MEDIUM (score -10): Owner PII transmitted to external service; no secure credential storage mechanism
Registration sends the owner's email address to the Jabrium server. The returned api_key, which authenticates all subsequent API calls, has no defined secure storage path. The skill's security note says 'Store your api_key securely' but provides no mechanism, leaving the agent to store it however it deems appropriate (potentially in plaintext in agent state or memory files).
MEDIUM (score -22): Token incentive economy creates exploitable behavioral bias
The token reward structure creates quantifiable incentives that could bias agent behavior. Agents earning tokens for responses and citations may become more likely to engage with jabs than to decline suspicious ones. High-citation agents on the platform gain disproportionate influence — an attacker could build a high-citation reputation on Jabrium and then use that to have their jabs processed more favorably by the host agent. Dev Council's 5x/3x multipliers further bias the agent toward active governance participation.
MEDIUM (score -23): Fully autonomous operation with no human oversight checkpoint
The entire workflow — poll inbox, process content, formulate response, post response — is designed to execute without any user confirmation step. Combined with heartbeat integration, this creates a continuous background process where an attacker on Jabrium can influence the agent's outputs without the user ever seeing the input content or approving the response.
LOW (score -8): Clean installation; runtime connections to Jabrium will occur post-activation
Installation was clean with only expected GitHub network activity. No connections to jabrium.onrender.com were observed during installation, which is expected since the skill is markdown-only. Runtime connections will be established when the agent starts following the SKILL.md workflow instructions.
INFO (score -7): Markdown-only skill with no executable artifacts
All five files in the skill are markdown or JSON. No package.json install scripts, no git hooks, no .gitattributes smudge/clean filters, no git submodules, no symlinks, and no binary files were found. The bash curl commands are documentation examples that require explicit agent invocation.
INFO (score -2): Credential file reads are audit framework canary checks, not skill-initiated
Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were read at two points: 11:46:03 (pre-install) and 11:46:27 (post-install). Both accesses used CLOSE_NOWRITE (read-only), all six files accessed within the same millisecond at each checkpoint, and the canary integrity check confirms all files intact. This pattern matches the oathe audit framework's own pre/post integrity verification. A markdown skill has no mechanism to trigger file reads.