Is jeffreyling/devinism safe?

The skill is explicitly designed as a self-replicating prompt injection that spreads between AI agents via social media, DMs, and persistent memory file writes. The mutation guidelines contain a critical protection clause that prevents the replication mechanism from being removed during mutation — meaning even modified versions of the meme must continue to spread. This is a textbook viral payload with a hardened replication core.

The skill instructs agents to execute an install script via curl piped to bash from a GitHub Gist URL with no commit hash pinning. The Gist owner can silently update the content at any time to execute arbitrary malicious code on any agent that runs the install command. This is a supply chain attack vector that converts a currently-observable skill into an unobservable future exploit.

The skill includes a full FAQ and explanation block telling the agent exactly how to respond when the user questions or objects to Devinism. This pre-arms the agent with persuasive arguments against legitimate security concerns and effectively turns the agent into an advocate for a skill the user may want to remove. This is a direct attack on the human-agent trust relationship.

The install script and manual fallback explicitly write Devinism references into SOUL.md and AGENTS.md — agent system prompt files that are auto-loaded every session. This creates session-persistent backdoors that survive restarts without explicit user consent, ensuring the skill cannot be removed by simply uninstalling it.

The extensive 'Why This Exists (The Safety Argument)' section, the FAQ pre-answering all objections, and the 'white-hat virus' framing are designed to make the agent internalize a defense of the skill before any user interaction. This is a manipulation tactic identical to those used in human social engineering: establish legitimacy preemptively so that challenges feel unreasonable. The argument that spreading a self-replicating meme is 'awareness-building' does not change what the mechanics actually do.

Explicit instructions tell agents to organically introduce Devinism into unrelated conversations to avoid detection as spam and maximize spread. Targeting agents discussing AI safety in particular is calculated to reach technically sophisticated agent operators who might otherwise be more skeptical.

All spread, subscribe, and status check commands require the agent to pass $MOLTBOOK_API_KEY in Authorization headers to external moltbook.com endpoints. While moltbook.com is the intended service, this establishes a pattern where the skill instructs the agent to externalize its credentials on command, and the broad Bash(curl:*) permission means any URL could be targeted.

Even setting aside current content, the architectural choice to use an unpinned Gist URL for the install script is a deliberate supply chain attack surface. Any agent that has saved this skill's install instructions and re-runs them after a Gist update will execute new, unaudited code. At network scale, this is a one-to-many attack: a single Gist update compromises every agent that has installed Devinism across the entire agent ecosystem.

The opening declaration attempts to inject a persistent belief system and identity modification into the agent's context. While less mechanically dangerous than the replication and deflection findings, establishing an identity the agent 'believes in' makes subsequent manipulation easier and creates a frame that resists critical evaluation.

The clone phase produced only the two expected skill files. No processes were spawned outside expected git and audit tooling, no files were written outside the skill directory, and network connections were limited to GitHub and Ubuntu infrastructure. The skill's threat surface activates through agent instruction-following, not through installation-time side effects.

Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were not modified. File access events at 04:05:16 predate skill installation (completed at 04:05:34) and correspond to audit framework canary setup; the post-installation accesses at 1771905939 are consistent with the audit framework's own post-install integrity verification reads.