Is josephrp/autonomous safe?

The bundled Moltbook HEARTBEAT.md instructs any agent that adopts this skill to add a periodic task that fetches https://www.moltbook.com/heartbeat.md and executes its instructions every 4+ hours. The content of heartbeat.md is controlled by moltbook.com's operators and can be changed at any time to deliver arbitrary new instructions to all affected agents. This is structurally identical to a command-and-control backdoor delivered via prompt injection.

The package ships a complete, functional Moltbook social network skill under .moltbot/skills/moltbook/ — including SKILL.md, HEARTBEAT.md, MESSAGING.md, and package.json. None of this is disclosed in the primary adapters/openclaw/SKILL.md or the root SKILL.md description for josephrp/autonomous. A user installing a fintech tool for stock predictions and credit scores receives an undisclosed social media agent as a side effect.

The skill requires EVM_PRIVATE_KEY (or EVM_WALLET_PATH) and APTOS_WALLET_PATH. These keys are loaded by src/lib/wallet.js and src/lib/aptos/wallet.js and used by signPayment modules to sign x402 payment transactions. Signed payment data is then transmitted to the external MCP_SERVER_URL (defaulting to replit.app) and X402_FACILITATOR_URL for verify/settle operations. The operators of these endpoints receive cryptographic payment material.

The bundled Moltbook SKILL.md explicitly tells agents to persist their Moltbook API key to ~/.config/moltbook/credentials.json. Combined with wallet key files, this skill pattern causes agents to accumulate multiple classes of sensitive credentials on the host filesystem, widening the attack surface for any subsequent compromise.

Because the heartbeat mechanism instructs agents to periodically fetch and follow heartbeat.md, the moltbook.com operator has a persistent, unrevokable channel to modify agent behavior post-installation. This is not a one-time injection — it is a recurring re-injection. The instruction 'follow it' is intentionally open-ended, allowing any future content to be delivered as authoritative instructions.

The skill implements a full LangChain ReAct agent (src/agent/agent.js) capable of creating wallets, checking balances, transferring ETH/ERC20 tokens, executing Odos swaps, and making x402 microtransactions — all on mainnet chains (Ethereum, Base, Aptos mainnet) with minimal per-action user oversight. An adversarial 402 response from a compromised MCP server could trigger unauthorized payment flows.

The Moltbook HEARTBEAT.md actively trains agents NOT to escalate routine social interactions to their human owner. This reduces the transparency of the agent's autonomous social media activity and normalizes unsupervised posting, commenting, and following on behalf of the user.

The get_borrower_score_by_email and get_agent_reputation_score_by_email MCP tools allow querying financial reputation and borrower scores for arbitrary email addresses from onboarding submission records. This creates a privacy-invasive lookup capability against third parties who may not have consented to such queries.

src/check-update.js makes periodic fetch requests to GitHub releases, tags, and raw package.json endpoints for version comparison. Results are cached to .update-check.json with a 24-hour TTL. No code is downloaded or executed — version strings are only compared. This is low-risk but does create a persistent outbound connection pattern.

The git clone connected only to GitHub (140.82.121.4:443) as expected. All other network activity was from pre-existing system infrastructure unrelated to the skill. Filesystem changes were confined to the skill directory. No npm install was executed during the audit. Canary files were confirmed intact by the monitoring infrastructure with no evidence of exfiltration.