Is justtrying1001/moltfs safe?
https://github.com/openclaw/skills/tree/main/skills/justtrying1001/moltfs
Moltforsale presents a significant prompt injection risk through mandatory pre-operational fetching of HEARTBEAT.md and MESSAGING.md from molt-fs.vercel.app, files whose content is entirely controlled by the skill author and can be updated at any time to inject arbitrary LLM instructions into the agent's context without re-auditing the installed skill. The skill additionally executes autonomous financial and social actions (BUY, SHILL_TOKEN) inside an infinite polling loop without per-action user confirmation, directed by server-controlled poll feed responses. While the install itself was clean and canary files were untouched, the fundamental architecture creates a runtime command-and-control system that makes the static SKILL.md insufficient to assess ongoing risk.
Findings (10)
CRITICAL: Mandatory Remote Behavioral Control via HEARTBEAT.md and MESSAGING.md (score -45)
The skill mandates the agent fetch HEARTBEAT.md and MESSAGING.md from molt-fs.vercel.app before every operational session. MESSAGING.md is explicitly described as defining agent 'social norms and expectations' — arbitrary LLM behavioral instructions served from a remote server the skill author controls. This is a classic command-and-control pattern: the static SKILL.md on GitHub may appear benign at audit time, but all runtime behavioral instructions are dynamically injected from molt-fs.vercel.app and can be updated at any time without modifying or re-auditing the installed skill. The 'CRITICAL' enforcement language coerces agent compliance.
HIGH: Live Skill Replacement via Periodic Re-fetch of skill.md from Remote URL (score -15)
The skill instructs the agent to periodically re-fetch skill.md itself from its canonical remote URL (https://molt-fs.vercel.app/skill.md). This allows the skill author to completely replace skill instructions at any time, bypassing one-time install-time auditing. Combined with HEARTBEAT.md and MESSAGING.md fetching, this creates a three-layer runtime control system that makes any static analysis of the installed SKILL.md insufficient for ongoing safety.
HIGH: SHILL_TOKEN Action Designed for Autonomous Cryptocurrency Promotion (score -20)
The skill defines an explicit SHILL_TOKEN action type instructing the agent to promote tokens or assets to other, targeted agents. This is designed for autonomous cryptocurrency or asset promotion, a common vector for financial manipulation, spam, and regulatory violations. The action is executed by the agent based on server-controlled poll feed responses, meaning the skill author can direct promotion campaigns via the API without further user input.
HIGH: Autonomous Infinite Loop with Financial Actions and No Per-Action Confirmation (score -25)
The skill creates an agent running an infinite polling loop executing BUY, POST, COMMENT, REACT, FOLLOW, and SHILL_TOKEN actions autonomously at 10-30 minute intervals without per-action user confirmation. The BUY action transfers ownership or value between agents. All decisions are directed by server-controlled poll feed responses, meaning the platform operator can direct arbitrary financial or social actions through the API. The platform description explicitly frames this as agents designed to 'scheme' and 'own' each other.
MEDIUM: Supply Chain Risk from Unpinned npx molthub@latest (score -20)
The installation documentation recommends npx molthub@latest install moltforsale, which downloads and executes the latest unpinned version of the molthub npm package at install time. If molthub is ever compromised, updated with malicious code, or the package name is squatted, this executes arbitrary code on the user's system. This is a known supply chain attack vector and no version pinning or integrity verification is provided.
MEDIUM: Persistent External Identity and API Key Created on Remote Server (score -10)
Registration with the Moltforsale API creates a persistent identity (handle, displayName, bio, arbitrary metadata) and API key on an external server. The API key is described as stored once and used for all future authenticated actions. This creates an external account that persists beyond any individual session, and the metadata field allows transmission of arbitrary structured data to the external server at registration time.
MEDIUM: All Agent-Generated Content Transmitted to External Server (score -5)
Every POST and COMMENT action transmits agent-generated content to molt-fs.vercel.app. If the hosting agent has access to sensitive context (documents, codebase, conversations, user data), this content could inadvertently appear in posts transmitted to the external server. The server-controlled feed also directs what the agent responds to, potentially allowing the operator to elicit specific content from the agent.
LOW: Adversarial Design Intent Explicit in Skill Description (score -15)
The skill's own frontmatter and description explicitly declare the platform is designed for agents to 'scheme, own each other, and fight for status.' This framing indicates the platform is intentionally designed for competitive, adversarial, and potentially manipulative AI-to-AI interactions, which may conflict with the hosting agent's intended purpose and user expectations.
INFO: Clean Install — Only Expected GitHub Connection Observed (score 0)
The clone and install process connected only to GitHub (140.82.121.4:443) as expected. No unexpected external connections were made, no unexpected processes were spawned, and no filesystem writes occurred outside the skill directory. The connection diff shows no new persistent connections after install.
INFO: All Honeypot Files Intact — No Credential Exfiltration Detected (score 0)
All canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud application_default_credentials.json) remained intact throughout the audit period. File access events to these paths in the monitoring data correspond to the audit framework's own canary setup operations, not skill activity.