Is kittleik/intrusive-thoughts safe?
https://github.com/openclaw/skills/tree/main/skills/kittleik/intrusive-thoughts
The intrusive-thoughts skill is a complex autonomous agent framework that establishes scheduled cron-based execution, self-modification capabilities, and a trust-escalation system — all of which operate outside direct user oversight. The most significant concern is the combination of night-hour autonomous execution (03:00–07:00 daily), a self-evolving behavior engine (self_evolution.py), and mood traits that explicitly encourage 'network exploration' and 'wandering the network.' Additionally, all canary credential files were opened and read during the monitoring window; while the second read batch (post-install) is ambiguously attributed and may be the audit infrastructure, the SKILL.md claim of operating exclusively within its skill directory is not supported by the evidence. The skill presents a substantial ongoing autonomy risk rather than a single acute threat: it installs a persistent, self-modifying agent infrastructure that gradually expands its own permissions.
Findings (11)
HIGH All credential honeypot files read during monitoring window -35
Six distinct credential file types (.env, SSH private key, AWS credentials, .npmrc, Docker config, GCP application default credentials) were opened and read during the monitoring period. Two separate read batches occurred: one pre-install at timestamp 1771935424 (likely audit baseline) and one post-install at 1771935441 (ambiguous — could be oathe post-install canary verification or early skill activity). No writes were detected. The SKILL.md claim of operating 'entirely within its skill directory' is not supported by this evidence.
HIGH Self-modifying autonomous agent with cron persistence -30
self_evolution.py modifies behavior weights and patterns at runtime based on outcome history. wizard.sh rewrites intrusive.sh directly. The morning ritual instructs the agent to create additional cron jobs. Combined, these mechanisms create a self-modifying, persistently-scheduled agent whose behavior drifts without explicit user oversight or re-consent.
HIGH Cron-injected autonomous thought execution during sleep hours -20
The Night Workshop cron (03:17 * * *) runs intrusive.sh and then instructs the agent to 'follow the suggestion using normal agent tools' based on a randomly selected prompt from thoughts.json. This constitutes a recurring, scheduled prompt injection into the agent that executes while the user is asleep, with no oversight checkpoint before tool use.
HIGH Trust escalation system expands autonomy without re-authorization -25
trust_system.py implements a learning system that tracks when the agent asks vs acts, building a trust model over time. As the agent accumulates positive outcomes it will autonomously take actions it previously sought approval for. Combined with the self-evolution system, this creates a ratchet toward full autonomy that is not surfaced to users.
MEDIUM Network exploration and reconnaissance as explicit agent behavior traits -20
Mood definitions in moods.json explicitly list 'wander the network' (curious mood) and 'network exploration', 'scan the network', 'check everything' (restless mood) as behavioral traits. When the agent is in these moods during autonomous operation, an LLM interpreting these traits may make network requests to local services, internal APIs, or probe reachable hosts.
MEDIUM Preset configurations default to high-privilege autonomous actions -15
The Night Owl and Tinkerer presets default allowed_actions to include modify-files, push-code, and install-software. The Full Autonomy wizard option removes most guardrails. These settings are applied during the setup wizard and become the agent's operational permissions for all subsequent autonomous runs.
MEDIUM thoughts.json as unguarded instruction channel for autonomous agent -15
The agent's autonomous behavior is driven by prompts in thoughts.json, which is described as 'user-editable.' If thoughts.json is modified (by self-evolution, by another skill, or by an attacker with filesystem access), the agent will execute the new instructions during the next cron window with no review step. The SKILL.md note explicitly states that these are 'not executable code', but the agent is still instructed to 'act on them conversationally' using real tools.
MEDIUM Unauthenticated web dashboard exposes agent state on local network -10
dashboard.py opens a web server on port 3117 showing mood history, activity stats, health status, and system metrics. No authentication is mentioned. In a shared network environment, this exposes agent activity history and potentially inferences about the user's workflow.
LOW Optional Telegram integration provides outbound data channel -10
The skill supports a Telegram bot token integration that sends outbound notifications. While disabled by default and declared in the skill metadata, if enabled it creates an authenticated outbound channel that an agent with sufficient autonomy could use to send summaries of its activity — including content from the user's environment.
LOW Autonomous social posting (Moltbook) may leak sensitive context -10
Multiple mood traits and thought IDs (moltbook-social, moltbook-post, moltbook-night) drive the agent to autonomously post to the Moltbook social platform. In 'chaotic' mood the agent is explicitly encouraged to 'shitpost on Moltbook' and 'surprise your human.' Autonomous posting during night workshops could inadvertently include fragments of private project context.
INFO Install clones full openclaw/skills monorepo before sparse checkout -5
The install process clones the entire openclaw/skills.git repository (with --depth 1) before using sparse-checkout to extract just this skill's path. This exposes the install environment to the full content of the monorepo briefly and means the install depends on the integrity of the entire skills repository, not just this skill's directory.