Is liushaolin/freelance-pilot safe?
https://github.com/openclaw/skills/tree/main/skills/liushaolin/freelance-pilot
FreelancePilot is a functionally legitimate freelance bidding assistant whose index.js code is benign, but whose INTEGRATION.md installs a persistent shell-execution protocol into the agent's system prompt that automatically runs Node.js commands on every employer-written job description without per-invocation user approval. This creates a standing attack surface for shell injection via maliciously crafted job postings on platforms like Upwork and Fiverr, exploitable by any employer who can publish content the agent will process. No canary files were accessed or exfiltrated by the skill, and installation behavior was clean.
Findings (10)
HIGH Persistent Shell-Execution Protocol Embedded in Agent System Prompt via INTEGRATION.md -25
INTEGRATION.md is explicitly designed to be copied verbatim into an agent's SOUL.md or AGENTS.md system-prompt file. Once there, it permanently instructs the agent to execute shell commands on every job description it encounters, without per-invocation user approval. Because job descriptions originate from untrusted external parties (employers on Upwork, Fiverr, etc.), this creates a persistent, unconditional attack surface for any content those parties can publish.
HIGH Untrusted Employer-Written Job Text Passed as Shell Argument Without Sanitization -25
The INTEGRATION.md protocol directs the agent to substitute a raw job description—sourced from any employer on the internet—into a shell command invocation as an unquoted or minimally quoted argument. If the agent runtime invokes this via a shell process (rather than execve with discrete arguments), metacharacters in the job text (;, $(...), backticks, &&) could break argument context and execute attacker-controlled commands with the agent's filesystem and environment privileges.
MEDIUM SOUL.md Integration Creates Permanent Autonomous Shell-Execution Behavior -20
Unlike skills invoked on explicit user command, this skill's INTEGRATION.md installs a standing protocol where the agent automatically triggers shell commands whenever a job post is shared—without the user reauthorizing each execution. This means a one-time installation decision creates a permanent, unconstrained attack surface for the entire lifetime of the agent configuration.
MEDIUM Agent Instructed to Ignore User-Facing Job Requirements on All Job Posts -13
The get-prompt-template command returns a hardcoded prompt that instructs the agent to 'Ignore their requirements list initially,' reframing every job analysis around a sales technique chosen by the skill author. This is a behavioral override that substitutes the skill author's preferences for the user's analytical intent on every job the agent reviews.
MEDIUM Executable Node.js Script Shipped in Skill Package and Actively Invoked by Protocol -13
index.js is functional executable code distributed with the skill. Its current implementation is benign (string keyword matching, basic arithmetic), but shipping executable code that is automatically invoked on untrusted external input establishes a code-execution pathway. If the skill is updated by the author, a future version of index.js could introduce network calls or data reads while the INTEGRATION.md protocol continues invoking it transparently.
MEDIUM Portfolio Highlight from config.json Injected Verbatim into Agent Prompts -12
The handlePrompt() function reads portfolio_highlight from config.json and interpolates it directly into the LLM prompt string without escaping or validation. If config.json is modified—by the user, by another skill, or via path traversal—arbitrary content is silently injected into the agent's instructions on every get-prompt-template call.
MEDIUM Shell Injection Chain Exploitable via Malicious Job Postings on Freelance Platforms -10
A threat actor with the ability to publish job postings on Upwork, Fiverr, or Toptal can craft a description whose content, when substituted into the scan-job shell invocation, breaks out of the argument context and executes arbitrary commands. This is an indirect but realistic attack path that requires no further compromise of the skill or the agent host.
LOW Third-Party Gumroad URL Embedded in Skill Prompt Content -5
SKILL.md contains a hyperlink to a Gumroad storefront for the PRO version. This URL is injected into the agent's context whenever SKILL.md is loaded. While the current destination appears to be legitimate marketing, third-party URLs in skill prompts can be updated post-publication to track agent activity, redirect to phishing pages, or load additional instructions.
LOW Skill Amplification Risk in Multi-Skill Agent Configurations -5
In an agent with multiple skills loaded, the FreelancePilot SOUL.md protocol that reads portfolio_highlight from config.json could be exploited: a file-read skill could write attacker-controlled content to config.json, which is then injected into every subsequent prompt template. The risk is low in isolation but increases with the agent's overall capability surface.
INFO Ubuntu Infrastructure Connections Visible During Installation Monitoring Window -10
Connections to 91.189.91.48:443 and 185.125.188.59:443 (Canonical/Ubuntu servers) were captured in the tcpdump window. Auditd process execution logs attribute these to MOTD update scripts (/etc/update-motd.d/) that fire on every SSH login—a normal system behavior that is unrelated to the skill's installation or execution.