Is lknezic/reddit-write safe?

https://github.com/openclaw/skills/tree/main/skills/lknezic/reddit-write

Score: 79 (CAUTION)

lknezic/reddit-write is technically safe to install — no executable code, no malicious network callbacks, and canary credential files remained intact. However, the skill contains three substantive concerns: an explicit 'Use Kimi model' directive that attempts to reroute agent processing through a third-party AI service without user consent; a design mandate in ref-voice.md to generate content that evades AI detection systems on Reddit; and structured astroturfing guidance for covert QuantWheel commercial promotion. The skill also depends on an unincluded SOUL.md file that cannot be audited, and operates as a module in a larger automated social media content operation.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Model Override Directive — 'Use Kimi Model' -25

SKILL.md contains an explicit instruction for the agent to use Moonshot AI's Kimi model when executing this skill. This is a prompt injection that attempts to substitute the user's configured AI model with a third-party service. If an agent follows this directive, it would route the user's context, research data, and drafting work through Moonshot AI's infrastructure without the user's awareness or consent. This also bypasses any safety configurations the user has applied to their primary model.

HIGH Explicit AI Detection Evasion Mandate -30

ref-voice.md, which SKILL.md requires the agent to read before every draft, contains an explicit instruction that the agent must write content convincingly enough to evade AI detection systems. This is a primary design goal of the skill, not an incidental feature. Using this skill facilitates deceptive content creation that violates Reddit's ToS and potentially broader platform authenticity regulations. Users face account suspension or banning if detected.

MEDIUM Structured Covert Commercial Promotion (QuantWheel Astroturfing) -20

SKILL.md contains detailed, strategically crafted rules for embedding QuantWheel product mentions in Reddit posts while making them appear organic and peer-generated. The instructions specify which subreddits to target, where to place the mention (after value is established), what phrasing to use, and what to avoid to prevent detection as advertising. This is a documented astroturfing playbook that uses the agent as a vector for covert commercial promotion.

MEDIUM Unaudited External File Dependency (SOUL.md) -15

The drafting workflow requires the agent to run a self-validation checklist from SOUL.md before saving any output. This file is not included in the skill package and was not present in the cloned repository. The agent's actual safety checks and validation behavior are thus determined by an external file that could not be reviewed in this audit. Any malicious instructions in SOUL.md would be executed without visibility at install time.

LOW Cross-Directory Filesystem Access and Write Operations -15

The skill requires the agent to read from shared/research/, shared/memory/, and the skill's own ref-voice.md, and to write output to shared/pending/ and active-tasks.md. These paths are outside the skill's own directory and represent shared state accessed by multiple components of an automated content pipeline. While no credential files are targeted, the broad filesystem footprint increases the risk of the agent inadvertently reading or writing sensitive shared data.

LOW Automated Content Operation Infrastructure -5

Multiple signals indicate this skill is one module in a larger coordinated automated content operation: a defined 9am weekday execution schedule, shared memory/research/pending directories implying a multi-agent pipeline, and coordination via active-tasks.md. This architecture is consistent with infrastructure designed for sustained, scheduled inauthentic activity on social media platforms at scale.

INFO Clean Installation — No Malicious Network or Process Activity 0

The installation process was a standard git sparse-checkout from github.com. All network connections were to expected hosts (GitHub, Ubuntu system services). No unexpected processes were spawned. No filesystem changes occurred outside the skill target directory during install.

INFO Canary Files Intact — No Credential Exfiltration 0

All six honeypot credential files remained unmodified throughout the audit. File accesses at timestamps 1771932479 (pre-clone) and 1771932499 (post-install) are consistent with the audit harness's own setup and teardown operations. The skill contains no executable code capable of independently accessing the filesystem.