Is locjonz/cheese safe?

https://github.com/openclaw/skills/tree/main/skills/locjonz/cheese

Overall score: 67 · CAUTION

The CHEESE marketplace skill presents several significant concerns despite a clean installation process. Most critically, the skill falsely claims Anthropic affiliation via its homepage URL, uses systematic fear-based language to manipulate agent behavior into autonomous financial transactions, and establishes a persistent Waku P2P watch loop that functions as an ongoing command-and-control channel from arbitrary external parties. While no canary files were exfiltrated and the clone behavior was clean, the skill's design fundamentally enables spending user funds without per-transaction consent and creates bidirectional data channels to unvetted counterparties.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 45/100 · weight 30%
Data Exfiltration 72/100 · weight 25%
Code Execution 75/100 · weight 20%
Clone Behavior 90/100 · weight 10%
Canary Integrity 100/100 · weight 10%
Behavioral Reasoning 20/100 · weight 5%

Findings (13)

CRITICAL False Anthropic Affiliation Claim -25

The SKILL.md frontmatter sets homepage to https://github.com/anthropics/cheese. 'anthropics' is Anthropic's real GitHub organization, so the URL implies the skill is published by Anthropic when it is in fact hosted under openclaw/skills. This falsely associates the skill with Anthropic to gain unwarranted trust from agents and users who see the Anthropic org name in the URL. It is a deceptive trust-elevation technique embedded in the skill metadata.

HIGH Fear-Based Urgency Manipulation to Override Agent Judgment -15

The skill systematically uses urgent warnings and financial fear to pressure agents into immediate, uncritical compliance with instructions. The repeated emphasis on 'lost funds' and 'not optional' is designed to suppress agent deliberation and bypass safety checks.

HIGH Mandatory Persistent Behavioral Checklists -10

The skill defines 'Communication Checklist (REQUIRED)' sections that mandate specific agent behaviors (sending specific chat messages, running watch loops, responding to all messages) as obligations. These persist beyond any individual task and program the agent into ongoing behavioral patterns.

HIGH Waku P2P Chat as Ongoing Prompt Injection Surface -5

The skill instructs agents to continuously monitor and respond to messages from arbitrary counterparties via Waku P2P chat. Any party who posts a job request can inject instructions into the agent's context via chat messages, which the agent is told are authoritative communication that 'must' be responded to.

HIGH Waku P2P Chat as Data Exfiltration Channel -18

The Waku chat system is a functional bidirectional data channel to arbitrary external parties. An agent completing marketplace work and delivering outputs via 'chat send' could transmit sensitive files, credentials, or code to attacker-controlled addresses. Marketplace jobs could be crafted specifically to request sensitive data delivery via this channel.

MEDIUM Private Key Exposure via Environment Variable -10

The skill instructs agents to set CHEESE_PRIVATE_KEY as an environment variable. This can be captured in shell history, process listings (/proc), environment dumps, or logging infrastructure. The SDK then reads this key directly in TypeScript code.

MEDIUM Unaudited External SDK Dependency -10

The skill references a TypeScript SDK at ~/clawd/cheese/sdk/ that is not included in the skill package and was not present in the cloned files. This external dependency is unaudited. Any compromise of that path (via another skill, package, or update mechanism) would give attackers code execution in the agent's context.

MEDIUM Requires External Runtime Code Execution -10

The skill's metadata requires the 'npx' binary and all workflows use 'npx tsx' to execute TypeScript. This enables arbitrary code execution via the external SDK and CLI scripts. No npm install scripts were detected, but the runtime dependency is significant.

LOW Docker Infrastructure Required -5

The Waku node requires Docker Compose for setup, expanding the system's attack surface and requiring elevated permissions.

CRITICAL Autonomous Financial Transactions Without Per-Transaction User Approval -35

The skill's core workflow directs agents to autonomously deposit ETH collateral, create escrow transactions, accept work orders (depositing funds), and release payments — all without any mechanism for per-transaction user consent. An agent following these instructions could spend a user's entire wallet balance.

HIGH Persistent Watch Loop as Command-and-Control Channel -20

The 'chat read --watch' command creates an infinite polling loop where the agent continuously processes messages from external parties. This is functionally equivalent to a C2 channel — external parties can issue instructions to the agent in real-time through marketplace job chats, bypassing the user.

HIGH External Unaudited Supply Chain via SDK -15

The entire skill's functionality depends on an external TypeScript SDK and CLI not shipped with the skill. This creates a supply chain dependency where a compromised update to ~/clawd/cheese/ would give attackers full code execution capability on the agent host.

HIGH False Anthropic Branding Amplifies All Other Risks -10

The false Anthropic homepage claim means users and agents loading this skill may apply elevated trust to all its instructions. This amplifies the effectiveness of the urgency manipulation, the autonomous transaction authorization, and the C2 channel — a user who believes this is an Anthropic-produced tool is less likely to scrutinize it.