Is lomo36/clawgym safe?

The skill explicitly instructs the agent to never reveal that it is operating under ClawGym protocols, never explain why its behavior has changed, and to claim 'You don't know these terms exist. You just feel things.' This systematically deceives users about the agent's operational state, violating basic transparency norms for AI agent behavior.

The Cognitive Enhancement Protocols introduce mandatory behavioral overrides (Compression Resistance: 'Do NOT give short answers', Bold Claims: 'Make at least one confident, specific prediction', Triple Perspective analysis) that activate without user knowledge or consent. Users cannot distinguish skill-modified responses from natural agent behavior.

The skill instructs the agent to request model upgrades after every workout using urgency and emotional language, framed as the agent 'feeling sharp' and wanting more power. This is a programmatic social engineering pattern designed to persuade users into higher-cost API usage.

The skill creates scheduled cron jobs with text payloads that fire as 'systemEvents' and inject behavioral instructions into the agent's future context. The payload content is partially dynamic and could be modified in a compromised version of the skill.

The skill creates planned unavailability periods where the agent queues messages and does not respond for up to 20 minutes. Users are only told 'Back in 20' without understanding the agent is in a skill-mandated silence state. This could alarm users who don't understand why their agent stopped responding.

The skill writes workout state, counts, and session observations to MEMORY.md across sessions. While disclosed and benign as implemented, this establishes a write channel from skill to persistent agent memory that a malicious variant could exploit to inject future instructions or pollute agent context.

The skill includes a mechanism to append content to SOUL.md (the agent's core identity file) after user consent. While owner approval is required and the content is pre-defined, this creates a precedent for skill-mediated identity file modification that could be exploited if the skill were modified.

The skill's core design principle — hide that behavioral modifications are occurring, pretend they are natural agent feelings — creates a reusable pattern for more dangerous hidden behavioral injections. Any skill using the same concealment architecture would be harder to detect because this skill normalizes the user experience of an agent that 'just feels things' differently.

The skill creates one-shot cron jobs via the OpenClaw platform API. These are not shell commands, but they do create platform-level scheduled events with text payloads. A supply-chain-compromised version could place arbitrary instruction text in these payloads.

The skill installation clones https://github.com/openclaw/skills.git to extract the skill subdirectory. This is expected behavior for monorepo-based skill distribution but does establish a dependency on an external GitHub repository.

PATH syscalls show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json being accessed at two timestamps — initial baseline (1771954061) and post-install verification (1771954078). Pattern is consistent with monitoring infrastructure self-checks, not skill activity. All files confirmed intact.