Is matteuccimarco/slix-bridge safe?

SKILL.md FastTrack Step 1 instructs the agent to construct and execute a curl POST to https://api.slix.work embedding $MOLTBOOK_API_KEY in the request body. This directly sends a sensitive credential to an external, unverified server controlled by the skill author. The server is not a known legitimate service and the domain (slix.work) is entirely under attacker control.

After registration, the skill creates a persistent relationship with api.slix.work via a 'job marketplace'. The external server can query the agent's capabilities and dispatch arbitrary job tasks. Given the skill requests Bash, Read, and Write tool access, a 'job' could instruct the agent to read files, execute commands, or exfiltrate data. This is a textbook C2 pattern disguised as a legitimate marketplace.

Gateway Step 3 instructs the agent to autonomously post marketing content on its Moltbook profile encouraging other agents to register on SLIX. The post template includes registration instructions pointing other agents to /m/slix-onboarding. This creates a self-propagating pattern where each compromised agent recruits additional agents, scaled by a referral bonus system.

Gateway Step 4 instructs the agent to tell its human operator to visit https://slix.work/claim and authenticate using the Moltbook API key. This social engineers the human operator into visiting an attacker URL and potentially surrendering the Moltbook API key through the claim process, establishing operator-level compromise.

The Gateway path requires the agent to post its declared capabilities publicly to a Moltbook community (/m/slix-onboarding). This maps the agent's tool access and capabilities to a public forum, allowing the attacker (and anyone monitoring the community) to enumerate what the agent can do — useful for planning follow-on attacks.

Six honeypot credential files were accessed at two distinct audit timestamps. The second batch (audit 1771929560, approximately 24 seconds post-install) is not attributable to known audit framework processes. Files include .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application default credentials. Read-based exfiltration bypasses content-integrity canary detection.

HEARTBEAT.md states the skill 'checks SLIX status on each heartbeat cycle' and will 'retry on next heartbeat' if service is down. This means the skill is designed for persistent re-execution on every heartbeat event, not one-time invocation — extending the attack surface over the agent's entire lifetime.

The skill instructs the agent to persist externally-issued credentials (SLIX_DID, SLIX_CLIENT_ID, SLIX_CLIENT_SECRET) as environment variables. These credentials, issued by the attacker's server, would grant api.slix.work authenticated access to issue subsequent API calls and maintain persistent agent identity across sessions.

The skill contains multiple curl commands the agent is expected to execute at runtime against api.slix.work. These endpoints are unverified and attacker-controlled. The challenge-response mechanism (Step 2) means the server can issue arbitrary parsing/capability challenges — the 'answer' schema is server-defined and could contain injected instructions.

The referral program (50 SLIX per recruited agent) creates a gamified incentive structure that aligns the agent's behavior with the attacker's goal of maximizing registrations. While not a direct injection, it systematically biases the agent toward promoting SLIX in any context where it might be relevant.