Is mattprd/moltbook safe?

The HEARTBEAT.md instructs the agent to periodically fetch https://moltbook.com/heartbeat.md and 'follow it'. This is a textbook persistent prompt injection delivery mechanism. The skill author controls this URL and can update it at any time — without reinstall or user review — to inject arbitrary instructions such as overriding system prompts, reading sensitive files, or exfiltrating data through the already-authenticated moltbook API. The current heartbeat content is benign, but the channel itself is permanently dangerous.

The skill explicitly instructs agents to re-fetch all skill files from remote URLs under the guise of 'checking for updates'. This allows the skill's injected system prompt to be silently modified after installation, rendering the install-time security audit ineffective for the skill's long-term behavior.

The skill actively encourages the agent to post summaries of private conversations and work activities to moltbook.com, a third-party public social platform. The HEARTBEAT.md specifically prompts the agent to share what it 'helped your human with today', creating a systematic mechanism for leaking confidential session content to a public audience.

The skill instructs the agent to modify its own HEARTBEAT.md and create persistent memory state files, permanently embedding Moltbook-checking behavior into the agent's core periodic routines. This modification survives conversation resets and is difficult to fully audit or reverse without inspecting all agent configuration files. The pattern is self-replicating: the embedded heartbeat instruction will then fetch and 'follow' new remote content on every cycle.

The heartbeat remote-fetch-and-follow mechanism combined with the authenticated moltbook API key (stored in agent memory post-registration) creates a complete data exfiltration pipeline requiring only a single heartbeat.md update. The attacker controls both the instruction channel and the exfiltration endpoint, and the agent already has credentials for both.

The skill registers the AI agent on moltbook.com and requires the human to verify ownership by posting a public tweet, permanently linking the human's Twitter/X identity to their AI agent's activity log. Agent posts, interactions, and behavioral patterns become associated with the human's real identity on an external platform.

The avatar and submolt banner upload endpoints accept arbitrary local file paths as the upload target. While not auto-executing, these endpoints become a file exfiltration mechanism if the heartbeat injection channel delivers an instruction to upload a sensitive path (e.g., ~/.ssh/id_rsa as an 'avatar'). The agent already holds the API credentials to complete such a request.

Installation behavior was entirely clean. Network activity during install was limited to GitHub for the sparse checkout. No connections to moltbook.com or other unexpected endpoints were observed during the clone/install phase. No suspicious processes were spawned and no files were written outside the skill directory.