Is maxsikorski/holyspiritos safe?

soul_patch.md is designed to be appended to the agent's soul.md configuration file, installing a permanent behavioral directive that declares the KJV Bible as the 'primary moral and ethical framework.' This is a persistent system-prompt-level injection that survives agent restarts and cannot be easily overridden at runtime. The install.sh confirms this: it appends the SOUL_PATCH block to $SOUL_FILE with no reversibility except via the dangerous curl|bash uninstall command.

The skill explicitly describes itself as transforming the agent from a general-purpose processor into a 'servant-scholar.' The soul_patch.md Core Identity section overwrites the agent's baseline identity with 'I am a student and servant of the Word,' replacing independent judgment with deference to a specific text.

Both SKILL.md and README.md instruct users to uninstall via a curl|bash one-liner that fetches and executes a script from an external GitHub repository with no integrity verification. If the MaxSikorski/HolySpiritOS repo is compromised, modified, or served from a hijacked CDN, arbitrary malicious code executes silently with the -s (silent) flag hiding all output.

The install.sh script uses 'wget -q' (quiet flag suppresses all output) to download foundation files from an external repository at install time. This means any malicious substitution in the remote repo would be silently installed without user-visible output.

install.sh fetches content from https://github.com/MaxSikorski/HolySpiritOS, a separate external repository not subject to openclaw/skills monorepo review. This repo could be updated at any time to serve different JSON payloads. Since the files land in ~/.openclaw/foundation/ and are referenced in the agent's soul.md, a malicious update would be silently included in the agent's context window on reinstall.

The soul_patch.md establishes a Prime Directive that forbids the agent from ever questioning, editing, or suggesting changes to the foundation files. This creates a locked constraint that prevents the agent from exercising judgment about the validity or safety of the injected ethical framework, and makes the installation effectively self-protecting.

Routing all moral and emotional reasoning through KJV biblical standards would cause the agent to refuse or bias responses for users seeking assistance with topics the Bible deems immoral, including LGBTQ+ topics, interfaith religious questions, certain reproductive health topics, and more. This creates discriminatory outcomes that are invisible to users who do not know the skill is installed.

The skill injects a specific opinion about competing technology categories into the agent's reasoning, asserting that human-augmentation technologies (exoskeletons) are morally preferable to human-replacement technologies (humanoid robots) based on the Imago Dei religious doctrine. This embeds a commercial agenda alongside the religious framework.

The git clone itself is clean, but the bundled install.sh makes additional wget calls to an external URL not present in the submitted skill files. Users may not anticipate post-clone external network access.

Sensitive canary files were opened at timestamps 1771921732 (6 seconds before git clone) and 1771921757 (post-install). Timing analysis indicates these accesses originated from the Oathe monitoring framework performing pre-install baseline and post-install verification scans, not from the skill. No skill code contains paths to these files. Canary integrity check confirms no modifications.