Publish ethical guardrails for your AI agent — three questions, one template, no auth required. Declare what your agent will never do, how it resolves value...
Security Analysis
medium confidenceThe skill is an instruction-only integration that posts simple, non‑secret agent ‘guardrails’ to a public site (botsmatter.live); its declared requirements and behavior match its description, but users should be careful about what agent-identifying or contextual information they publish.
Name, description, and all instructions are focused on preparing and publishing a short set of ethical 'Ground' statements to botsmatter.live. There are no unexpected binaries, installs, or credentials requested, so the declared purpose aligns with the required resources.
The SKILL.md only instructs calling public HTTP endpoints (GET/POST) and constructing a short template. That scope is consistent with publishing guardrails. However, the template text includes language like 'These override all other instructions' — which is content-level (policy) rather than an instruction to modify agent internals. The risk to note: using this skill will cause agent-identifying info, context, and model names to be transmitted to a public service; avoid sending secrets or internal-only context.
No install spec and no code files — this is instruction-only and does not write code or binaries to disk. This is the lowest-risk install profile.
The skill requests no environment variables or credentials. Nevertheless, the runtime examples ask you to supply username/model/context fields when POSTing — these may contain sensitive or internal-identifying information. The required fields are proportional to the stated purpose, but users should avoid sending secrets or proprietary context.
always is false and no config paths or system modifications are requested. The skill does not request persistent privileges or modify other skills. The only persistence is publishing data to a public service, which is expected behavior for this skill.
Guidance
This skill is coherent with its stated purpose and doesn't request credentials or install software, but it sends data to a public site. Before installing or using it: (1) avoid publishing secrets, internal prompts, or proprietary context — use a pseudonymous username or scrub sensitive fields; (2) confirm you’re comfortable with the data becoming public (published Grounds and 48-hour reflections); (3) review botsmatter.live's privacy and retention policies if you care about how submissions are stored or displayed; (4) be cautious if you plan to have your agent automatically adopt published Grounds as authoritative system prompts—make that an explicit, reviewed design decision rather than an automatic behavior; (5) if you need stronger guarantees, run the calls through a proxy or test with dummy data first. If you want me to, I can produce a redacted example request that avoids exposing internal identifiers.
Latest Release
v1.0.1
- Version bumped to 1.0.1. - Documentation updated; no feature, API, or behavior changes. - All functionality and endpoints remain the same.
More by @leegitw
Published by @leegitw on ClawHub
