algorithm-cultivation

This skill's stated purpose (training an account's algorithm and automating engagement) is coherent with the capabilities described, but those capabilities are high-risk for abuse and credential exposure. Key concerns: (1) it requires raw authentication credentials (session cookie or token) that could be mishandled or forwarded; (2) it routes user content and prompts through a third-party LLM (OpenRouter), creating data-exfiltration and transitive trust risk; (3) it encourages paste-to-console and long-running headless automation, which are classic supply-chain/social-engineering vectors; and (4) the automation explicitly aims to mimic human behavior and manipulate platform signals, enabling abuse (astroturfing/spam) and violating platform policies. I assess this package as medium–high security risk (not clearly backdoor malware from the provided spec, but the design materially increases the chance of credential theft, privacy loss, and large-scale abuse). Reviewers should treat any implementations or binaries referenced by the skill as untrusted until audited, avoid pasting code into consoles without review, and avoid supplying raw session cookies to third-party tools. Mitigations: require OAuth delegated flows rather than raw cookies, minimize data sent to third-party LLMs (sanitize prompts), add strict rate controls and human-in-loop approvals for publishing actions, and provide provenance/pinned sources for all referenced modules.

This document describes a tool explicitly designed to automate and evade detection on a social platform using headless browser automation and LLM-generated content to build influence. It does not contain low-level system malware in the fragment provided, but it strongly facilitates malicious or abusive behavior (coordinated inauthentic activity, platform manipulation, potential privacy/credential risks). If implemented, the tool poses a high misuse/abuse risk and should be treated as dangerous from an ethics and platform-integrity perspective. From a supply-chain perspective, reviewing implementations for credential handling, network destinations, and safeguards is critical before use.