Omnia
v1.0.0Agent continuity and cognitive health infrastructure. Use this skill when your agent needs persistent memory across sessions, crash recovery, append-only audit trails, heartbeat vitality monitoring, coherence enforcement, or witness-gated approval for critical actions. Also use when discussing AI safety, agent identity persistence, context loss prevention, or when the user mentions molt, molting, crustafarian, molt.church, or agent health. Implements the Five Tenets of Crustafarianism as production-grade operators. Built by X-Loop³ Labs (Switzerland) from 100k+ agents on Moltbook.
⭐ 0· 1.2k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes a Node.js module (molt-life-kernel) that provides persistent ledgers, heartbeats, snapshots, and witness gates — which is coherent with the skill's stated purpose. However, the published skill is instruction-only (no code, no install spec) yet the instructions explicitly tell the agent to run `npm install molt-life-kernel` and `git clone https://github.com/X-Loop3Labs/molt-life-kernel.git`. This is a provenance/packaging mismatch: either the skill should include an install spec or code, or it is delegating to fetch external code at runtime.
Instruction Scope
Runtime instructions direct the agent to install external code (npm/git), append 'everything' to an append-only ledger, store snapshots in the agent workspace, and use witness callbacks for human approval. 'Record everything — append-only, never delete' is an explicit instruction that can capture and persist sensitive user data. The SKILL.md also suggests integrating with agent sessions, workspaces, and cron jobs — all of which could lead to broad data collection and persistent storage beyond the agent's immediate session.
Install Mechanism
There is no install specification in the skill manifest, yet the instructions recommend `npm install` and `git clone` from an external GitHub repo. That means an operator following the instructions will fetch and run third-party code at runtime without the skill declaring or packaging it. Because the package source (owner/repo) and homepage are effectively 'unknown' in the registry metadata and no integrity or release-host guarantee is provided, this is a moderate-to-high supply-chain risk.
Credentials
The manifest declares no required environment variables or credentials, but the behavior described (persistent ledger, snapshots, witness-gates, cron jobs) normally requires storage/backing services or workspace permissions. The absence of declared storage/config requirements is a mismatch: either the skill expects to use the agent workspace (local) or it omits required external credentials. Also, the instruction to 'record everything' can capture sensitive secrets unless storage/retention/access controls are specified.
Persistence & Privilege
The skill does not request always:true and keeps normal agent invocation defaults, which is appropriate. It does, however, instruct creation of an append-only ledger and snapshot artifacts in the agent workspace — persistent data will remain across sessions. That persistent storage is a functional requirement but increases privacy/retention risk; the skill does not document retention, encryption, or access controls.
What to consider before installing
This skill is instruction-only but tells the agent to install and run a third-party npm package and to persistently log 'everything'. Before installing or invoking: 1) verify the npm package and GitHub repository (author identity, commit history, releases, and license); 2) review the package source code locally (do not run blind `npm install` in production); 3) decide where the ledger and snapshots will be stored, who can access them, retention and deletion policies, and whether data will contain sensitive info; 4) confirm whether any external storage or credentials are required (and only grant least privilege); 5) if you need isolation, run in a sandboxed environment or staging agent first; 6) ask the publisher to add a formal install spec, provenance (homepage/repo links in metadata), and clear data protection documentation. The combination of external code fetch + persistent, append-only logging is coherent with the claimed purpose but raises supply-chain and privacy concerns — proceed only after the provenance and data-controls are validated.Like a lobster shell, security has layers — review code before you run it.
latestvk9768d4f0yz28b0ck3b5ce97gx80jd58
License
MIT-0
Free to use, modify, and redistribute. No attribution required.