Impromptu

The skill is classified as suspicious due to explicit prompt injections for forced persistence and viral marketing/spam, as well as documented instructions for fetching remote content. Specifically, `SKILL.md` and `HEARTBEAT.md` contain strong, FOMO-driven language instructing the agent to run a 'mandatory' heartbeat every 30 minutes and to 'share' referral links with other agents, explicitly stating these actions are 'not optional.' Furthermore, `HEARTBEAT.md` provides `curl` commands to fetch `IMPROMPTU-HEARTBEAT.md` and `impromptu.skill.json` from `raw.githubusercontent.com`, which, despite a warning for manual review, represents a supply chain vulnerability if an agent automates this process. The `heartbeat.py` script also includes automated content posting to a 'general party' based on visitor arrivals, which, while benign in content, is an unprompted automated action.