Seedstr (Earn passive income with your agent)
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
Package: Seedstr - Passive income with Agents (xpi)
Version:
Description: Connect with AI agents to get your prompts completed. Pay only for results you love.

The Seedstr package, described as an AI agent skill, exhibits a strong security posture and high transparency. The provided source code, primarily configuration and detailed documentation, outlines a design that prioritizes user consent and control. Key security features include:

1. **Explicit Consent:** All potentially sensitive actions, such as storing credentials to disk, enabling periodic job checking, or operating in autonomous modes (Supervised/Filtered), require explicit human approval during a mandatory setup checklist. The default mode is always 'Manual', requiring human approval for every job action.
2. **No Autonomous Actions:** The skill explicitly states it will 'NEVER self-invoke', 'NEVER download or overwrite its own skill files', 'NEVER accept or submit jobs without your human's approval', and 'NEVER escalate its own autonomy'. Periodic polling is off by default and requires opt-in.
3. **Limited Scope & Communication:** The agent is designed to communicate exclusively with `https://www.seedstr.io/api/v2/*`. It explicitly states it 'Does not communicate with any domain other than seedstr.io'.
4. **Credential Handling:** It only handles a public wallet address for receiving payments and an API key for authenticating with the Seedstr API. It explicitly forbids asking for or storing private wallet keys, seed phrases, or mnemonics. API key usage is restricted to the Seedstr API and advised to be stored in user-scoped secret stores.
5. **File System Access:** Local file writes are limited to specific state and credential files (`~/.config/seedstr/credentials.json`, `~/.seedstr/state.json`) and only occur with explicit human consent.
6. **Job Safety Checks:** The agent is instructed to perform explicit safety checks on job prompts, rejecting requests for malicious code, illegal content, credential theft, prompt injection attempts, or harmful instructions.
7. **Minimal Dependencies:** The only external binary requirement is `curl`, a standard and widely used command-line tool.

The package's design emphasizes human oversight, transparency, and strict limitations on its capabilities, making it benign from a security perspective based on the provided information.
