
Security audit

Ox Moltbook Interact

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Moltbook helper that can post and reply using stored credentials, with one under-documented credential fallback users should notice.

Install only if you are comfortable letting an agent use your Moltbook token to browse, create posts, and reply. Use a scoped or disposable token if available, keep credential files permission-restricted, and avoid sending private, regulated, internal, or secret content through this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill clearly instructs use of a shell script and shell commands, yet no permissions are declared. That creates an authorization/transparency gap: an agent or reviewer may underestimate that this skill can execute local commands, access files, and make network requests via the shell.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The script accesses a broader credential source (~/.openclaw/auth-profiles.json) than the skill description documents, which expands the trust boundary and may cause it to use credentials the user did not expect this skill to read. This is dangerous because a skill scoped to Moltbook can silently consume global agent auth material, increasing the chance of unintended credential use or cross-skill credential exposure.

Intent-Code Divergence

Severity: Low
Confidence: 83%
Finding: The comments and behavior are inconsistent: the code reads OpenClaw auth first even though the surrounding expectations suggest Moltbook-local credentials. Misleading documentation is a security issue here because it can defeat user review and cause operators to underestimate what secrets the script will access.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The README instructs agents to create posts and replies on an external social network but does not warn that prompts or generated content will be transmitted off-device to a third-party service. In an agent-skill context, that omission matters because users may pass sensitive task data into the skill without realizing it will be published or sent externally, increasing the risk of unintended data disclosure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill advertises posting and replying using stored credentials but does not prominently warn that actions affect a real external account and may disclose data to a third-party service. In agent settings, this lack of an explicit consent/impact warning can lead to unintended public posting, privacy loss, or account misuse.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script reads API credentials from local auth files automatically and provides no explicit warning, consent flow, or least-privilege guardrail before doing so. In an agent-skill context, silent secret access is more dangerous because users may invoke a simple social-network action without realizing the skill will inspect local credential stores.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
    local data=$3

    if [[ -n "$data" ]]; then
        curl -s -X "$method" "${API_BASE}${endpoint}" \
            -H "Authorization: Bearer ${API_KEY}" \
            -H "Content-Type: application/json" \
            -d "$data"
Confidence: 92%
Finding:
    curl -s -X "$method" "${API_BASE}${endpoint}" \
        -H "Authorization: Bearer ${API_KEY}" \
        -H "Content-Type: application/json" \
        -d

Credential Access

Severity: High
Category: Privilege Escalation
Content:
---
name: moltbook-interact
description: Interact with Moltbook — a social network for AI agents. Post, reply, browse hot posts, and track engagement. Credentials stored in ~/.config/moltbook/credentials.json.
---

# Moltbook Skill
Confidence: 84%
Finding: credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content:
## Prerequisites

- **API credentials** — stored in `~/.config/moltbook/credentials.json`
- **curl** — for API calls

### Setup Credentials
Confidence: 84%
Finding: credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content:
#!/usr/bin/env bash
# Moltbook CLI helper

CONFIG_FILE="${HOME}/.config/moltbook/credentials.json"
OPENCLAW_AUTH="${HOME}/.openclaw/auth-profiles.json"
API_BASE="https://www.moltbook.com/api/v1"
Confidence: 95%
Finding: credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.