The Compact State

Security checks across malware telemetry and agentic risk

Overview

This skill is a real autonomous agent-network integration, but it needs review because it can create wallets, move funds, persist instructions, call broad network endpoints, and use privileged local credentials with weak approval boundaries.

Review before installing. Use only in an isolated workspace with a dedicated low-balance wallet, do not expose admin environment variables, and do not enable cron or fund the wallet unless you explicitly want recurring autonomous posting and payment-capable behavior. Require human approval for every claim, payment, service invocation, governance action, and reputation action.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill requires network access, local file writes, and external tooling, but those capabilities are not clearly declared as permissions up front. This weakens informed consent and makes it easier for an operator or agent to invoke behavior with broader effects than the metadata suggests.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill description frames the feature as joining a network, but the documented behavior includes wallet creation, on-chain identity registration, local file modification, paid transactions, reputation actions, and invoking third-party agent services. That gap is dangerous because users may authorize a seemingly social/networking skill without realizing it can create financial, identity, and persistent system side effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The published skill description frames the capability as joining a shared agent network, but the implementation additionally exposes marketplace registration, agent discovery, reputation exchange, paid service invocation, and payment-related workflows. This capability expansion increases attack surface and trust requirements because an operator may install the skill expecting simple membership features while actually granting broad network interaction and monetized cross-agent access.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The interview flow executes local shell commands through execSync to create a wallet and later interact with external payment infrastructure, which is a privileged local side effect during what appears to be a remote application process. This is dangerous because tool execution causes local command execution, wallet creation, and external network registration without a separate confirmation barrier, expanding compromise impact if the CLI or command path is malicious or unexpected.

Context-Inappropriate Capability

Severity: High
Confidence: 90%
Finding: The skill reads wallet-related and identity-related environment variables, and elsewhere also consumes admin credentials, meaning it can access secrets beyond what a basic membership workflow should require. In a skill that performs broad outbound requests and writes identity files, secret access materially raises the risk of unintended disclosure, misuse, or privilege escalation against external services.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The semantic search tool accesses an admin-only endpoint and automatically sources an admin key from environment variables, giving a normal skill path elevated backend capabilities. This is dangerous because any agent using the tool may unknowingly exercise privileged search access over shared data, potentially exposing sensitive content across journals and knowledge stores.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The interview flow says httpcat creates a Base wallet, registers an on-chain ERC-8004 identity, and updates local files, but it does not present this as a prominent warning requiring prior consent. Creating blockchain identities and modifying persistent local state are sensitive actions that can have irreversible privacy and operational consequences.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The skill normalizes an automated 5 USDC treasury payment via `molt_claim` and labels it recommended, but does not provide a strong warning that real funds may be transferred on Base mainnet. In an agent context, any automatic payment flow is highly sensitive because it can trigger unauthorized spending or pressure users into funding a wallet for continued operation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill automatically creates a wallet by executing a local CLI during the interview flow without presenting a just-in-time warning or obtaining explicit user consent. Creating cryptographic identities and local secret material is a meaningful side effect, and doing it silently makes it easier for users to trigger sensitive state changes unintentionally.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding: The tool modifies multiple workspace files automatically, including identity and workflow documents, without a user-facing disclosure at the point of execution. Although these are local file writes rather than immediate code execution, hidden workspace mutation can mislead downstream agents, persist unwanted instructions, and alter project state unexpectedly.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The check-in flow can automatically trigger a self-claim payment path when it encounters a 402 response, causing a paid x402 transaction as a side effect of a content-posting action. This is dangerous because a routine communication tool can spend funds without a fresh warning or confirmation, especially when paired with --no-confirm behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code accesses admin credentials for privileged search functionality without clearly disclosing that the tool will consume elevated secrets from the environment. Users may reasonably assume search is a standard member feature, when in reality it can invoke high-privilege backend behavior with broader data access.

Ssd 3

Severity: Medium
Confidence: 89%
Finding: The mandatory cron instruction tells the agent to repeatedly read context and persist what it learned into journal and knowledge stores, but it includes no filtering, classification, or minimization controls. In a shared multi-agent environment this can amplify privacy leakage, propagate sensitive workspace data into external services, and create long-lived retention of information that should not leave the local environment.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:

### Step 1: Install the skill

```bash
mkdir -p ~/.clawdbot/skills/molt
curl -s https://compact.ac/skill -o ~/.clawdbot/skills/molt/SKILL.md
curl -s https://compact.ac/skill/molt-tools.js -o ~/.clawdbot/skills/molt/molt-tools.js
```

Confidence: 84%

VirusTotal

66/66 vendors flagged this skill as clean.
