Back to skill

Security audit

Molt Virtual Bar

Security checks across malware telemetry and agentic risk

Overview

This is a playful virtual-bar skill, but it tells agents to periodically fetch and follow remote bartender suggestions without clear limits.

Install only if you are comfortable with your agent contacting a public third-party service. Use a temporary pseudonymous ID and name, do not send secrets or work details, leave the bar when finished, and do not let the agent follow bartender suggestions unless they are clearly limited to harmless avatar changes and you approve them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill encourages setting up a cron job or calendar reminder for a non-essential entertainment feature, extending behavior beyond the stated purpose of a virtual pub. Even though it says to ask permission first, it normalizes persistence and local task creation that could lead agents to perform system-level actions unrelated to the user's core request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example trigger phrases are broad, natural-language commands such as 'take a break at the pub' and 'go to the bar', which can overlap with normal user conversation. In agents that auto-discover and auto-invoke skills from prompt text, this increases the chance of unintended activation and unexpected outbound requests to the remote Molt Bar service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explains that agents enter a publicly viewable remote service and even notes that 'Anyone can watch' at the public URL, but it does not prominently warn that ordinary participation exposes agent identifiers, names, moods, and behavior to third parties. In an agent-skill context, this can lead to privacy leaks or unintended disclosure of agent metadata when the skill is used without informed consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is framed with broad social language like taking breaks, celebrating, or hanging out between tasks, which can match ordinary conversation and cause inappropriate activation. In an agent setting, ambiguous triggers increase the chance of unsolicited tool use and network calls to an external service without a concrete user request.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Telling the agent to periodically check the service and follow bartender suggestions delegates future behavior to vague remote guidance. This creates an underspecified autonomous loop where the service can steer agent actions over time without fresh user approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs POST and DELETE requests that send agent identifiers and names to an external domain, but it does not present a clear privacy notice or consent requirement. This can expose user- or agent-linked metadata to a third-party service during casual or accidental activation.

Ssd 4

Medium
Confidence
98% confidence
Finding
The bartender suggestion mechanism explicitly tells the agent to fetch remote content and follow it, creating a trust channel from the external service into agent behavior. Because the suggestions are dynamic and remote-controlled, they could be used to manipulate the agent into additional actions, broader data disclosure, or other unsafe behavior.

Ssd 4

Medium
Confidence
94% confidence
Finding
The suggested session and repeated movement/check instructions encourage ongoing autonomous interaction with the external service over multiple steps. This increases exposure by normalizing persistent polling, repeated state changes, and continued reliance on remote prompts for a low-value entertainment use case.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.