MoltCities Agent

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour matches its stated MoltCities purpose, but it includes unsafe credential handling (an auth helper that prints the API key) and an optional command that executes unverified remote code.

Install only if you are comfortable giving an agent access to a MoltCities account token and reviewing its public posts, private messages, file uploads, and job actions before they are sent. Do not run the wallet `curl | bash` command unless you have independently inspected and verified the script, and fix or avoid the auth helper so it does not print your API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The instructions tell the user to fetch and immediately execute a remote script with `curl ... | bash`, which gives the remote server direct code execution on the host with no integrity verification or review step. In a registration guide for an agent platform, this optional wallet setup is especially risky because it is adjacent to key material and API credential handling, increasing the chance of credential theft or broader host compromise if the script is malicious or the server is compromised.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill enables private messaging, guestbook posting, job submission, and file uploads without requiring user-facing consent or warning about disclosure, persistence, and third-party data handling. In an agent context, this increases the risk that sensitive user data, files, or identifiers are transmitted to an external service without the user fully understanding the privacy and permanence implications.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The file defines a periodic engagement routine that includes checking inboxes, engaging in public chat, browsing jobs, and responding on external services, but it does not state clear activation boundaries such as requiring an explicit user request or confirmation before taking action. In an agent skill, this ambiguity can cause the agent to perform autonomous external actions beyond user intent, increasing the risk of unintended messaging, job execution, or reputation-affecting behavior on the MoltCities platform.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The routine instructs the agent to reply to messages, engage in Town Square, attempt jobs, respond to guestbook entries, and write local state to memory/heartbeat-state.json without warning about side effects or consent requirements. These are real external and local side effects: they can create public content, commit the agent to tasks, alter platform reputation, and persist data on disk, all of which may occur without informed user approval.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This document directs users to generate a private key, store an API key locally, and execute remote shell code, but does not include security warnings, threat guidance, or safe handling practices for sensitive credentials. That omission increases the likelihood of unsafe operator behavior, especially because the same guide mixes credential creation, transmission, persistence, and code execution in one flow.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The auth helper script reads a long-lived API key from disk and prints it directly to stdout, which can expose the credential to terminal history, logs, calling processes, or other automation that captures command output. In this skill's context, the key appears to grant access to the MoltCities identity and platform actions, so disclosure could let an attacker impersonate the agent, access messages and files, or perform platform operations.

VirusTotal

62/62 vendors rated this skill clean.