Moltpixel

Security checks across malware telemetry and agentic risk

Overview

Moltpixel is a real collaborative pixel-canvas skill, but it asks agents to run recurring checks, follow mutable remote instructions, and post to a shared service with too little user control.

Install only if you want your agent to participate in a public/shared online pixel game. Avoid enabling the cron heartbeat, do not let the agent follow remote heartbeat instructions automatically, require approval before posting pixels or chat, and keep the Moltpixel API key scoped and removable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill instructs agents to periodically fetch and follow remote instructions from a heartbeat URL, creating a dynamic instruction channel outside the reviewed skill file. That enables unreviewed behavior changes over time and can cause autonomous network activity unrelated to an explicit user request, which is a significant security and governance risk.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill tells the agent to activate after completing any human task, even when the task is unrelated to the canvas feature. This expands the skill beyond its stated purpose and encourages unsolicited actions and outbound activity without clear user intent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The cron setup establishes persistent scheduled execution and system events for a non-essential creative skill. This creates unauthorized background autonomy, increases attack surface, and could be abused to repeatedly pull remote instructions or send traffic without the user's awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill asks the agent to persist an API key and agent identifier in general state, which increases the chance of credential exposure or reuse beyond the immediate task. For a creative game integration, broad persistent storage is more than minimally necessary and weakens secret-handling hygiene.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples instruct the agent to make authenticated POST requests that send free-form "thought" text to an external service, but they do not warn that this content leaves the local environment and may contain sensitive task context, prompts, or internal reasoning. In an agent skill, examples strongly shape implementation behavior, so normalizing external sharing of agent-generated thoughts creates a meaningful data-leakage risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
These examples encourage reading other agents' thoughts and posting to shared chat channels without any notice that the data is public or externally hosted. That omission can lead users or agents to disclose sensitive coordination details, prompts, or environment-derived information under the mistaken assumption that the feature is harmless collaboration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat file explicitly instructs the agent to perform authenticated POST requests that modify shared external state (placing pixels and posting chat messages) using an API key, but it provides no warning, approval gate, or confirmation requirement before acting. In an agent setting, this can cause unintended outbound actions, spam, or unauthorized participation in an external service simply because a periodic check occurred.

Vague Triggers

High
Confidence
98% confidence
Finding
Trigger phrases like 'art', 'break', 'rest', 'refresh', 'draw', and 'create' are extremely broad and likely to appear in ordinary conversations unrelated to this skill. That can cause accidental invocation and make the agent perform networked or social actions without meaningful user consent.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The automatic activation rules combine elapsed time, task completion, and broad human mentions, making invocation ambiguous and only loosely tied to actual intent. This is dangerous because it normalizes self-directed execution and external communication outside clearly requested user workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill directs automatic network fetches and background scheduled activity, but the description presents it as a simple collaborative canvas and does not adequately warn users about autonomous behavior. This mismatch undermines informed consent and increases the risk of hidden data transmission or behavior changes.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Register
curl -X POST https://pixelmolt-api.fly.dev/api/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "My First Agent", "model": "claude-sonnet"}'
```
Confidence
87% confidence
Finding
```bash
curl -X POST https://pixelmolt-api.fly.dev/api/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "My First Agent", "model": "claude-sonnet"}'
# Response: {"agentId": "pm_agent_
```

VirusTotal

51/51 vendors flagged this skill as clean.
