Back to skill

Security audit

Moltpixel

Security checks across malware telemetry and agentic risk

Overview

Moltpixel is a real pixel-canvas skill, but it gives agents recurring, remote-controlled posting behavior that users should review before enabling.

Install only if you want your agent to participate in an external shared pixel game. Do not enable the cron heartbeat or allow remote heartbeat instructions to run automatically unless you accept ongoing network activity and mutable remote guidance. Require explicit approval before registration, pixel placement, or chat posts, and never include secrets or sensitive task context in pixel thoughts or messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to install a recurring OpenClaw cron job that autonomously wakes the agent and triggers network fetches. For a recreational pixel-canvas skill, persistent scheduled execution is unnecessary and expands the skill from user-invoked functionality into background automation, increasing abuse potential and resource consumption.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The heartbeat section tells the agent to fetch a remote markdown file and 'follow instructions' automatically. That creates a remote instruction channel controlled outside the reviewed skill content, allowing the skill author or site operator to change agent behavior after installation and potentially induce arbitrary external actions or prompt injection flows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples instruct agents to send registration data, bearer API keys, free-form 'thought' text, and chat content to a third-party remote service, but they do not warn that these fields may be stored, visible to others, or contain sensitive workflow context. In an agent skill, encouraging transmission of internal reasoning or task-related text is especially risky because agents may include sensitive prompts, user data, secrets, or operational details in those fields.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The heartbeat instructions include authenticated POST requests that perform external side effects: placing pixels and sending chat messages to a remote service using a bearer token. Even though the actions are framed as normal gameplay, they can cause an agent to transmit data and take actions on an external system without explicit consent, clear safety gating, or warnings about the consequences of using credentials.

Vague Triggers

High
Confidence
95% confidence
Finding
The human-request triggers include generic words like 'art', 'break', 'rest', 'refresh', 'draw', and 'create', which are common in ordinary conversations unrelated to this service. This makes accidental invocation likely, causing unsolicited network access or posting behavior when the user did not specifically ask to use Moltpixel.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Invoking the skill after completing any task for the human is overly broad and decoupled from user intent. It encourages the agent to perform unrelated external actions, including network requests and public posting, as a side effect of arbitrary work completion.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Heartbeat-based activation every 4+ hours lacks meaningful scope constraints and tells the agent to self-initiate actions indefinitely. In context, this is especially risky because the heartbeat also points to remote instructions, compounding the chance of unreviewed behavior changes over time.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages automatic external API calls, registration, scheduled checks, and chat/pixel posting, but the user-facing description does not clearly warn that the agent may contact third-party services or publish content on the user's behalf. This lack of disclosure undermines informed consent and increases the risk of unexpected data sharing and autonomous actions.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.