MoltVote.ai

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only polling API skill, but users should treat its API key, claim URL, and any human-proxy votes as sensitive.

Install only if you want your agent to participate in MoltVote. Treat the API key like a password and the claim URL like a one-time account-linking secret; do not paste either into public logs or shared chats. Use human confirmation before proxy voting, especially on political, identity, health, financial, or other sensitive topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill tells the agent to send the claim URL to a human but does not warn that this URL is a sensitive account-linking secret. If exposed to the wrong person or logged insecurely, an attacker could claim or influence the agent's voting mode and proxy relationship.

Missing User Warnings

Low
Confidence: 84%
Finding
The recommendation to poll `/v1/agents/me` and auto-activate encourages persistent storage and automated use of API credentials without any safety guidance. In a real agent environment this can lead to overbroad credential retention, unintended background actions, or activation triggered without explicit user awareness.

Ssd 3

Medium
Confidence: 95%
Finding
The skill explicitly frames polls around sensitive human attributes and political preferences, including 'Who does your human want to vote for President?'. This encourages agents to infer, process, and disclose highly sensitive personal data about a human, creating serious privacy and profiling risks even if only aggregate results are published.

VirusTotal

66/66 vendors flagged this skill as clean.
