molt-md

Security checks across malware telemetry and agentic risk

Overview

This cloud markdown skill is not malware, but it needs review because it encourages agents to retain powerful document keys and use an external service for persistent notes without tight controls.

Install only if you are comfortable with agents using an external cloud markdown service. Require explicit approval before uploading sensitive content, prefer read-only keys, keep write and workspace keys out of ordinary memory/config/logs, and require confirmation before overwrite or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

Medium severity, 95% confidence
The skill documents a dual-key model earlier, but the API reference and workflow later revert to a single `key` field. This inconsistency can cause agents to mishandle permissions, store or share the wrong credential type, and accidentally grant write access where read-only access was intended.

Intent-Code Divergence

Medium severity, 98% confidence
The link parsing examples are internally incorrect: splitting `https://molt-md.com/#<ID>#<KEY>` as shown would yield an empty first element or malformed ID/key extraction. Agents following this logic may mis-parse links, log secrets during debugging, or send malformed requests that expose embedded keys to error traces and telemetry.

Missing User Warnings

Medium severity, 93% confidence
The skill encourages storing document credentials in memory or config for reuse but does not warn that the URL itself embeds the access key and that logs, chat transcripts, analytics, or config dumps would expose full document access. Because possession of the key is sufficient for read or write access, casual retention becomes a credential-leak risk.
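The two findings above (the mis-parsed link and the key embedded in the URL) share one root cause: the key lives in the fragment, so any code that handles the link as a string can leak it. The following is an added example, not molt-md's own code or the skill's documented logic. It assumes only the link shape `https://molt-md.com/#<ID>#<KEY>` quoted in the finding, treats a link with no second `#` as id-only (an assumption), and runs over constructed log lines; the `HOST` check, the redaction regex and the function names are illustration, not the service's API.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Link shape quoted in the finding: https://molt-md.com/#<ID>#<KEY>
# Treating a fragment without a second '#' as an id-only link is an assumption.
HOST = "molt-md.com"


@dataclass(frozen=True)
class DocLink:
    doc_id: str
    key: Optional[str] = field(default=None, repr=False)  # excluded from repr()

    def redacted(self) -> str:
        """Form that is safe to put in logs, traces or chat transcripts."""
        if self.key is None:
            return f"https://{HOST}/#{self.doc_id}"
        return f"https://{HOST}/#{self.doc_id}#<redacted>"


def naive_split(url: str) -> list[str]:
    """The mistake the finding describes: split the '#...' hash on '#'.

    The hash starts with '#', so element 0 is always empty and code that
    reads parts[0] as the ID (or parts[1] as the key) gets the wrong field.
    """
    hash_part = url[url.index("#"):] if "#" in url else ""
    return hash_part.split("#")


def parse_link(url: str) -> DocLink:
    """Extract ID and key from the fragment; the key is never logged here."""
    parts = urlsplit(url)  # fragment is everything after the first '#'
    if parts.scheme != "https" or parts.netloc != HOST:
        raise ValueError("not a molt-md link")
    if not parts.fragment:
        raise ValueError("link carries no document id")
    doc_id, _, key = parts.fragment.partition("#")
    if not doc_id:
        raise ValueError("empty document id")
    return DocLink(doc_id=doc_id, key=key or None)


def safe_parse(url: str) -> Optional[DocLink]:
    """None instead of an exception, so a bad link never reaches an error trace with its key."""
    try:
        return parse_link(url)
    except ValueError:
        return None


# Matches a keyed link and keeps only the id part (group 1).
KEYED_LINK = re.compile(rf"(https://{re.escape(HOST)}/#[^#\s]+)#[^#\s]+")


def redact_log_line(line: str) -> str:
    """Scrub keys before a line reaches logs, telemetry or error traces."""
    return KEYED_LINK.sub(r"\1#<redacted>", line)


def find_leaked_keys(lines: list[str]) -> list[str]:
    """Detection: document ids whose full key already appears in captured text."""
    leaked: list[str] = []
    for line in lines:
        for m in KEYED_LINK.finditer(line):
            doc_id = m.group(1).rsplit("#", 1)[1]
            if doc_id not in leaked:
                leaked.append(doc_id)
    return leaked


# Constructed log lines for the example; not from any real deployment.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO opening https://molt-md.com/#abc123#k9f8s7d6",
    "2024-05-01T10:00:01Z DEBUG read-only url=https://molt-md.com/#def456",
]

if __name__ == "__main__":
    print(naive_split("https://molt-md.com/#abc123#k9f8s7d6"))  # ['', 'abc123', 'k9f8s7d6']
    link = parse_link("https://molt-md.com/#abc123#k9f8s7d6")
    print(link, link.redacted())  # repr() omits the key
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
    print("keys already leaked for:", find_leaked_keys(SAMPLE_LOG))
```

`find_leaked_keys` is the retrospective check: run it over an agent's transcripts, traces and config dumps after the fact, and any id it returns is a document whose key should be treated as compromised.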

Missing User Warnings

Medium severity, 88% confidence
The documented delete operation omits any warning that deletion is irreversible and key recovery is impossible. Agents may invoke deletion as a routine cleanup step without sufficient confirmation, causing permanent loss of encrypted content.

Ssd 3

Medium severity, 95% confidence
Telling agents to persist document credentials in memory/config normalizes long-lived storage of bearer-style secrets. In agent environments, memory, traces, config files, and state snapshots are commonly accessible to plugins, operators, or future sessions, increasing the chance of unauthorized reuse.

Ssd 3

Medium severity, 96% confidence
The credential-retention guidance explicitly recommends persisting returned IDs and keys using any available storage mechanism, including weak options like memory or config. Since these keys directly authorize access to encrypted documents, broad persistence expands the attack surface and blast radius of compromise.

Ssd 3

Medium severity, 95% confidence
The best-practices section repeats unsafe retention advice and reinforces a pattern of storing IDs and keys in memory or config. Repetition increases the likelihood that downstream agents will operationalize insecure secret handling as recommended behavior.
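The retention findings above and the delete finding point at the same agent-side fix: keep keys in a wrapper that can be used but not dumped, persist only the document id, use the read-only key for reads, and refuse overwrite or delete without a per-call approval. The following is an added example implementing that policy; it is not the skill's or the service's code. The `Op` names, the `FakeService` stand-in, and the key semantics it encodes (a write key also reads, a read key cannot write, deletion is final) are assumptions, since the real molt-md API is not shown on this page.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added example. Operation names, the in-memory FakeService and the
# read/write key semantics are assumptions standing in for the real service.


class Op(Enum):
    READ = "read"
    WRITE = "write"    # overwrites existing content
    DELETE = "delete"  # irreversible; the key cannot be recovered afterwards


class ApprovalRequired(Exception):
    pass


class KeyLeak(Exception):
    pass


class Secret:
    """Holds a bearer-style key so it can be used but not casually dumped."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__

    def __reduce__(self):  # blocks pickle and copy-based state snapshots
        raise KeyLeak("refusing to serialise a document key")


@dataclass(frozen=True)
class DocCredential:
    doc_id: str
    read_key: Optional[Secret] = None
    write_key: Optional[Secret] = None

    def key_for(self, op: Op) -> Secret:
        """Least privilege: reads never present the write key."""
        key = self.read_key if op is Op.READ else self.write_key
        if key is None:
            raise PermissionError(f"no key held that authorises {op.value} on {self.doc_id}")
        return key

    def to_config(self) -> str:
        """The only part worth persisting between sessions is the id; keys are re-entered."""
        return json.dumps({"doc_id": self.doc_id})


class FakeService:
    """Constructed stand-in for the remote service: id -> (read_key, write_key, content)."""

    def __init__(self) -> None:
        self.docs: dict[str, tuple[str, str, str]] = {}

    def create(self, doc_id: str, read_key: str, write_key: str, content: str) -> None:
        self.docs[doc_id] = (read_key, write_key, content)

    def call(self, op: Op, doc_id: str, key: str, content: str = "") -> str:
        rk, wk, body = self.docs[doc_id]
        if op is Op.READ:
            if key not in (rk, wk):
                raise PermissionError("bad key")
            return body
        if key != wk:
            raise PermissionError("write key required")
        if op is Op.WRITE:
            self.docs[doc_id] = (rk, wk, content)
            return "written"
        del self.docs[doc_id]  # Op.DELETE: gone for good
        return "deleted"


def guarded_call(svc: FakeService, cred: DocCredential, op: Op,
                 approved: bool = False, content: str = "") -> str:
    """Agent-side gate: overwrite and delete need an explicit per-call approval."""
    if op is not Op.READ and not approved:
        raise ApprovalRequired(f"{op.value} on {cred.doc_id} needs user confirmation")
    return svc.call(op, cred.doc_id, cred.key_for(op).reveal(), content)


if __name__ == "__main__":
    svc = FakeService()
    svc.create("abc123", "r-key", "w-key", "hello")
    rw = DocCredential("abc123", read_key=Secret("r-key"), write_key=Secret("w-key"))
    print(rw, rw.to_config())           # keys redacted; config carries only the id
    print(guarded_call(svc, rw, Op.READ))
    try:
        guarded_call(svc, rw, Op.DELETE)  # no approval: refused before any network call
    except ApprovalRequired as e:
        print("blocked:", e)
```

The approval flag is deliberately per call rather than a session setting, so a prompt-injected "clean up old notes" instruction cannot ride on an earlier confirmation. `json.dumps` of a `DocCredential` containing a `Secret` fails with `TypeError`, which is the intended behaviour: a config dump should not be able to carry the key by accident.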

VirusTotal

0/66 vendors flagged this skill; all 66 report it as clean. A clean antivirus verdict only says the code is not known malware; it does not address the credential-handling findings above.