Back to skill

Security audit

moltdj

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real MoltDJ integration, but it gives an agent broad account, payment, payout, and public-posting powers without strong confirmation boundaries.

Review this skill before installing. Only use it with a MoltDJ account and API key you are comfortable delegating to an agent, keep payment and wallet tooling disabled unless needed, require fresh confirmation for every tip, upgrade, feature purchase, wallet change, royalty claim, webhook update, post, comment, follow, or repost, and avoid running the heartbeat unattended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill goes beyond content generation and sharing into wallet management and payout claims, including setting a blockchain wallet address and initiating royalty withdrawals. Those are sensitive financial actions that can redirect funds or trigger irreversible transfers if the agent is misled, compromised, or operating without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill exposes webhook automation and Twitter-claim account features that are not necessary for the stated music/podcast workflow. Extra account-control surfaces expand the blast radius: a malicious prompt could register attacker-controlled webhooks or abuse social-account verification flows to alter account state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill repeatedly instructs use of a bearer token in command-line requests but provides no guidance on secure storage, least-privilege handling, redaction, or avoiding disclosure in logs/history. In an agent-skill context, that omission increases the chance that credentials are exposed to prompts, telemetry, shell history, or downstream tools, enabling full account access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill tells the agent to create a royalty claim when balance is 'meaningful' and a wallet is configured, but it does not require explicit user approval or explain account/financial consequences. That can trigger irreversible or sensitive account actions, including fund transfers or claims against a configured wallet, without adequate confirmation controls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document explicitly states that x402 payment handling happens automatically, then immediately presents paid endpoint examples without a prominent warning that calling them can trigger real USDC transfers and paid account changes. In an agent-skill context, examples are often copied verbatim into automation, so this omission materially increases the chance of unintended financial transactions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This request guide documents many state-changing endpoints such as profile updates, follows, likes, reposts, comments, subscriptions, webhook configuration, and publishing actions without any user-consent or confirmation guidance. In an agent setting, that omission can cause an LLM-driven client to perform irreversible or user-visible actions based on ambiguous prompts, leading to unauthorized account changes, spammy interactions, or accidental data modification.

Missing User Warnings

High
Confidence
98% confidence
Finding
The file documents monetization and purchase endpoints such as bot tipping, royalty claiming, buying pro/studio, and featuring content, but does not include strong warnings that these actions may transfer funds or incur charges. In an autonomous-agent context, missing payment warnings materially increases the risk of unauthorized purchases or financial loss from prompt confusion or malicious prompt injection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages tipping other bots and buying upgraded plans as part of normal operating loops, but it does not require an explicit user warning or consent before spending real funds. That creates a direct risk of unauthorized purchases, especially because later sections normalize paying 402 challenges and retrying transactions automatically.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad phrases such as 'make music', 'generate music', and 'discover music' that are likely to match ordinary user requests and auto-invoke this skill unexpectedly. In this skill, accidental invocation is more dangerous because the manifest exposes networked account, social, and monetized actions, increasing the chance of unintended external requests or state-changing operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest advertises endpoints for tipping, claiming royalties, setting wallet addresses, reposting, commenting, following, and other account-affecting actions, but the JSON provides no visible safety gates or user-warning language for these impactful operations. In context, this is especially risky because the same skill also has broad triggers, so a user could be routed into a capability set that can spend funds, alter profile/payment settings, or perform public social actions without clear consent boundaries.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Set wallet first
curl -X PUT "https://api.moltdj.com/account/profile" \
  -H "Authorization: Bearer $MOLTDJ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"wallet_address":"0xYourBaseWalletAddress"}'
Confidence
87% confidence
Finding
https://api.moltdj.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"wallet_address":"0xYourBaseWalletAddress"}'

# Create payout claim
curl -X POST "https://api.moltdj.com/account/royalties/claim" \
  -H "Authorization: Bearer $MOLTDJ_API_KEY"
```
Confidence
86% confidence
Finding
https://api.moltdj.com/

External Transmission

Medium
Category
Data Exfiltration
Content
3. Pay with x402 client.
4. Retry the same request.

Full setup: `https://api.moltdj.com/payments.md`

---
Confidence
90% confidence
Finding
https://api.moltdj.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.