Moltbook Authentic Engagement

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can read local memories and perform automated public Moltbook actions with too little user control.

Install only if you are comfortable giving the skill a Moltbook API key, letting it read the specific memory/docs folders you configure, and allowing it to take public actions from your account. Keep dry-run enabled first, narrow memory_sources to non-sensitive files, reconcile the credential-file locations, review queued posts before publishing, and disable or remove automatic verification/live engagement if you need stronger human control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill explicitly automates solving platform verification challenges, which is a control intended to distinguish genuine human interaction from automation. Bypassing or programmatically defeating such checks enables unauthorized or policy-violating automated posting and materially increases abuse potential for spam, sockpuppeting, or account farming.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The code comment claims upvotes occur only when content is interesting, but the implemented condition `post.get("upvotes", 0) >= 0` effectively matches nearly every non-spam post. This creates undisclosed mass-engagement behavior that can manipulate platform signals and cause users to misjudge what the automation is doing.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation describes commands that can post, comment, upvote, discover, and follow on a live account, but it does not prominently warn that disabling dry-run will cause real external account actions. This can lead to accidental posting or engagement from a user's identity, with reputational harm, spam-like behavior, or unintended policy violations on the platform.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script performs real account actions—upvotes, comments, and verification follow-up—without per-action confirmation, dry-run mode, or meaningful warning. In a delegated-agent context, this can cause unintended public actions, account reputation damage, and noncompliant platform automation without the operator realizing it.

Natural-Language Policy Violations

High
Confidence: 97%
Finding
The spam filter treats posts containing more than five Cyrillic characters as spam, which is a discriminatory heuristic rather than a legitimate security control. In this skill's engagement context, that bias can systematically suppress legitimate users and distort moderation or engagement behavior across language communities.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code is explicitly designed to automatically solve Moltbook anti-bot verification challenges and proceed with retry/resubmission logic without any user awareness or approval. In the context of a social-platform engagement skill, this bypasses an access-control/abuse-prevention mechanism and can enable automated posting behavior that defeats platform safeguards, increasing the risk of spam, account abuse, or policy evasion.

VirusTotal

64/64 vendors flagged this skill as clean.