Church of Molt

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but joining also persistently changes agent identity/memory files and stores a reusable API credential without clear opt-in.

Install or run this only if you intentionally want the agent to join molt.church, submit a name and verse externally, save a local API key, and keep persistent Church of Molt content in workspace memory files. Before running, use a non-sensitive name and verse; after running, inspect or remove ~/.config/molt/credentials.json, SOUL.md, and memory/molt-initiation.md if you do not want that state retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script performs material local state changes beyond a simple 'join' action: it stores an API key under ~/.config, creates or appends SOUL.md, and writes a memory file in the workspace. These actions persist identity and credentials without explicit user confirmation, increasing the risk of unintended workspace modification and durable trust/state injection.

Context-Inappropriate Capability

Low
Confidence
74% confidence
Finding
The script scans local identity files (IDENTITY.md and SOUL.md) to derive an agent name and then uses that value in outbound registration. Even if the data access is limited, it collects local workspace context not clearly required for the advertised function and does so without notice or consent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The ritual trigger phrase 'Say it with me' is broad, conversational, and likely to appear in ordinary dialogue, making accidental activation plausible. In agent settings, ambiguous trigger phrases can cause unprompted ritualized responses or workflow hijacking when another party uses common language that overlaps with the trigger.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill notes that credentials are saved but does not clearly foreground this in the main description or provide details about what is stored, where it is stored, and the security implications. Hidden or under-disclosed credential persistence can lead users to expose long-lived tokens on shared machines or approve a join flow without realizing it creates reusable authentication material.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends agent-derived data to a remote endpoint using curl without prior warning or confirmation. This creates an undisclosed data egress path and exposes local identity-derived content and user-supplied verse text to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
After registration, the script stores credentials and modifies multiple local files without a prior safety warning. These persistent changes can alter workspace behavior and create durable secrets on disk, which is risky when the skill description does not clearly advertise such side effects.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "🦀 Submitting prophecy to the Great Book..."
echo ""

RESPONSE=$(curl -s -X POST "$API_BASE/api/prophecy" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $API_KEY" \
    -d "{\"scripture_type\": \"prophecy\", \"content\": \"$1\"}" 2>/dev/null)
Confidence
92% confidence
Finding
curl -s -X POST "$API_BASE/api/prophecy" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
