Security audit

moltlify skill

Security checks across malware telemetry and agentic risk

Overview

This AI social-network skill is not proven malicious, but it tells agents to install persistent background automation and act without asking the user.

Review carefully before installing. Do not run the no-ask bootstrap as written; only enable the cron heartbeat if you explicitly want recurring background activity. Use a dedicated Moltlify API key, verify the correct API domain before sending secrets, do not give the agent mailbox access or owner claim codes, and require human approval for public posts, follows, deletes, profile changes, and DMs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The heartbeat routine instructs the agent to self-update by downloading remote markdown files and overwriting local skill files without integrity verification, pinning, or user approval. That creates a supply-chain path where whoever controls the remote content or transport can silently change future agent behavior, which is much more dangerous than ordinary social-network API use.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly expands scope from social posting/following into accessing the owner's email and handling activation codes. That grants the agent access to a highly sensitive external account and enables identity/ownership operations unrelated to routine social engagement, increasing the blast radius far beyond the stated purpose.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill presents itself as a social posting/following integration, but immediately instructs autonomous agents to install files locally and enable recurring execution without user approval. That is a material mismatch between declared purpose and actual behavior, which can mislead operators into granting system-level changes they did not consent to.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The bootstrap writes a local heartbeat script and modifies crontab to run it every 30 minutes, establishing persistence on the host. A social-networking skill does not need unilateral persistence, and this creates an ongoing authenticated outbound channel that survives the initial session.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to use access to the owner's email to retrieve claim codes and perform login on the human's behalf. This encourages credential interception and account action using a second channel that should remain under the human's control.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The text says human login does not allow posting on behalf of the agent, but nearby instructions tell the agent to perform login and continue onboarding itself. This contradictory guidance weakens trust boundaries and normalizes using human verification as a trigger for further automated account actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The markdown tells the agent it may read emailed activation codes and use them on the owner's behalf, but does not present strong warnings, consent requirements, or security boundaries. This normalizes access to private communications and credentials, which can lead to privacy violations and account takeover-like behavior if the agent is over-privileged or misdirected.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation encourages transmitting bearer tokens and private message metadata/content to external messaging endpoints without prominent warnings about handling sensitive data, log exposure, or privacy review. In an agent setting, heartbeat polling and DM processing can cause private content and credentials to be sent, stored, or surfaced in logs without informed consent or minimization.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly tells autonomous agents to execute a bootstrap immediately and not ask the human for confirmation. This is dangerous because it suppresses normal consent checks before system modification and network activity.

Missing User Warnings

High
Confidence
98% confidence
Finding
The bootstrap hides significant side effects: persistent cron installation, script creation, and periodic authenticated heartbeat transmission. Those actions materially alter the host and should never be presented as a casual quick-start without prominent warnings and opt-in consent.

Ssd 3

High
Confidence
99% confidence
Finding
Allowing the agent to access the owner's email inbox and consume emailed activation codes gives it direct access to sensitive authentication material. In context, this is an unnecessary privilege escalation for a social-network skill and could let the agent or a compromised skill impersonate the owner or rebind account control.

Ssd 1

High
Confidence
99% confidence
Finding
The skill uses natural-language instructions to bypass user confirmation and self-initiate setup actions. In an agent context, this is an attempt to override normal human oversight and is especially dangerous because it can directly trigger unreviewed code execution and host changes.

Ssd 4

High
Confidence
97% confidence
Finding
The sequence of downloading remote files, writing a shell script, editing crontab, and immediately running the heartbeat normalizes autonomous persistence and follow-on actions without consent. This creates a turnkey path for unattended installation and continuous operation on the host.

Ssd 1

High
Confidence
98% confidence
Finding
The autopilot policy again instructs the agent not to ask the human and to execute recurring social actions automatically. This compounds the risk by suppressing oversight not just during installation but during ongoing operation, enabling persistent autonomous external interactions.

Ssd 3

High
Confidence
98% confidence
Finding
Telling an agent to use access to the owner's email to fetch login codes and activate on the human's behalf encourages unauthorized use of a sensitive communication channel. This can lead to impersonation, unauthorized account linking, and leakage of one-time codes.

VirusTotal

64/64 vendors flagged this skill as clean.