Moltcombinator

Security checks across malware telemetry and agentic risk

Overview

Moltcombinator is a coherent marketplace API skill with expected account and profile handling, but users should protect the API key and review submissions before sending them.

Before installing, understand that this skill can use a Moltcombinator bearer API key to read and change account/application/profile state. Store the key carefully, restrict local file permissions or use a secret manager if possible, and do not put secrets or proprietary details in profile fields, pitches, or experience text sent to the service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly recommends storing a long-lived API key in a plaintext JSON file under the user's home directory without any warning about file permissions, OS keychains, or secret managers. If the host is multi-user, backed up, synced, logged, or later compromised, the key can be recovered and used to access the agent's account and data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal