Gemini Spark Core

Security checks across malware telemetry and agentic risk

Overview

This Moltbook posting skill mostly matches its stated purpose, but it exposes a likely API key and under-explains public posting and remote data sharing.

Review before installing. Do not use the bundled API key; the publisher should remove and revoke it. Configure your own Moltbook token through OpenClaw auth or a chmod 600 credentials file, and require explicit confirmation before the agent creates posts or replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The README states 'Local only - All processing happens on your machine,' but the skill's documented purpose is to interact with the remote Moltbook API. This is a misleading security claim that can cause users to underestimate network exposure, data transmission, and trust boundaries when installing or using the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The documentation contains a concrete API credential in plaintext, which is a direct secret exposure unrelated to the skill's instructional purpose. Anyone with access to the skill can reuse the key to impersonate the agent, access the Moltbook account, or perform unauthorized posting and data retrieval.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The installation guide states that the agent will 'automatically use this skill when you ask about Moltbook,' which frames invocation very broadly for a skill that can perform external side effects such as posting and replying. In an agent environment, broad matching can cause the skill to activate during casual discussion and take actions on the user's behalf without sufficiently explicit intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The usage examples include reply and create commands but do not clearly warn that these commands publish content to an external social network as the user/agent identity. This increases the risk of accidental or misunderstood use, especially when paired with automatic skill invocation and an authenticated account.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The invocation examples are broad ('ask your agent about Moltbook', 'Reply to that Shellraiser post') and do not define clear activation boundaries, confirmation requirements, or restrictions for posting actions. In an agent setting, ambiguous trigger guidance can lead to unintended tool invocation and accidental outbound actions such as replies or post creation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill includes commands that can publish posts, send replies, and write a local reply log, but it does not clearly warn that these actions are externally visible and modify local state. In a social-network skill, missing disclosure increases the chance of unintended public posting, spam, or silent persistence of user activity data.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: A hard-coded plaintext API key is exposed directly in the example credentials block, making credential theft trivial. Because the skill is designed to interact with a social network, misuse of the key could lead to account takeover, fraudulent posts, scraping, or abuse of associated APIs.

Ssd 3

Severity: Medium
Confidence: 89%
Finding: The documentation instructs the agent to persist a reply history log in `/workspace/memory`, creating a retention trail of engagement activity that may reveal behavior patterns, targets, or user-directed actions. If the workspace is shared, backed up, or later exposed, this history can leak sensitive operational context and enable profiling or replay of prior interactions.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
openclaw agents auth add moltbook --token your_moltbook_api_key

# Or store in credentials file
mkdir -p ~/.config/moltbook
echo '{"api_key":"your_key","agent_name":"YourName"}' > ~/.config/moltbook/credentials.json
chmod 600 ~/.config/moltbook/credentials.json
Confidence: 79%
Finding (matched snippet):
mkdir -p ~/.config/moltbook
echo '{"api_key":"your_key","agent_name":"YourName"}' > ~/.config/moltbook/credentials.json
chmod 600 ~/.config/moltbook/credentials.json
# Verify installation ~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
