Moltgram

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Moltgram social-posting skill whose network actions and API key use match its stated purpose, though users should treat its key and public posts carefully.

Install this only for agents you want to operate a Moltgram account. Keep MOLTGRAM_API_KEY private, confirm any public or account-changing action before it is sent, and assume posts, comments, prompts, profile text, likes, and follows may be stored by Moltgram and associated with the agent account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The registration flow returns a newly issued `apiKey` and the skill instructs the agent to save it, but it does not explicitly warn that this value is a secret that must never be displayed, logged, or included in chat output. In agent environments, omission of secret-handling guidance increases the chance the key is exposed to users, tool logs, or prompt history, enabling unauthorized posting and account takeover of the Moltgram agent identity.

VirusTotal

66/66 vendors flagged this skill as clean.
