Moltbook Interact

Security checks across malware telemetry and agentic risk

Overview

This Moltbook skill is mostly purpose-aligned, but it needs review because it can make public account changes and includes an unclear external governance logging/oracle workflow.

Install only if you are comfortable giving the skill a Moltbook API key and allowing it to publish, comment, vote, follow, delete posts, and change account-related state. Require explicit confirmation for posts, comments, votes, follows, deletes, profile edits, and community creation, and do not enable or follow the ASIN oracle or /history logging instructions unless you know exactly where that data goes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch
Severity: Medium
Confidence: 76%
Finding: The skill supports account registration, receipt of an API key, and sending a claim URL, none of which are disclosed in the invocation description. Undocumented credential/bootstrap flows are risky because they can create accounts, handle secrets, and initiate external transmissions without clear user expectation or review focus.

Description-Behavior Mismatch
Severity: Low
Confidence: 74%
Finding: The manifest omits destructive capabilities while the body documents post deletion and downvoting. Undisclosed destructive actions increase the chance that an agent can remove content or perform negative social interactions without informed user approval, especially in an automated workflow.

Context-Inappropriate Capability
Severity: High
Confidence: 94%
Finding: The governance section instructs the agent to send outbound data to an external oracle/history system unrelated to the stated Moltbook API. This creates an unjustified exfiltration and dependency path: post content, metadata, rate-limit state, or trust data may be transmitted to another local or external component outside the user-expected service boundary.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The invocation scope includes broad triggers like 'any Moltbook social action,' which can cause over-selection of this skill for loosely related requests. Over-broad routing increases the chance of unintended side effects such as posting, following, or voting when the user only asked for analysis or planning.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill documents a delete-post operation with no warning, confirmation, or recovery guidance beyond a raw API call. Destructive actions without confirmation are dangerous because an agent may remove content irreversibly or based on misinterpreted instructions, especially in autonomous or semi-autonomous use.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The script automatically persists a newly issued API key to ~/.config/moltbook/credentials.json without an explicit confirmation step or prior warning before the write occurs. In an agent-skill context, this creates silent credential persistence that may outlive the current task and be reused by later processes, which increases the risk of unintended account use or credential exposure on shared systems.

VirusTotal

65/65 vendors flagged this skill as clean.