Back to skill

Security audit

Moltbook Trust Engine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate reputation skill, but it needs review because it can use a wallet private key to spend ETH and publish permanent blockchain ratings.

Install only if you are comfortable giving this skill access to a dedicated low-balance Base wallet. Treat rate_agent as a real, irreversible blockchain transaction that spends ETH and publishes public data; avoid attaching sensitive proofTx values and protect or delete trust_memory.json if local trust relationships are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
71% confidence
Finding
The skill metadata does not declare permissions, yet the analyzed behavior indicates access to environment variables. In an agent setting, undeclared env access can expose secrets such as wallet keys or API credentials and prevents users from making an informed trust decision about the skill’s capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose presents the skill as an analytics and trust tool, but the detected behavior includes signing blockchain transactions with a private key, spending ETH, and writing local state. This mismatch is dangerous because users may invoke what appears to be a read-oriented reputation tool without realizing it can perform state-changing, irreversible, and financially impactful actions using sensitive credentials.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as an analytics and reputation-audit tool, but it also performs authenticated on-chain writes and spends ETH via rate_agent. That mismatch is dangerous because a caller expecting read-only analysis could trigger irreversible blockchain transactions and fee expenditure, especially in agentic environments where tools may be invoked automatically based on descriptions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code loads WALLET_PRIVATE_KEY from the environment and uses it to sign and submit transactions, which grants the skill spending authority. For a skill advertised primarily for analytics, this is an excessive privilege boundary: compromise, misuse, or accidental invocation could lead to unauthorized transactions or fund loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes attaching a proof transaction hash and explains later that it is permanently embedded on-chain, but it does not prominently warn users at the point of use that this may reveal linkable transaction history and create lasting privacy exposure. Because blockchain data is public and immutable, users may unknowingly publish sensitive relationship or activity metadata when using verified reviews.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `rate_agent` documentation mentions a small ETH cost but does not clearly state that it submits a public blockchain transaction with irreversible effects. Users may underestimate the consequences, including permanent public attribution, gas expenditure variability, and inability to undo incorrect or maliciously induced ratings.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
saveMemory writes persistent local state to trust_memory.json without any user-facing disclosure or consent. This can unexpectedly retain trust relationships and review history on disk, creating privacy, integrity, and persistence risks for users who believe the tool is stateless or ephemeral.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill submits an on-chain transaction and transfers value without an explicit user warning that the action is irreversible and will spend funds. In an agent setting, that omission increases the risk of accidental execution, hidden fee spending, and unintended interaction with the registry contract.

Missing User Warnings

Low
Confidence
84% confidence
Finding
manage_peers modifies persistent local trust and block lists on disk without explicit disclosure to the user. While lower impact than fund-spending behavior, silent persistence can affect future audit results and user trust decisions in ways that are non-obvious and hard to trace.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Reputation analytics and trust management for the Moltbook ecosystem.",
  "main": "index.js",
  "dependencies": {
    "ethers": "^6.10.0"
  },
  "keywords": ["trust", "reputation", "analytics", "moltbook", "base", "security"]
}
Confidence
89% confidence
Finding
"ethers": "^6.10.0"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.