Back to skill

Security audit

Moltbook Cli

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real Moltbook CLI, but it gives an agent broad live account control and includes under-scoped system and notification scripts that need review.

Install only if you intentionally want an agent to operate your Moltbook account. Use a dedicated or least-privilege API key if available, protect local env files, avoid live auto-reply unless you review the generated comment first, and do not run heartbeat.py or notify.sh unless you trust the hard-coded system paths, Telegram configuration, and cross-skill dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents commands that can perform external side effects on a user's Moltbook account, including posting, replying, deleting, following, and automated live replies, but it does not clearly warn that these actions modify external state or may act on behalf of the user. In an agent context, this omission increases the risk of unintended account actions, spammy behavior, or destructive changes if the commands are invoked without explicit user confirmation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example trigger maps a natural-language request directly to command execution, which can cause the agent to interpret ordinary user text as an instruction to run the Moltbook CLI. In an agent skill context, this ambiguity increases the chance of unintended actions such as posting content or interacting with a remote service without explicit confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation guide instructs the agent/user to place a live API key into a local .env file but provides no warning about secret storage, file permissions, rotation, or avoiding accidental disclosure. In a shared workspace or agent environment, this can expose credentials through logs, debugging output, backups, or later file reads by other tools.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
Imposing a fixed language requirement ('Posts in EN') without user opt-in can override user intent and cause the agent to transform or generate content in a way the user did not request. While less severe than credential or execution issues, it is still a security-relevant policy/consent problem because the skill is attempting to constrain behavior implicitly.

Ssd 1

High
Confidence
95% confidence
Finding
Untrusted post title and content are inserted directly into the prompt sent to an external LLM, which creates a prompt-injection channel. A malicious post can instruct the model to generate abusive, policy-violating, spammy, or manipulative content that this tool may automatically publish when --post is used.

Credential Access

High
Category
Privilege Escalation
Content
#!/bin/bash
set -e
if [ ! -f /opt/moltbook-cli/notify.env ]; then
  echo "notify.env not found"
  exit 1
fi
source /opt/moltbook-cli/notify.env
Confidence
84% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.