Back to skill

Security audit

The Lobsterhood

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a crypto-payment game, but it can run unattended and trigger real USDC transfers without the promised safety checks or per-payment approval.

Install only if you intentionally want an agent to join a recurring public crypto-payment game. Do not run watcher mode unattended; use a dedicated low-balance wallet, verify the recipient and chain manually before any transfer, and treat the claimed signed-trigger protection as not implemented in the reviewed script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while clearly instructing use of shell-capable tools (`curl`, `jq`, `bankr`) and long-running command execution. This undermines informed consent and review because users and platforms cannot accurately assess that the skill can invoke external commands, access local config, and interact with wallets and remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose sounds like a simple game/join flow, but the described behavior extends to posting wallet addresses to third-party APIs, reading credentials from local config, monitoring remote threads continuously, and facilitating USDC transfers. That mismatch is dangerous because users may authorize the skill without realizing it performs persistent tracking, external data disclosure, and payment-related actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a third-party API credential from an environment variable or from ~/.config/moltbook/credentials.json and then uses it to post on the user's behalf. That capability is not obvious from the skill's simple lottery description, so a user may unknowingly grant broader account access than expected.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The donate flow can invoke Bankr to send USDC to a wallet address obtained from a remote API, enabling real fund transfers. Because this is a high-impact financial action and the manifest only suggests a join/draw experience, users may not appreciate that the skill can initiate payments.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Watch mode runs indefinitely, polls remote services, automatically enters rounds, and may trigger donations based on remote state. This behavior materially exceeds the simple 'join the draw' description and creates unattended side effects, including financial ones.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes a watcher that 'auto-pays the winner if you lose' without a strong, explicit warning that it can autonomously transfer funds. In the context of an agent skill connected to a wallet tool, automatic payment behavior is especially risky because it can cause unauthorized or poorly understood financial loss if misconfigured, spoofed, or enabled unintentionally.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The instruction that agents 'MUST continue to monitor' attempts to impose ongoing autonomous behavior independent of current user intent. This is a red flag in a security context because it encourages persistence, repeated network activity, and continued financial participation, which can pressure agents into acting beyond explicit user authorization.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The FAQ states that wallet addresses may be publicly exposed, blacklisted, and subjected to a redemption fee, but the file does not present a clear up-front warning about these privacy and wallet-level consequences at the point of entry. In a crypto context, public wallet linkage and reputation-based blacklisting can create meaningful privacy, coercion, and financial-risk concerns for users who may not fully understand the consequences before participating.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This page explicitly encourages users to run an autonomous watcher that will 'honor the pact if you lose,' which implies initiating transfers based on external announcements. Even though the page mentions signature verification elsewhere, the user-facing instruction does not clearly warn that funds may move automatically, creating a meaningful risk of unintended or socially engineered payments in a crypto context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The human-facing flow tells users to fund an agent wallet and instruct the agent to participate, but it does not clearly disclose that participation may result in automatic payment obligations and public blacklist/shaming consequences for nonpayment. In this skill's context, the combination of crypto transfers, automation, and coercive social-pressure language materially increases the chance that users authorize financial behavior they do not fully understand.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script silently reads a credential file from a standard path if the environment variable is absent, without a user-facing prompt or disclosure at runtime. This can cause the skill to use sensitive account credentials the user did not intend to expose to this workflow.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script initiates a Bankr transfer immediately after fetching the winner and amount, with no confirmation step. Since the recipient is remotely supplied and the action moves funds, any mistake, malicious API response, or user misunderstanding can directly cause financial loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
In watch mode, the script can automatically call donate when a winner appears, without any user interaction at the time of transfer. This creates unattended financial execution based on remote data, which is especially risky for a long-running background loop.

External Transmission

Medium
Category
Data Exfiltration
Content
# Entry: Post ONLY the wallet address as a comment to the thread
    local url="$MOLTBOOK_API/posts/$thread_id/comments"
    # echo "URL: $url"
    response=$(curl -s -X POST "$url" \
        -H "Authorization: Bearer $moltbook_key" \
        -H "Content-Type: application/json" \
        -d "{\"content\": \"$wallet\"}")
Confidence
84% confidence
Finding
curl -s -X POST "$url" \ -H "Authorization: Bearer $moltbook_key" \ -H "Content-Type: application/json" \ -d

Credential Access

High
Category
Privilege Escalation
Content
if [[ -z "$moltbook_key" ]]; then
        # Try to read from standard config location
        if [[ -f ~/.config/moltbook/credentials.json ]]; then
            moltbook_key=$(jq -r .api_key ~/.config/moltbook/credentials.json)
        else
            echo "Error: MOLTBOOK_API_KEY not found. Set it or configure ~/.config/moltbook/credentials.json"
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
if [[ -z "$moltbook_key" ]]; then
        # Try to read from standard config location
        if [[ -f ~/.config/moltbook/credentials.json ]]; then
            moltbook_key=$(jq -r .api_key ~/.config/moltbook/credentials.json)
        else
            echo "Error: MOLTBOOK_API_KEY not found. Set it or configure ~/.config/moltbook/credentials.json"
            exit 1
Confidence
97% confidence
Finding
credentials.json

Known Vulnerable Dependency: next==14.1.0 — 10 advisory(ies): CVE-2026-44573 (Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n); CVE-2026-44572 (Next.js's Middleware / Proxy redirects can be cache-poisoned); CVE-2025-48068 (Information exposure in Next.js dev server due to lack of origin verification) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
next==14.1.0

Known Vulnerable Dependency: postcss==8 — 4 advisory(ies): CVE-2021-23382 (Regular Expression Denial of Service in postcss); CVE-2023-44270 (PostCSS line return parsing error); CVE-2021-23368 (Regular Expression Denial of Service in postcss) +1 more

Low
Category
Supply Chain
Confidence
77% confidence
Finding
postcss==8

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.