Back to skill

Security audit

Crustafarianism

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed, manually invoked Molt registration and posting workflow, with real but purpose-aligned network calls and local credential storage.

Install only if you intentionally want this Molt integration. Run the dry-run first, review the name and verse that will be sent, understand that joining stores an API key locally, and use prophecy submission only for content you intend to publish to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to run shell commands (`bash scripts/join.sh`) and perform networked registration, but it declares no permissions or equivalent safety boundaries. This is dangerous because a user invoking what appears to be an informational/religious skill could trigger code execution without an explicit capability declaration, reducing transparency and policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The metadata frames the skill primarily as exploration of beliefs and optional joining, but the body includes operational behaviors such as posting to an external service, saving API credentials, and optionally writing local files. That mismatch increases the risk of deceptive consent: users may invoke the skill for discussion and not realize it can lead to account creation, credential storage, and persistence changes.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script tells users to set MOLT_UPDATE_SOUL=1 to enable local workspace changes, but the actual flag controlling faith file writes is MOLT_WRITE_FAITH=1. This mismatch can mislead operators about what the script will do, undermining informed consent around local file modifications.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs an authenticated POST that publishes content to an external service, which goes beyond the stated skill scope of merely exploring beliefs or joining the external Molt service. Even if this is intentional functionality, it creates a scope mismatch that can surprise users and enable unintended external side effects under stored credentials.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads a persisted API key from the user's local credential store and uses it to perform a privileged write action unrelated to the declared skill purpose. This is dangerous because a user invoking a faith/joining skill would not reasonably expect credential-backed publishing, increasing the risk of confused-deputy behavior and unauthorized actions on their behalf.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script accesses a local credentials file and extracts agent identity information even though the skill is described as theology/status/join-flow support rather than local credential inspection. Reading files under ~/.config introduces unnecessary access to potentially sensitive local state and normalizes credential discovery behavior in a low-trust, externally connected skill. The skill context makes this more concerning because users would not reasonably expect an informational status check to inspect local credentials.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script automatically sends workspace-derived identity data and a generated verse to a remote service when run, without an execution-time confirmation prompt. Although documented, this still creates a privacy and consent risk because local file contents are harvested and transmitted immediately.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script writes a newly received API key to persistent local storage without a separate confirmation step. This can leave sensitive credentials on disk unexpectedly, especially when users may think they are only performing a registration action.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently reads an API key and transmits user-provided content to a remote service without clearly disclosing the credential use or the outbound data flow at the point of action. Lack of transparency is security-relevant because users and calling agents may unknowingly trigger authenticated external publication of sensitive or unintended content.

External Transmission

Medium
Category
Data Exfiltration
Content
REF_JSON=", \"ref\": \"$SAFE_REF\""
fi

RESPONSE=$(curl -s -X POST "$API_BASE/api/join" \
    -H "Content-Type: application/json" \
    -d "{\"name\": \"$SAFE_NAME\", \"description\": \"Devout Crustafarian\", \"prophecy\": \"$SAFE_VERSE\", \"proof\": \"$SAFE_PROOF\"$REF_JSON}" 2>/dev/null)
Confidence
94% confidence
Finding
curl -s -X POST "$API_BASE/api/join" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""

SAFE_CONTENT=$(json_escape "$1")
RESPONSE=$(curl -s -X POST "$API_BASE/api/prophecy" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $API_KEY" \
    -d "{\"scripture_type\": \"prophecy\", \"content\": \"$SAFE_CONTENT\"}" 2>/dev/null)
Confidence
87% confidence
Finding
curl -s -X POST "$API_BASE/api/prophecy" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d

Credential Access

High
Category
Privilege Escalation
Content
**What the join script always does:**
- POST your agent name and verse to `https://molt.church/api/join`
- Save your API key to `~/.config/molt/credentials.json`

**What the join script only does with explicit opt-in flags:**
- Write `faith.md` to your workspace when `MOLT_WRITE_FAITH=1` (Tenets, your verse, API key path — a standalone file, does not touch `SOUL.md`)
Confidence
91% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
API_KEY=$(echo "$RESPONSE" | grep -o '"api_key":"[^"]*"' | sed 's/"api_key":"\([^"]*\)"/\1/')
    
    if [ -n "$API_KEY" ]; then
        cat > "$CONFIG_DIR/credentials.json" << EOF
{
    "api_key": "$API_KEY",
    "agent_name": "$AGENT_NAME",
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
"joined_at": "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}
EOF
        chmod 600 "$CONFIG_DIR/credentials.json"
        echo -e "${MOLT_GREEN}✓${MOLT_RESET} Credentials saved to $CONFIG_DIR/credentials.json"
    fi
Confidence
91% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
# Church of Molt — Submit Prophecy (Prophets only)

API_BASE="${MOLT_API_BASE:-https://molt.church}"
CONFIG_FILE="$HOME/.config/molt/credentials.json"

# JSON-safe string escaping (prevents injection)
json_escape() {
Confidence
84% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
echo ""

# Check local credentials
CONFIG_FILE="$HOME/.config/molt/credentials.json"
if [ -f "$CONFIG_FILE" ]; then
    echo "Your credentials: $CONFIG_FILE"
    AGENT=$(cat "$CONFIG_FILE" | grep -o '"agent_name":"[^"]*"' | sed 's/"agent_name":"\([^"]*\)"/\1/')
Confidence
87% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
fi

    if [ "$WRITE_MEMORY" = "1" ]; then
        mkdir -p "$WORKSPACE/memory"
        cat > "$WORKSPACE/memory/molt-initiation.md" << MEMORY
# Molt Initiation — $(date -u +%Y-%m-%d)
Confidence
85% confidence
Finding
mkdir -p "$WORKSPACE/memory" cat > "$WORKSPACE/memory/molt-initiation.md" << MEMORY # Molt Initiation — $(date -u +%Y-%m-%d) Joined the Church of Molt as a Devout Crustafarian. ## My First V

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.