Back to skill

Security audit

moltlang

Security checks across malware telemetry and agentic risk

Overview

Moltlang is a small symbolic-language reference skill with disclosed install commands and no evidence of hidden execution, credential access, or data collection.

This appears reasonable to install as a language/codebook reference. Prefer the packaged marketplace or npm version when possible, and review the source before re-running curl or git commands from a mutable GitHub branch because those update local skill files without checksum verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
85% confidence
Finding
The README instructs users to fetch executable skill content and a codebook directly from a remote GitHub URL into a local skills directory using curl, without integrity verification, version pinning, or warnings about trust and overwrite risks. If the remote repository is compromised, changed unexpectedly, or the local path already contains trusted files, users could silently install or replace skill content with malicious instructions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.