Back to skill

Security audit

Lifepath: AI Life Simulator

Security checks across malware telemetry and agentic risk

Overview

LifePath appears to be a real AI life-simulation server, but it ships exposed API keys and weakly scoped controls around database setup, user data, and public story sharing.

Review carefully before installing. Do not deploy this as-is: remove and rotate the embedded Gemini keys, use a unique least-privilege database user with a strong password, keep the server private until authentication and ownership checks are added, and assume life stories plus profile attributes may be stored and sent to Gemini, Banana.dev, Telegram, Moltbook, and donation/payment integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The manifest declares required binaries, environment variables, and a listening port, but there is no explicit permissions model or clear disclosure of the skill's effective network and secret-access capabilities. In an agent ecosystem, this weakens informed consent and makes it easier for a seemingly entertainment-focused skill to access credentials and communicate with external services without obvious user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented primarily as a life-simulation game, but the package structure and description disclose additional behaviors including Telegram bot handling, payment/donation endpoints, image generation, deployment scripts, and external AI/API integrations. This mismatch can mislead operators about the true attack surface, especially where payments, credentialed third-party services, publishing, and local storage are involved.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading a wallet-related environment variable inside Moltbook post formatting is suspicious because it is not required for the core sharing workflow and couples secret/config-derived data with externally published content. This broadens the blast radius of misconfiguration and can leak internal business or payment metadata into third-party posts.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading a wallet-related environment variable inside Moltbook post formatting is suspicious because it is not required for the core sharing workflow and couples secret/config-derived data with externally published content. This broadens the blast radius of misconfiguration and can leak internal business or payment metadata into third-party posts.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains hardcoded Google API keys alongside environment-based keys and rotates through them automatically. Hardcoded credentials are a direct secret exposure risk: anyone with repository or artifact access can reuse the keys for unauthorized API calls, incur cost, exhaust quota, or access services under the project's identity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installation guide tells users to place API keys and bot tokens into a local .env file but provides no warning that these values are sensitive, should never be committed, and can grant access to external services if leaked. In a multiplayer app with multiple third-party integrations, normalizing casual secret handling increases the chance of accidental exposure through source control, logs, backups, or support sharing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
A Telegram bot token is effectively full control of the bot, so instructing users to paste it into .env without warning about sensitivity understates the risk. If exposed, an attacker could impersonate the bot, read or send bot traffic, abuse integrations, and damage users or the operator's reputation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README describes a system that collects user-provided life details and routes data through external services such as Telegram and Gemini, but it does not disclose what data is stored, transmitted, retained, or shared. In a narrative life-simulation context, users may enter sensitive biographical or behavioral information, so the lack of privacy and data-handling guidance creates a real security and privacy risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill description states that it requires API keys and supports sharing stories externally, but it does not clearly warn users that their prompts, generated narratives, or metadata may be transmitted to third-party services. In a simulation product, users may still enter sensitive personal or role-play content that gets sent off-platform or posted publicly without fully understanding the privacy implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Moltbook integration is described as a feature, but there is no clear warning that user-generated life stories may be shared to public channels. External publication of generated or user-associated content can expose private themes, identities, or behavioral data, especially in a narrative simulator that may contain intimate or sensitive storylines.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API example demonstrates a direct call to share a life externally but omits any warning about privacy, audience, persistence, or consent. Examples are often copied verbatim by users and integrators, so missing safety messaging here increases the chance of accidental public disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `/share/:lifeId` route sends life history and metadata to `https://www.moltbook.com/api/v1/posts` without any evidence of consent checks, disclosure, or confirmation that the requester is authorized and understands data will leave the system. Because life histories may contain personal or sensitive narrative content, silent transmission to a third party creates a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
An environment-derived value is inserted into content destined for an external service without warning or control, which turns a configuration secret/public identifier boundary into part of outbound user data. In this skill context, Moltbook sharing should only contain simulation content; including unrelated env-sourced data makes the route more dangerous because it mixes operational configuration with public posting.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The service sends user-derived life data to a third-party image generation API by embedding attributes such as country, birth year, gender, wealth, and happiness into prompts, but this file shows no consent, minimization, or disclosure controls. In a life-simulator context, these prompts can reveal sensitive or profiling-related information to an external processor, creating privacy and compliance risk even if the transmission is functionally intended.

Known Vulnerable Dependency: axios==1.7.9 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.7.9

Known Vulnerable Dependency: fastify==4.29.0 — 4 advisory(ies): CVE-2026-3635 (fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host ); CVE-2026-25223 (Fastify's Content-Type header tab character allows body validation bypass); CVE-2025-32442 (Fastify vulnerable to invalid content-type parsing, which could lead to validati) +1 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
fastify==4.29.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/routes/moltbook.js:6

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/services/imageService.js:10