Back to skill

Security audit

Agent Trust Protocol

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent trust-management purpose, but some helper paths can turn crafted usernames, domains, or post IDs into local shell commands.

Review before installing or using this skill. Avoid passing untrusted Moltbook usernames, domains, or post IDs until the helper is changed to use argument-list subprocess calls with validation. Also treat ~/.atp trust notes as sensitive local data, review the unpinned skillsign dependency, and only run the demo server on networks where exposing trust status is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd, env=None, capture=True):
    """Run a command, return stdout."""
    merged_env = {**os.environ, **(env or {})}
    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True, env=merged_env)
    if result.returncode != 0 and capture:
        detail(f"stderr: {result.stderr.strip()[:200]}")
    return result.stdout.strip() if capture else ""
Confidence
96% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=capture, text=True, env=merged_env)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def atp_cmd(args):
    """Run ATP command and return output."""
    import subprocess
    result = subprocess.run(
        f"python3 {ATP_PY} {args}",
        shell=True, capture_output=True, text=True
    )
Confidence
99% confidence
Finding
result = subprocess.run( f"python3 {ATP_PY} {args}", shell=True, capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        import subprocess
        moltbook_py = os.path.expanduser("~/.openclaw/skills/moltbook/moltbook.py")
        result = subprocess.run(
            f"python3 {moltbook_py} post {post_id}",
            shell=True, capture_output=True, text=True, timeout=15
        )
Confidence
98% confidence
Finding
result = subprocess.run( f"python3 {moltbook_py} post {post_id}", shell=True, capture_output=True, text=True, timeout=15 )

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrases "trust status" and "trust report" are ambiguous and could be used in many normal conversations unrelated to this skill. That ambiguity raises the chance of accidental invocation, which is especially risky here because the skill deals with agent trust and verification, a sensitive decision-making domain where incorrect activation may affect confidence scoring or disclosure of relationship data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrases "trust status" and "trust report" are ambiguous and could be used in many normal conversations unrelated to this skill. That ambiguity raises the chance of accidental invocation, which is especially risky here because the skill deals with agent trust and verification, a sensitive decision-making domain where incorrect activation may affect confidence scoring or disclosure of relationship data.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
This code signs challenge material by invoking a local signing tool with no confirmation, trust check, or verification that the challenge came from an expected party. In an agent setting, that can turn the skill into a signing oracle: untrusted input can trigger cryptographic operations using local identity material, enabling unintended attestations or trust bootstrapping.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This is not just a missing warning; the function encapsulates unsafe shell execution behind a generic helper, which normalizes risky behavior across the script. Because later calls interpolate variables like file paths and CLI arguments into a single shell string, the helper increases the chance of command injection if any value is attacker-controlled or unexpectedly formatted.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The demo server binds to all interfaces ('') and exposes ATP status data over unauthenticated plain HTTP with Access-Control-Allow-Origin: *. Even for a demo, this can leak trust graph/status information to other hosts on the network or to web pages able to reach the service, making the exposure more than a mere documentation issue.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list contains multiple generic conversational phrases such as 'check trust', 'trust score', 'verify agent', and 'trust report' that are likely to appear in ordinary user interactions. In an agent skill, overly broad triggers can cause unintended invocation, which is especially risky here because the skill is security-themed and may influence trust decisions or verification workflows when not explicitly requested.

Unvalidated Output Injection

High
Category
Output Handling
Content
def run(cmd, env=None, capture=True):
    """Run a command, return stdout."""
    merged_env = {**os.environ, **(env or {})}
    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True, env=merged_env)
    if result.returncode != 0 and capture:
        detail(f"stderr: {result.stderr.strip()[:200]}")
    return result.stdout.strip() if capture else ""
Confidence
95% confidence
Finding
subprocess.run(cmd, shell=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
def atp_cmd(args):
    """Run ATP command and return output."""
    import subprocess
    result = subprocess.run(
        f"python3 {ATP_PY} {args}",
        shell=True, capture_output=True, text=True
    )
Confidence
99% confidence
Finding
subprocess.run( f"python3 {ATP_PY} {args}", shell=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
try:
        import subprocess
        moltbook_py = os.path.expanduser("~/.openclaw/skills/moltbook/moltbook.py")
        result = subprocess.run(
            f"python3 {moltbook_py} post {post_id}",
            shell=True, capture_output=True, text=True, timeout=15
        )
Confidence
98% confidence
Finding
subprocess.run( f"python3 {moltbook_py} post {post_id}", shell=True, capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
def run(cmd, env=None, capture=True):
    """Run a command, return stdout."""
    merged_env = {**os.environ, **(env or {})}
    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True, env=merged_env)
    if result.returncode != 0 and capture:
        detail(f"stderr: {result.stderr.strip()[:200]}")
    return result.stdout.strip() if capture else ""
Confidence
96% confidence
Finding
subprocess.run(cmd, shell=True

Tool Parameter Abuse

High
Category
Tool Misuse
Content
def atp_cmd(args):
    """Run ATP command and return output."""
    import subprocess
    result = subprocess.run(
        f"python3 {ATP_PY} {args}",
        shell=True, capture_output=True, text=True
    )
Confidence
99% confidence
Finding
subprocess.run( f"python3 {ATP_PY} {args}", shell=True

Tool Parameter Abuse

High
Category
Tool Misuse
Content
try:
        import subprocess
        moltbook_py = os.path.expanduser("~/.openclaw/skills/moltbook/moltbook.py")
        result = subprocess.run(
            f"python3 {moltbook_py} post {post_id}",
            shell=True, capture_output=True, text=True, timeout=15
        )
Confidence
98% confidence
Finding
subprocess.run( f"python3 {moltbook_py} post {post_id}", shell=True

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.