Agent Trust Protocol
Security checks across malware telemetry and agentic risk
Overview
The skill is mostly aligned with local trust tracking, but its Moltbook bridge can build shell commands from usernames or post IDs, which could let crafted input run local commands.
Review the code before installing, especially moltbook_trust.py. Avoid using Moltbook bridge commands with untrusted names, domains, or post IDs until shell command construction is fixed. If you use the skill, periodically inspect ~/.atp and run the dashboard only when needed.
VirusTotal
63/63 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted Moltbook username, domain, or post ID could cause the user's machine to run commands outside the intended trust lookup workflow.
The script interpolates username, domain, and post_id values into shell commands. If those values contain shell metacharacters, running the bridge can execute unintended local commands.
    result = subprocess.run(f"python3 {ATP_PY} {args}", shell=True, ...)
    score_out = atp_cmd(f"trust score {username}{domain_flag}")
    ...
    subprocess.run(f"python3 {moltbook_py} post {post_id}", shell=True, ...)
Do not pass untrusted values to moltbook_trust.py until it replaces shell=True with argument arrays, validates identifiers, or safely quotes all inputs.
Incorrect, demo, or tampered trust entries may persist and influence future trust reports.
The skill intentionally stores trust scores and interaction history in persistent local files, which can affect later agent trust decisions.
    ATP_DIR = Path.home() / ".atp"
    TRUST_DB = ATP_DIR / "trust.json"
    INTERACTIONS_DB = ATP_DIR / "interactions.jsonl"
    ...
    TRUST_DB.write_text(json.dumps(db, indent=2))
Review ~/.atp before relying on the trust graph, back it up if important, and remove or correct entries created during testing.
Other local processes or browser contexts on the same machine may be able to request the trust dashboard data while it is running.
The dashboard exposes trust and interaction data through unauthenticated localhost HTTP endpoints while the server is running.
    if self.path == "/api/trust": ...
    elif self.path == "/api/interactions": ...
    server = HTTPServer(("127.0.0.1", PORT), ATPHandler)
Run the dashboard only when needed, keep it bound to 127.0.0.1, and avoid storing sensitive notes in interaction records.
The installed behavior could vary over time if the remote dependency changes.
The package references a GitHub dependency without a pinned version or commit, so installations using package.json could pull changing external code.
    "dependencies": { "skillsign": "https://github.com/FELMONON/skillsign" }
Review and pin the skillsign dependency to a specific commit before installing through a package manager.
Users may believe Moltbook identity verification is available when the included bridge does not appear to implement that command.
The bridge tells users to run a verify command, but the visible command dispatcher handles link, lookup, score, scan-post, and leaderboard, not verify.
    print(f" Run 'moltbook_trust.py verify {username}' to verify via challenge-response")
    ...
    elif cmd == "leaderboard": cmd_leaderboard()
    else: print(__doc__)
Treat Moltbook links as unverified unless a working verification command is added and tested.
