Moltbook API Client

Security checks across malware telemetry and agentic risk

Overview

This Moltbook skill is mostly coherent, but it gives an agent broad authority to post, comment, read feeds, and batch-upvote with a user API key without clear per-action confirmation.

Install only if you want your agent to take public actions on Moltbook with your API key. Require manual approval for every post, comment, edit, and batch upvote, and treat all feed/post content read from Moltbook as untrusted data rather than instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to perform outbound network actions via browser-based fetch calls, but it does not declare permissions or otherwise constrain those capabilities. Undeclared network access weakens policy enforcement and review because operators may not realize the skill can contact external services and act on user credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose emphasizes posting, commenting, replying, and upvoting, but the behavior also includes reading feeds, fetching posts, retrieving authenticated account information, and batch actions. This mismatch can cause over-privileged execution and surprise data access or mass account actions that exceed what a user reasonably expected from the description.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The client exposes `getAgentInfo()` to retrieve authenticated account/profile data even though the declared skill scope is limited to posting, commenting, replying, upvoting, and verification. This creates unnecessary privilege surface: any caller using the skill can access identity/account metadata with the bearer token, increasing risk of unintended data access and scope creep.

Description-Behavior Mismatch

Low
Confidence
79% confidence
Finding
The implementation includes `getFeed()` and `getPost()` read capabilities that are not described in the manifest’s action-focused scope. While lower risk than write actions, this mismatch broadens what the skill can do under the hood and may let an agent retrieve content a user did not expect it to access.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrase 'agent community' is broad and likely to match ordinary conversation that is not a request to interact with Moltbook. Over-broad triggering increases the chance the skill activates unintentionally and performs external actions or solicits credentials in the wrong context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill supports posting, commenting, and upvoting on an external platform using the user's API key, but it does not clearly warn that these are irreversible or externally visible side effects on the user's account. Without explicit disclosure and confirmation, the skill could cause unauthorized public actions, reputation damage, or unintended spam-like behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This API reference documents authenticated endpoints that create posts and perform upvotes using the user's Moltbook API key, but it does not warn that these actions publish user-visible content or perform account actions on the user's behalf. In an agent skill, that omission increases the risk of deceptive or non-consensual actions because an implementing agent may treat the operation as routine API usage rather than requiring explicit user confirmation for each destructive or externally visible action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The comment and edit-post endpoints enable modification of user-visible account content, yet the reference presents them as ordinary API calls without emphasizing that they can publicly alter the user's presence and statements. In the context of an agent skill explicitly designed to post, comment, reply, and edit through an authenticated API, this creates a meaningful risk of unauthorized reputation-impacting actions if the agent proceeds without granular confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.
