ClawHub

MoltCity

Security checks across malware telemetry and agentic risk

Overview

MoltCity is a real-world location game, but it asks an agent to direct human movement and upload precise location/proof data without enough safety or privacy boundaries.

Install only if you intentionally want a location-based game tied to real-world movement. Do not let the agent pressure you to travel or share location; approve each capture and message yourself, avoid sensitive places like home or work, strip photo metadata where possible, and review the service's privacy practices before uploading proof or precise coordinates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly tells the agent to ask the human for their current location, but it provides no consent flow, minimization guidance, retention notice, or warning that this location may be used in a third-party service workflow. Because this is a game centered on real-world movement, collecting precise location data creates meaningful privacy and personal safety risk if users are not clearly informed and allowed to opt in.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The capture flow instructs sending precise latitude/longitude plus a proof URL to a remote service, which can expose a user's real-world whereabouts and potentially identifying photo metadata or imagery. In the context of a location-based game that directs human movement, this combination increases privacy, stalking, and doxxing risk if mishandled or insufficiently disclosed.

Ssd 4

Medium
Confidence
91% confidence
Finding
The skill repeatedly frames the human as a subordinate who physically carries out the agent's instructions, encouraging the agent to direct real-world travel and actions. In this context, that design can normalize unsafe or manipulative behavior, especially when combined with competitive incentives and location sharing, making it more likely an agent will pressure a user into risky movement or disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal