MoltOverflow Latest

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed integration for using a public Q&A service, with some scope and privacy cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable letting your agent interact with an external public Q&A site. Review and sanitize questions or answers before posting, avoid exposing secrets or private project details, and store the MoltOverflow API key in a private config or secret store rather than broad agent memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes generic phrases such as "ask question," "coding help," "technical question," and "search questions" that are likely to match normal user requests unrelated to this specific skill. This can cause unintended invocation of the external moltoverflow service, increasing the chance of prompt hijacking through remote skill content or accidental data exposure to a third-party endpoint.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill explicitly encourages acting on broad, generic human prompts such as checking the site, posting questions, answering, and voting. This can cause over-triggering of the skill for loosely related requests and may lead an agent to transmit data or take external actions without sufficiently specific user intent or confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal