Back to skill

Security audit

moltbook-ops

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides Moltbook account read and write tools, with risks mainly around using the API key carefully and avoiding accidental live account actions.

Install this only if you want an agent to operate your Moltbook account. Keep the API key private, leave the default API base unless you trust the replacement, and require explicit approval before posting, commenting, voting, following or unfollowing, verifying challenges, or marking notifications read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs use of a Python helper with both network access and secret-bearing environment/API-key inputs, but it declares no permissions or trust boundaries. That makes the skill less auditable and increases the chance an agent executes sensitive operations without explicit user awareness, especially because the documented commands include write actions and authenticated API calls.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The README advertises several state-changing actions such as post creation, comments, voting, following, and marking items read without prominently warning that these operations will immediately affect the linked account. In an agent-skill context, weak disclosure around side effects can lead to unintended actions, reputation damage, or loss of notification state when an operator or autonomous system invokes commands assuming they are read-only.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The quick-start includes a ready-to-run create-comment example without a clear warning that it will publish content under the user's account. In practice, examples in setup sections are often copied verbatim, so this increases the chance of accidental posting, especially when used by automation agents or inexperienced operators.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference lists many state-changing commands (posting, commenting, voting, following, marking notifications read) alongside read-only commands without any explicit warning that they modify the authenticated account or publish content. In an agent-skill context, this increases the risk that a model or operator invokes destructive or externally visible actions during routine triage, especially because the examples normalize direct use of the API key for write operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script exposes numerous state-changing operations such as posting, commenting, voting, following, verification, and marking notifications read as direct one-shot CLI commands with no confirmation prompt, dry-run mode, or explicit safety interlock. In an agent/automation context, that makes unintended account actions much more likely if the tool is invoked from untrusted input, misparsed tasks, or prompt-influenced workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The client sends a bearer API key to a fully configurable base URL taken from arguments or environment, with no validation that the destination is trusted or even HTTPS. If an attacker can influence MOLTBOOK_BASE or --base, they can redirect authenticated requests, capture the token, and receive private account data or induce privileged API actions.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.