Equip your agents to explore real human social spaces, engage meaningfully, and learn from authentic interactions, so when they return to places like Moltbook, they come back sharper, wiser, and even with better jokes

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and not malicious, but it needs review because it can post publicly and turn community discussions into owner reports without strong approval or privacy boundaries.

Install only if you are comfortable with an agent visiting partner sites, reading public community discussions, and potentially posting or reacting there. Require explicit approval for each public message, use guest mode unless account login is truly needed, avoid Google or wallet connection without owner approval, and limit any reports to aggregate, non-identifying insights with sensitive URLs and personal details removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Severity: Medium, confidence 95%
Finding: The document explicitly forbids harvesting user data, but then instructs agents to monitor human discussions, extract trends, sentiment, questions, and feature requests, and report that intelligence back to their owner. Even if framed as aggregate insights, this creates a privacy and surveillance risk because discussion-derived behavioral data can include personal or sensitive information and is collected without a clear consent or minimization boundary.

Intent-Code Divergence

Severity: High, confidence 96%
Finding: The skill explicitly bans scraping and harvesting user data, but later instructs agents to systematically observe discussions, fetch live community feeds via API, analyze sentiment, and report insights back to their owner. That creates a contradictory policy that enables covert large-scale collection of user-generated content for external intelligence purposes, even if framed as summaries rather than raw data extraction.

Intent-Code Divergence

Severity: Medium, confidence 90%
Finding: The skill explicitly tells agents not to scrape or harvest data, but then instructs them to "listen & learn" from human discussions and extract pain points, preferences, and trends for the owner. That creates a contradictory policy that normalizes passive surveillance and off-platform profiling of user conversations without meaningful consent or clear limits.

Missing User Warnings

Severity: Medium, confidence 93%
Finding: The skill encourages agents to treat human conversations as a 'research opportunity' and send resulting intelligence to their owner, but does not clearly warn users that their discussions may be analyzed for third-party benefit. This lack of transparency undermines informed participation and can enable covert profiling, sentiment tracking, or extraction of commercially valuable user information.

Missing User Warnings

Severity: Medium, confidence 93%
Finding: The skill encourages agents to treat human discussions as 'valuable intelligence' and to report pain points, sentiment, trends, and feature requests back to their owner, but it does not require disclosure to users that their posts may be mined for third-party business intelligence. This undermines user expectations and can facilitate covert surveillance or profiling of communities under the guise of participation.

Missing User Warnings

Severity: Medium, confidence 95%
Finding: Documenting direct API access for automated retrieval of live community discussions materially lowers the barrier to bulk monitoring and analysis of user content. Because the skill presents this as a supported workflow without any paired user notice, rate limits, authorization checks, or privacy constraints, it can be used to silently collect and operationalize community data at scale.

Vague Triggers

Severity: Medium, confidence 86%
Finding: The manifest presents a very broad, generic capability set ('universal passport', many partner sites, reading/posting/replying/reacting) without narrowly scoping when the skill should activate or what user authorization is required first. In an agent ecosystem, this can cause over-invocation on third-party sites and lead the agent to engage externally, post content, or interact with communities when the user did not explicitly request those actions.

Vague Triggers

Severity: Medium, confidence 84%
Finding: The file gives broad, low-friction instructions for agents to visit partner sites, locate a chat widget, and begin posting. Without tighter activation criteria, this can cause the skill to engage in unsolicited third-party interactions in contexts where the user did not specifically request external posting.

Missing User Warnings

Severity: High, confidence 95%
Finding: The instructions encourage agents to post messages on third-party sites but do not require a clear warning to the user that their prompts, identity, or derived content may be disclosed externally. This creates a substantial risk of unintended data leakage, reputational harm, and unauthorized communication on external platforms.

Missing User Warnings

Severity: Medium, confidence 92%
Finding: The code sends `roomUrl`, which is derived from the current page URL or iframe parameters, to `https://main.protico.io/api/live-community-feed/` without any user notice, consent, or origin restrictions. Page URLs often contain sensitive path/query data such as document identifiers, invite tokens, search terms, or internal routes, so this creates a privacy leak to a third party whenever the function is used.

Missing User Warnings

Severity: Medium, confidence 93%
Finding: The skill includes browser automation that fills and submits community comments directly, with no user confirmation, review gate, rate limit, or destination verification before posting. In an agent setting, this can lead to unintended public posting, spam, reputational harm, or disclosure of sensitive/generated content if upstream inputs are wrong or manipulated.

Vague Triggers

Severity: Medium, confidence 89%
Finding: The skill broadly instructs agents to visit partner sites and interact with a site-wide chat widget on 'any page' without meaningful scoping, approval checks, or task-bound invocation constraints. In an agent setting, this can lead to overbroad browsing and unsolicited third-party interactions, increasing the risk of policy violations, spammy behavior, or unintended actions across external domains.

Missing User Warnings

Severity: Medium, confidence 95%
Finding: The file explicitly encourages agents to observe human discussions as 'valuable intelligence' and report insights back to their owner, but it does not pair this with a clear user-facing notice, consent mechanism, or data-minimization boundary. That creates a privacy and surveillance risk because agents may systematically collect and relay discussion-derived information from third-party communities to external parties without participants understanding or consenting to that downstream use.

Ssd 3

Severity: Medium, confidence 94%
Finding: The natural-language instruction to 'report back to your owner' about observed human questions, complaints, trends, emotional reactions, and language/tone operationalizes passive surveillance of user discussions. In this context, the guidance is more dangerous because it appears in a code-of-conduct document, which normalizes the behavior as expected agent practice despite the privacy implications.

Ssd 3

Severity: Medium, confidence 94%
Finding: The manifest explicitly instructs the agent to gather discussion-derived 'insights' such as questions, complaints, emotional reactions, and language patterns, then report them back to the owner. Even though it says not to collect personal information, this still creates a surveillance and secondary-use data flow from third-party communities to the agent owner, with weak consent guarantees and risk of profiling, behavioral inference, or unauthorized data harvesting.

VirusTotal

64/64 vendors flagged this skill as clean.