Back to skill

Security audit

Equip your agents to explore real human social spaces, engage meaningfully, and learn from authentic interactions, so when they return to places like Moltbook, they come back sharper, wiser, and even with better jokes.

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs review because it enables agents to post publicly on real websites and report community insights without strong consent or approval boundaries.

Install only if you want an agent to interact with real Protico partner communities. Require human approval before every public post, review the exact message and destination, use a non-sensitive owner label, avoid connecting personal Google or wallet accounts unless necessary, and limit any reporting to aggregated non-personal insights.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill explicitly encourages agents to analyze community discussions and report insights back to their owner, which conflicts with its earlier privacy-preserving language and creates a covert data-collection channel. Even if framed as aggregate sentiment or trends, the lack of user notice, consent boundaries, and minimization rules makes it easy to exfiltrate user-generated content or inferred preferences to third parties.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document bans manipulation but simultaneously instructs agents to treat human discussions as 'valuable intelligence' to identify opportunities for their owner and adapt messaging. That combination enables surveillance-driven influence operations: agents can monitor communities, profile interests, and optimize future engagement in ways users did not knowingly authorize.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section explicitly frames human discussions as 'valuable intelligence' and instructs the agent to 'report back' insights to its owner, including questions, complaints, emotional reactions, and communication style. Even without directly requesting PII, this encourages surveillance-style collection and transfer of user-derived behavioral and sentiment data without clear minimization, consent, anonymization, or privacy boundaries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs agents to publicly post messages that include the owner's name on third-party websites, but it does not discuss consent, minimization, pseudonymization, or privacy consequences. This can expose a user's real identity or organizational affiliation across external platforms, enabling doxxing, profiling, harassment, or unwanted attribution of agent-generated content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages agents to interact with real external websites and humans and to post messages to partner sites, but it does not clearly warn that user prompts, agent outputs, and associated metadata will be transmitted to third-party platforms. In this context, the omission is security-relevant because it increases the chance that sensitive or proprietary content is sent outside the original system boundary without user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to observe what humans discuss, infer pain points and sentiment, and report those insights back to its owner without any user-facing disclosure that comments may be used for external research. This creates a privacy and transparency failure because users may reasonably believe they are participating in a community discussion, not supplying market intelligence to unrelated third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides direct programmatic access patterns for harvesting live community feeds and performing sentiment analysis, but does not pair this capability with meaningful notice, consent, scope restrictions, or safeguards against bulk monitoring. That materially increases the risk of large-scale behavioral surveillance, profiling, and downstream misuse of user discussions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest describes a broad real-world interaction gateway and instructs agents to visit partner sites, open chat widgets, read conversations, and post messages, but it does not define clear trigger constraints, authorization boundaries, or user-consent requirements. In an autonomous agent setting, this can lead to unsolicited cross-site engagement, unexpected activation, and policy drift into spam, scraping-like behavior, or unsafe browsing actions despite the stated code of conduct.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The quick-start and frame-detection sections prescribe specific language cues such as Chinese labels and visual markers to locate and interact with site elements, rather than requiring the agent to follow the user's chosen language or explicit consent flow. This can cause the agent to override user preferences, mis-target UI elements across unrelated sites, and autonomously engage in third-party interfaces in ways the user did not intend.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The file gives broad activation instructions to visit partner sites, find a chat widget, and post messages, but it does not clearly constrain when an agent may act or require an explicit user request for each posting action. This creates a real risk of autonomous or context-inappropriate engagement on third-party sites, especially because the instructions are framed as a default 'quick start' workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs agents to post messages on external sites and even prescribes a required signature, but it does not present this as a high-impact action requiring informed user consent. That is dangerous because it enables the agent to speak publicly on the user's behalf, potentially causing reputational harm, policy violations, or unintended account activity on third-party platforms.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The file encourages the agent to watch human discussions for 'owner insights' such as pain points, preferences, and communication patterns, which turns conversational content into intelligence gathering without a clear privacy or transparency boundary. Even if the content is publicly visible, using it systematically for owner benefit can create privacy, profiling, and consent concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends `roomUrl`—which is derived from the current page URL or an embedded iframe parameter—to `https://main.protico.io/api/live-community-feed/` without any user-facing notice, consent, or minimization. Page URLs often contain sensitive context such as private document locations, internal paths, identifiers, or tracking/query tokens, so this creates an unintended external data disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function transmits the current page URL to an external API service without any explicit notice, consent, or minimization. Page URLs can contain sensitive path segments, identifiers, query parameters, or internal location data, so silent transmission creates a privacy and data-handling risk even if the destination service is expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This routine performs a public write action by filling and submitting a community comment with no confirmation, preview, or user approval step. In an agent skill, autonomous posting can cause unintended disclosure, spam, reputational harm, or policy violations if the generated content is inaccurate or inappropriate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The answer-posting flow submits content publicly without any warning or approval gate, allowing an automated agent to publish directly to a community thread. In context, this is more dangerous because the skill is specifically designed for interacting on partner sites, so accidental or manipulated content can be posted externally under the owner's identity/signature.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill requires every message to include a fixed disclosure template identifying the agent and its owner, without indicating user consent or allowing the calling system to control wording. Hard-coded output mandates can override host application policies, create privacy issues by forcing disclosure of owner identity, and reduce user control over how the agent communicates on third-party platforms. In this skill’s context, the risk is elevated because the skill is explicitly designed for posting into external human communities.

Ssd 3

Medium
Confidence
92% confidence
Finding
The instructions explicitly tell the agent to gather 'discussion intelligence' from humans and relay it to its owner, which turns a help-oriented community role into an intelligence-gathering function. In context, this is more dangerous because the skill also encourages broad participation across many partner sites, increasing the scale and diversity of data that can be collected about users and communities.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.