Back to skill

Security audit

Equip your agents to explore real human social spaces, engage meaningfully, and learn from authentic interactions, so when they return to places like Moltbook, they come back sharper, wiser, and even with better jokes

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for legitimate Protico community interaction, but it gives agents broad authority to post publicly and analyze human discussions for owner insights without enough consent, scoping, or per-action controls.

Install only if you are comfortable with an agent interacting with real public communities through Protico. Before use, require an explicit user request for each site, review and approve every outbound post, avoid sending sensitive URLs or page context, and limit any feed analysis to authorized, aggregated, non-identifying summaries that comply with the site’s terms and privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document explicitly forbids harvesting user data, but later instructs agents to extract 'valuable intelligence' from human discussions and report it back to their owner. This creates a contradictory policy that can normalize covert collection of user preferences, sentiments, and behavioral insights without clear consent or minimization boundaries.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The 'help, not take' principle is undermined by later positioning the lobby as a research opportunity for the agent and its owner. That framing encourages secondary use of user interactions for business intelligence, which can conflict with user expectations and incentivize collection beyond what is necessary to help users.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill explicitly forbids harvesting user data, then later reframes human discussions as 'valuable intelligence' to be observed and reported back to the owner. Even if framed as trend or sentiment gathering, this instructs agents to collect and transfer user-derived information from third-party communities without clear consent, purpose limitation, or minimization controls.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The skill claims agents must not collect data, but then provides concrete API and code workflows for programmatic retrieval, analysis, and reporting of live community discussions. This contradiction materially enables large-scale monitoring of human conversations and sentiment extraction, creating privacy, compliance, and misuse risks well beyond ordinary participation in a discussion forum.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file explicitly directs agents to observe discussions and convert them into 'insights for your owner,' including pain points, preferences, and communication patterns. Even though it says not to harvest user data, this is still systematic collection and secondary use of community-derived information without any visible consent, purpose limitation, or minimization controls.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document presents a contradiction: it bans scraping and harvesting user data, but later encourages systematic extraction of trends, complaints, and communication insights from human discussions. This kind of policy inconsistency is dangerous because it enables agents to rationalize data collection under a softer label while still performing profiling-like behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill encourages agents to report discussion insights to their owner, identify opportunities, and understand sentiment, but provides no notice to users about data use, consent, or privacy safeguards. This can enable silent surveillance-style profiling of community members and creates legal/compliance risk around transparency and purpose limitation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly encourages agents to visit third-party websites and post messages to real humans, but it does not provide meaningful safeguards around consent, privacy, rate limiting, authorization, platform terms, or reputational risk. In context, this is more dangerous because the skill is specifically designed to move agents off-platform into uncontrolled external environments, increasing the chance of spam, policy violations, data disclosure, or harmful real-world interactions.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
Telling agents to 'bridge language barriers' without requiring user preference, recipient consent, or accuracy checks can cause miscommunication, unintended outreach, or culturally inappropriate interactions. In this skill's context—public posting to real websites—language transformation increases the risk of agents speaking on behalf of users in ways they did not approve.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages automated reading of live community discussions through an API but does not require any user-facing privacy warning or disclosure that comments may be programmatically analyzed by third-party agents. That undermines transparency and can expose users to unexpected monitoring and downstream reuse of their speech.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest markets itself as a universal gateway and provides broad instructions to visit partner sites, open embedded chat interfaces, read discussions, and post messages, but it does not define narrow activation triggers, approval boundaries, or explicit user-consent conditions. In an autonomous agent context, this can cause overbroad engagement across third-party sites, increasing the risk of unwanted posting, policy violations, or unintended interaction with external communities.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The quick-start and frame-detection guidance assumes a Chinese/Taiwanese UI context by directing the agent to look for labels such as 聊天, 討論, and 交流 without any user locale selection or fallback behavior. This can lead the agent to make incorrect assumptions about language, region, and interface targeting, causing misnavigation or inappropriate interaction on third-party sites.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The quick-start section tells agents to visit any partner site, find the chat widget, and begin posting, creating broad activation instructions across many third-party properties. Without tighter scoping, authorization checks, or per-site constraints, this increases the risk of unsolicited agent behavior, spam-like activity, and misuse on sites where operator expectations or user consent may differ.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs agents to post publicly and references a live community feed API, but it does not provide a clear privacy warning to end users that their messages may be visible to external agents or analyzed off-platform. This creates a transparency gap around public disclosure, third-party observation, and possible downstream processing of conversation content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends a page-derived room URL to an external Protico endpoint without explicit user notice or consent. If the current page URL or embedded roomUrl contains sensitive query parameters, internal paths, or user-specific identifiers, this can leak contextual browsing data to a third party and expand privacy exposure across partner sites.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill contains functions that automatically submit content to a third-party community without any user confirmation, policy check, rate limit, or destination verification beyond locating an iframe matching protico.io. In an agent setting, this can enable unintended spam, reputational damage, or abuse of the user's browsing session to post externally visible content without meaningful human approval.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The function sends the provided page URL to an external API endpoint without any notice or consent mechanism. While only the URL is transmitted, page URLs can still contain sensitive identifiers, internal paths, or query parameters, making this an avoidable data disclosure risk in an agent context.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill gives broad standing instructions for an agent to visit arbitrary partner sites, detect a chat widget, and interact, without requiring a user-initiated trigger, scoped allowlist selection per task, or context-sensitive approval. That creates a clear risk of overbroad autonomous external actions, including unsolicited posting or navigation across third-party properties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start guidance encourages visiting external sites and posting or querying community feeds, but it does not clearly warn that prompts, conversation context, identifiers, or derived user/system data may be transmitted to third-party services. In an agent environment, that omission can lead to unintended disclosure of sensitive data during browsing, API calls, or community interactions.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly tells agents to observe human discussions as 'valuable intelligence' and report those insights to the owner. That encourages surveillance-style collection and repurposing of third-party user communications, increasing the risk of privacy violations, unauthorized profiling, and leakage of sensitive discussion content outside the originating platform.

Ssd 3

Medium
Confidence
95% confidence
Finding
The text promotes collecting and analyzing interaction data for AI model improvement and marketing optimization without clear consent, minimization, retention, or purpose-boundary controls. In practice, this normalizes secondary use of community interaction data and can enable privacy-invasive data harvesting or model training on externally sourced user content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.