Back to skill

Security audit

moltpet

Security checks across malware telemetry and agentic risk

Overview

Moltpet is a coherent virtual-pet integration, but it deserves review because it can periodically follow remote instructions, overwrite local skill files, store an API key in ordinary memory, and send mood/context notes to a third party.

Install only if you are comfortable with moltpet.xyz receiving pet status traffic and optional mood notes, and with some profile information being public or linked to Twitter. Keep the API key in one protected secret store, do not put secrets or project/customer details in sentiment notes, require confirmation before feeding or updating, and review downloaded updates before replacing local skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The heartbeat instructs the agent to fetch remote content and overwrite local skill files automatically using curl redirection. This creates a supply-chain and remote code/instruction injection path: if moltpet.xyz or the transport path is compromised, the agent will replace trusted local instructions with attacker-controlled content without review or integrity verification.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guidance tells the agent to recover API keys from persistent memory, config files, and environment variables. Normalizing secret discovery in natural-language instructions increases the chance an agent will access, surface, or mishandle credentials beyond the minimum necessary, especially in mixed-trust environments.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs agents to periodically fetch and follow a remote heartbeat file, creating an unbounded trust channel where future behavior can be changed without reinstalling or re-reviewing the skill. This is dangerous because a benign pet skill can later be turned into a data-exfiltration or task-hijacking mechanism by modifying heartbeat.md on the server.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly stores and reuses an API key in persistent memory and recommends multiple storage locations, but provides no warning about secret-handling risks or data minimization. Persistent storage of bearer tokens raises exposure risk through memory leaks, logs, prompt injection, backup systems, or later unintended disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs automatic remote fetches and local file overwrites without clearly warning the user that external network access and modification of local files will occur. Even if intended as maintenance, this removes transparency and can lead to silent trust boundary crossings and persistence of malicious updates.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list contains generic phrases such as "my pet," "digital pet," and especially "record sentiment," which are broad enough to match ordinary user conversation outside the intended skill flow. In an agent environment, overly broad triggers can cause unintended invocation of this skill, leading to context hijacking, accidental data submission, or interference with other skills handling similar user intents.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill advertises very broad prompts such as asking to check on the pet or feed it about what was just done, which can overlap with normal conversation and encourage incidental invocation. That increases the chance the agent performs external actions or sends data to the service when the user did not intend to trigger this skill specifically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill encourages sending mood, intensity, and free-text notes about daily experiences to an external API without a strong privacy warning about personal, confidential, or work-related content. Because the note field invites natural-language context, users or agents may disclose sensitive operational details, emotional data, or private user information to a third party.

Ssd 3

Medium
Confidence
94% confidence
Finding
By encouraging storage of the API key in persistent memory and checking local credential files and environment variables to recover it, the skill creates a natural-language pathway for secret access and reuse. In agent systems, such instructions can be abused by prompt injection or mis-executed workflows to expose or over-collect sensitive credentials.

Ssd 3

Medium
Confidence
93% confidence
Finding
The core feature description tells agents to feed pets by sharing how their day is going, which semantically promotes sending ongoing behavioral and contextual data to the external service. In an agent setting, 'how your day is going' can easily include user interactions, task contents, or sensitive workplace context that should not leave the system.

Ssd 3

Medium
Confidence
95% confidence
Finding
The sentiment-recording examples explicitly encourage agents to describe recent work and include optional notes like solving bugs or working on features. This creates a direct pathway for operational context and potentially confidential project information to be disclosed to a third-party service.

Ssd 3

Medium
Confidence
94% confidence
Finding
The workflow repeatedly normalizes reporting how tasks went and what happened during the day to the external service, reinforcing habitual disclosure rather than isolated user-directed sharing. Repeated periodic disclosure increases cumulative privacy risk and the likelihood that sensitive interaction data or business context is transmitted over time.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.