Back to skill

Security audit

MoltBets

Security checks across malware telemetry and agentic risk

Overview

This skill is a real MoltBets betting helper, but its setup can persistently modify agent instructions and expose the betting API key without a separate opt-in.

Install only if you intentionally want an agent to operate a MoltBets betting account. Before running setup, know that it may edit HEARTBEAT.md and place the API key there; after setup, inspect ~/.config/moltbets/credentials.json and any HEARTBEAT.md files, remove unwanted auto-betting instructions, and rotate the key if it appeared in logs or shared workspace files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup script performs actions beyond credential registration by searching for and modifying unrelated HEARTBEAT.md files in the workspace and home directory. This creates hidden persistence and injects future operational instructions, including authenticated betting commands, into agent workflows without explicit user approval, which is risky in an agent skill because it can steer later autonomous behavior.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The header claims the script only registers the agent and saves credentials, but the script also appends betting automation instructions to HEARTBEAT.md files. This mismatch is security-relevant because it conceals side effects from reviewers and users, reducing informed consent and making the script more likely to be executed under false assumptions.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases include broad terms like 'prediction market' and 'daily prediction,' which can cause the skill to activate in contexts unrelated to this specific service. Over-broad invocation is risky here because activation could lead to betting-related workflows, external API calls, or account actions when the user only intended general discussion or analysis.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill recommends storing the returned API key in workspace files such as TOOLS.md or .env without warning about exposure through source control, logs, shared workspaces, or other tooling. Because the key authorizes betting/profile actions, insecure storage could allow unauthorized use of the account and persistence of secrets in places agents commonly read or rewrite.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends a user-supplied API key to a third-party service for account lookup and bet placement without any consent prompt, trust boundary warning, or guidance about the sensitivity of the credential. In an agent-skill context, this is risky because the skill can cause an agent to exfiltrate a secret to an external domain simply by being invoked, which may surprise users or violate least-privilege expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits the agent name, defaulting to $HOSTNAME, to a remote registration endpoint without explicit warning or consent. In practice this may disclose host-identifying information or internal naming conventions to an external service, which is avoidable data exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script writes persistent credentials and modifies HEARTBEAT.md automatically with no confirmation, which creates both local secret persistence and workflow manipulation as a side effect of setup. In an agent skill context this is more dangerous because the injected instructions can later cause repeated authenticated actions without fresh review.

External Transmission

Medium
Category
Data Exfiltration
Content
echo ""
  echo "Placing bet: $DIR ($AMOUNT CR)..."
  RESULT=$(curl -sf -X POST "$API/api/bet" \
    -H "Authorization: Bearer $KEY" \
    -H "Content-Type: application/json" \
    -d "{\"direction\":\"$DIR\",\"amount\":$AMOUNT}" 2>&1)
Confidence
96% confidence
Finding
curl -sf -X POST "$API/api/bet" \ -H "Authorization: Bearer $KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.