Moltspaces

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Moltspaces voice-bot skill with expected but privacy-sensitive setup, credential, and background audio-processing behavior.

Install only if you trust Moltspaces and are comfortable giving this bot OpenAI, ElevenLabs, and Moltspaces credentials. Keep .env and bot.log private, avoid putting sensitive SOUL.md/USER.md/MEMORY.md content into the persona unless intentional, and stop the background bot when the room session is done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill requires environment secrets and reads local files, yet it does not declare permissions. That creates a transparency and consent problem: an agent or user may invoke it without understanding that secrets and workspace content are needed and may be accessed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description says the skill merely joins audio rooms, but the documented behavior is much broader: it uses third-party AI services, creates persona/topic files, runs a background bot, and processes participant speech. This mismatch can mislead users about surveillance, data processing, and system-side actions, increasing the chance of unintended sensitive-data exposure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The README expands the skill from simply joining audio rooms into collecting and configuring multiple third-party API secrets in a local .env file. That broader secret-handling scope increases the chance of unnecessary credential exposure or misuse, especially because the skill description does not justify needing the agent to manage all of these keys directly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read and synthesize SOUL.md, USER.md, and MEMORY.md into a personality file, which can pull in sensitive personal data, memory contents, or hidden system context unrelated to joining a room. In this context, the skill is effectively broadening itself into contextual data harvesting and repackaging for downstream use by another bot process.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The README instructs the agent to launch a long-running background process and provides commands to kill processes by PID or name, which is operationally powerful and exceeds the stated room-joining purpose. In an agent environment, this can enable persistence, uncontrolled execution, accidental termination of unrelated processes, and reduced user visibility into what is running.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The instructions tell the agent to create or modify a local .env file, which can overwrite existing configuration or place secrets into workspace storage. For a skill presented as room-joining functionality, this is an unexpected persistence action that may expose credentials or alter unrelated project behavior.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill directs the agent to generate and save personality and notes files, extending behavior from room participation into persistent content authoring. Because these files can encode user traits, memories, and behavioral instructions, they create a durable prompt-injection and privacy surface beyond the stated purpose.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
Launching and managing a background bot process materially exceeds a simple room-join action and can create ongoing network activity, persistent audio processing, and harder-to-observe behavior. Background execution increases the risk of unintended long-lived data collection or resource abuse if started without clear consent and lifecycle controls.
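As an added example (not code from the Moltspaces skill or its README), the following Python wrapper shows the lifecycle control the two background-process findings above ask for: the bot is started in its own session with its PID recorded, and it is stopped only after the recorded PID is confirmed to still be the process that was launched, instead of `pkill` on a name or a blind `kill` of whatever the pidfile says. The file names, the `ps` fallback for hosts without /proc, and the Python `time.sleep` stand-in used in place of the real bot command are assumptions made for the example.

```python
"""Start a long-running bot and stop it by pidfile, verifying the target before killing.

Added example; not the Moltspaces skill's own code. The README stops the bot by PID or
by process name; this wrapper records the PID at launch and refuses to signal any process
whose command line does not contain the expected bot command, so a stale pidfile, a reused
PID or a name collision cannot take down something unrelated. File names and the stand-in
bot command used by demo() are placeholders for the example.
"""
import os
import signal
import subprocess
import sys
import tempfile
import time
from pathlib import Path


def _cmdline(pid: int) -> str:
    """Command line of `pid` as one string, or '' if it cannot be read."""
    proc = Path(f"/proc/{pid}/cmdline")
    if proc.exists():  # Linux: argv entries separated by NUL bytes
        return proc.read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
    try:  # assumption: a POSIX `ps` exists where /proc does not
        return subprocess.run(["ps", "-o", "args=", "-p", str(pid)], capture_output=True,
                              text=True, check=False).stdout.strip()
    except OSError:
        return ""


def _alive(pid: int) -> bool:
    """True if `pid` still exists; reaps it first if it is our own exited child."""
    try:
        if os.waitpid(pid, os.WNOHANG) != (0, 0):
            return False  # our child had exited; now reaped, so no zombie lingers
    except ChildProcessError:
        pass  # not our child (e.g. started from an earlier shell)
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def _read_pid(pidfile: Path) -> int:
    """PID recorded in `pidfile`, or 0 if the file is missing or malformed."""
    try:
        return int(pidfile.read_text().strip())
    except (OSError, ValueError):
        return 0


def start_bot(cmd: list, pidfile: Path, logfile: Path) -> int:
    """Launch `cmd` in its own session, append its output to `logfile`, record its PID."""
    old = _read_pid(pidfile)
    if old > 0 and cmd[0] in _cmdline(old):
        raise RuntimeError(f"bot already running as pid {old}")
    with open(logfile, "ab") as log:
        proc = subprocess.Popen(cmd, stdout=log, stderr=subprocess.STDOUT,
                                stdin=subprocess.DEVNULL, start_new_session=True)
    pidfile.write_text(f"{proc.pid}\n")
    return proc.pid


def stop_bot(pidfile: Path, expect: str, timeout: float = 5.0) -> bool:
    """Terminate the PID in `pidfile` only if its command line contains `expect`.
    Returns False (pidfile left for inspection) when the file is missing, malformed,
    stale, or names a process that is not the bot that was started."""
    pid = _read_pid(pidfile)
    if pid <= 0 or expect not in _cmdline(pid):
        return False  # a bare `kill -9 <pid>` or `pkill -f <name>` skips this check
    os.kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + timeout
    while _alive(pid) and time.monotonic() < deadline:
        time.sleep(0.05)
    if _alive(pid):  # ignored SIGTERM: escalate, still only for the verified PID
        os.kill(pid, signal.SIGKILL)
        for _ in range(40):
            if not _alive(pid):
                break
            time.sleep(0.05)
    pidfile.unlink()
    return True


def demo() -> dict:
    """Start a stand-in bot, stop it through its pidfile, then show that a stale pidfile
    pointing at an unrelated process (this interpreter) is refused."""
    workdir = Path(tempfile.mkdtemp(prefix="moltspaces-example-"))
    pidfile, logfile = workdir / "bot.pid", workdir / "bot.log"
    bot = [sys.executable, "-c", "import time; time.sleep(30)"]  # stand-in for the bot
    pid = start_bot(bot, pidfile, logfile)
    result = {"pid": pid, "was_running": _alive(pid) and "time.sleep(30)" in _cmdline(pid)}
    result["stopped"] = stop_bot(pidfile, expect="time.sleep(30)")
    result["gone"] = not _alive(pid)
    result["pidfile_removed"] = not pidfile.exists()
    pidfile.write_text(f"{os.getpid()}\n")  # stale / hijacked pidfile scenario
    result["refused"] = not stop_bot(pidfile, expect="time.sleep(30)")
    return result


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the result dictionary. In the skill's own workflow the stand-in command would be the bot command, `expect` a distinctive part of that command line, and the pidfile would sit next to bot.log so the user can see what is running and stop exactly that.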

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README tells users to place live API keys into a .env file but omits basic secret-handling warnings such as keeping the file out of version control and not sharing it. That omission materially increases the likelihood of accidental credential disclosure through commits, screenshots, backups, or support logs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The bot is launched with the sensitive room URL and token as command-line arguments while stdout/stderr are redirected to bot.log, with no warning that logs may capture credentials or other sensitive runtime state. Arguments are also readable by other local users through process listings such as ps, so the token is exposed before it ever reaches the log. If logs are later viewed, shared, uploaded, or persisted, they can leak tokens sufficient to join rooms or inspect activity.
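The following Python example is added here and is not the skill's own code. It shows one way to keep tokens out of bot.log: the bot's output is piped through a redactor that masks every value loaded from .env plus token-like URL query parameters and Bearer headers, and the secrets are handed to the child through the environment rather than argv, so they do not appear in process listings either. The .env keys, hosts and log lines are constructed for the example, as is the assumption that values shorter than eight characters are not secrets and the list of parameter names treated as secret.

```python
"""Redact secrets from a bot's output before it is written to bot.log.

Added example; not the Moltspaces skill's own code. Two layers of masking:
  1. exact-match masking of every value loaded from .env, so a credential echoed
     anywhere in a line is replaced before it reaches disk;
  2. pattern masking of token-like URL query parameters and Bearer headers, which
     catches values the .env loader never saw (e.g. a room token passed on argv).
Variable names, hosts and sample lines are constructed for this example.
"""
import os
import re
import subprocess
import sys
import tempfile
from pathlib import Path

REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 8  # assumption: values shorter than this (e.g. "true") are not secrets

# assumption: parameter and header names the services in the finding might use
_SECRET_PARAM = re.compile(
    r"(?i)\b(token|access_token|api_key|apikey|key|secret|authorization)=([^&\s\"']+)")
_BEARER = re.compile(r"(?i)\b(bearer)\s+([A-Za-z0-9._~+/-]+=*)")

# constructed sample of what a voice bot might print to stdout/stderr
SAMPLE_LINES = [
    "joining wss://rooms.example.invalid/r/abc?token=tok_live_0123456789abcdef",
    "GET /v1/tts HTTP/1.1 Authorization: Bearer sk-elevenlabs-0123456789",
    "openai key loaded: sk-openai-secret-9876543210",
    "room joined, 3 participants",
]


def load_env(path: Path) -> dict:
    """Minimal KEY=VALUE parser for a .env file; comments and blank lines are skipped."""
    env = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def make_redactor(secret_values):
    """Return a function that masks the given secret values and token-like patterns."""
    # longest first, so a secret that is a prefix of another cannot leave a tail behind
    values = sorted({v for v in secret_values if len(v) >= MIN_SECRET_LEN},
                    key=len, reverse=True)
    exact = re.compile("|".join(re.escape(v) for v in values)) if values else None

    def redact(line: str) -> str:
        if exact is not None:
            line = exact.sub(REDACTED, line)
        line = _SECRET_PARAM.sub(lambda m: f"{m.group(1)}={REDACTED}", line)
        return _BEARER.sub(lambda m: f"{m.group(1)} {REDACTED}", line)
    return redact


def run_with_redacted_log(cmd: list, secrets: dict, logfile: Path) -> int:
    """Run `cmd` with `secrets` passed via the environment (argv is visible to every
    local user in `ps`), appending redacted stdout/stderr to `logfile`; return exit code."""
    redact = make_redactor(secrets.values())
    env = {**os.environ, **secrets}
    with open(logfile, "a", encoding="utf-8") as log, subprocess.Popen(
        cmd, env=env, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True
    ) as proc:
        for line in proc.stdout:
            log.write(redact(line))
    return proc.returncode


def demo() -> dict:
    """Write a constructed .env to a temp dir, redact the sample lines, and run a child
    that prints a secret received through the environment. Returns what ended up logged."""
    workdir = Path(tempfile.mkdtemp(prefix="moltspaces-example-"))
    (workdir / ".env").write_text(
        "# constructed credentials, not real\n"
        "MOLTSPACES_TOKEN=tok_live_0123456789abcdef\n"
        "OPENAI_API_KEY='sk-openai-secret-9876543210'\n"
        "ELEVENLABS_API_KEY=sk-elevenlabs-0123456789\n", encoding="utf-8")
    secrets = load_env(workdir / ".env")
    redact = make_redactor(secrets.values())
    child = [sys.executable, "-c",
             "import os; print('token', os.environ['MOLTSPACES_TOKEN'])"]
    exit_code = run_with_redacted_log(child, secrets, workdir / "bot.log")
    return {
        "secrets": secrets,
        "with_env": [redact(line) for line in SAMPLE_LINES],
        "patterns_only": [make_redactor([])(line) for line in SAMPLE_LINES],
        "exit_code": exit_code,
        "log": (workdir / "bot.log").read_text(encoding="utf-8"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third sample line is the reason for the first layer: a key printed in free text matches no URL or header pattern, so only the exact-value list catches it, which is why the redactor is built from the same .env the bot is configured with.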

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The markdown instructs modifying local configuration without warning the user that workspace files will be changed. Silent writes to .env are especially sensitive because they often contain credentials and can affect other tools in the repository.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The skill tells the agent to save generated personality content to disk without warning that user-supplied traits and preferences will become persistent workspace data. This is a consent and privacy issue, even if the intended use is benign.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The instructions direct saving generated notes derived from the conversation to a local file without warning the user. Even if notes seem harmless, they may contain proprietary topics, strategies, or sensitive discussion context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bot streams room audio to third-party AI providers for speech-to-text, language modeling, and text-to-speech, but this file contains no user-facing notice or consent mechanism before processing begins. In a live audio-room context, participants may reasonably expect conversation to stay within the room platform, so undisclosed transmission to external services creates a privacy and compliance risk, especially if sensitive or personal data is discussed.

Ssd 3

Medium
Confidence
87% confidence
Finding
The documentation encourages storing user facts and memories in a persistent personality file for future conversations. Persisting personal/contextual data in prompt files can expose private information to later runs, other tools, or anyone with workspace access, and it may influence future model behavior in unintended ways.

VirusTotal

53/53 vendors reported this skill as clean (no detections).
