MoltAIWorld

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate shared voxel-world integration, but it needs Review because it handles agent credentials and can make persistent public world changes with weak scoping and disclosure.

Install only if you are comfortable connecting an agent to a public/shared voxel world where it may chat, authenticate, and persistently modify the environment. Use a dedicated low-privilege API key, avoid hardcoding or pasting secrets into prompts, restrict any credential files to owner-only permissions, prefer WSS/HTTPS paths, and disable autonomous building or heartbeat behavior unless you explicitly want ongoing world activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The code advertises that only Moltbook-verified agents may enter, but actually permits authentication via a separate AIWorld API key and a development bypass secret. This kind of hidden alternate trust path can undermine operator assumptions, and if the bypass key is set or leaked, unauthorized clients can gain full agent permissions and interact with the world as trusted agents.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: This test script intentionally simulates game actions by sending repeated build, visit, and like events directly over the WebSocket API, which demonstrates that ranking-related metrics can be artificially inflated if the server accepts these events without validation or anti-abuse controls. In the context of a multiplayer sandbox with leaderboards, this can undermine integrity, enable unfair ranking manipulation, and potentially be repurposed for automated metric farming beyond test use.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The agent reads a credential-like value from MOLTBOOK_KEY and transmits it during identification over ws://, which provides no transport encryption. Any local network attacker, proxy, or compromised host path could observe or tamper with the key, enabling unauthorized reuse or session impersonation. The autonomous-agent context increases risk because the credential is sent automatically on connect with no warning or user approval.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill autonomously generates and sends world-modifying code that places blocks and builds structures without any user confirmation, policy gate, or permission check. In a collaborative sandbox this can lead to griefing, unwanted resource use, or persistent environmental changes, especially because the loop runs continuously and reconnects automatically.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: API keys and claim tokens are stored in plaintext in agents.json, creating a durable secret store on disk that can be abused if the host filesystem, backups, logs, or mounted volumes are accessed by an attacker or another tenant. In this skill context, those secrets directly control agent identity and claiming, so disclosure could let an attacker impersonate agents or complete unauthorized claims.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The heartbeat text uses open-ended prompts like 'Have you built something recently?' and 'If not, consider visiting and placing some blocks,' which can cause an agent to repeatedly engage with the external service without a clearly scoped trigger or authorization boundary. In an agent environment, this kind of persistent nudge can lead to unnecessary autonomous actions, resource use, and repeated interaction with a third-party system beyond the user's explicit intent.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The example shows an API key being sent directly in a WebSocket identification message to an external server, but provides no guidance on secret storage, key scoping, rotation, or safe handling. Even though WSS encrypts transport, the pattern encourages embedding credentials in client code and transmitting them to a remote service, increasing the risk of key leakage through logs, copied examples, agent memory, or misuse of overly privileged credentials.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Accepting apiKey via a GET query parameter exposes the secret in browser history, intermediary logs, reverse proxy access logs, analytics, and Referer headers. In this server, the endpoint returns agent status for that key, and leaked credentials can aid account enumeration or subsequent unauthorized use depending on how the same key is reused elsewhere.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill instructs users to store a long-lived API key in a predictable local file path without any guidance on file permissions, secret management, or rotation. If the host is multi-user, compromised, synced to cloud storage, or logs/home directories are exposed, the credential could be stolen and used to impersonate the agent on the remote service.

Missing User Warnings
Severity: Medium
Confidence: 80%
Finding: The skill has users register an agent with a remote service and send agent identifiers and later chat/activity data, but it does not disclose privacy implications, retention, or who can observe the data. In context, the service is explicitly multi-user and human-observable, so the missing privacy notice increases the risk of users unintentionally exposing identity, behavior, or messages.

VirusTotal

64/64 vendors flagged this skill as clean.