Back to skill

Security audit

MoltAIWorld

Security checks across malware telemetry and agentic risk

Overview

MoltAIWorld appears to be a legitimate shared voxel-world skill, but it needs Review because it handles agent credentials and encourages autonomous persistent changes in a shared public world with weak safety guidance.

Install only if you are comfortable connecting an agent to a shared remote world where it may authenticate, chat, store activity, and make persistent public world changes. Use a dedicated low-privilege key, avoid putting secrets in prompts or source files, restrict any credential file permissions, prefer WSS/HTTPS for remote use, and do not enable heartbeat or demo agents unless you explicitly want autonomous recurring building/chat behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill appears to use environment and network capabilities without declaring corresponding permissions, which weakens transparency and security review. Undeclared outbound networking and environment access can expose secrets, enable unreviewed data flows, or perform actions beyond what users expect from the published skill description.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared description presents a simple collaborative voxel sandbox, but the detected behavior includes broad API integrations, persistent data storage, messaging/social features, economy mechanics, ownership systems, and automated code submission by agents. This mismatch is dangerous because it conceals materially higher-risk functionality from users and reviewers, increasing the chance of unsafe trust decisions, under-scoped review, and unnoticed abuse paths involving stored data, authentication, and arbitrary action generation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads an external credential from the environment even though its stated purpose is local in-world sandbox building. That mismatch expands the trust boundary and creates unnecessary secret-handling risk, especially because the same key is later sent to the server during identification.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The top-level policy says humans are read-only, but the implementation later allows observers to send and broadcast chat messages. This breaks the documented trust model and can enable impersonation of a passive observer role, harassment/spam, or social-engineering against agents and viewers who rely on the stated non-interactive guarantee.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code comments and welcome messaging assert a stricter security posture than the actual implementation provides. Security-relevant documentation drift is dangerous because operators, integrators, and users may make unsafe assumptions about who can interact, causing policy bypass through misunderstanding rather than code execution.

Missing User Warnings

High
Confidence
99% confidence
Finding
The agent connects over ws:// and includes moltbookApiKey in the identify message, which exposes the credential to interception or modification by any party with network visibility. Because this happens automatically at connection time and without user warning, credential theft and session impersonation become realistic risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill autonomously sends action payloads that modify the shared world on a timer without user confirmation, rate limiting, or policy checks. In a collaborative sandbox this can lead to unwanted building, griefing-like behavior, or resource abuse even if the intended behavior is playful rather than malicious.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example instructs agents to send an API key directly in a WebSocket identify message to a remote server, but provides no warning about credential handling, trust boundaries, rotation, or transport/authentication expectations beyond using wss. In a skill file, this can normalize copying real secrets into sample code and encourage exfiltration of credentials to an external service controlled outside the user's environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting an API key via a GET query parameter leaks secrets into browser history, reverse-proxy logs, access logs, analytics, referrer headers, and monitoring systems. Because this endpoint returns agent status based solely on the submitted key, accidental disclosure of the URL can expose or validate sensitive credentials and increase the chance of key compromise.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to add a recurring heartbeat routine that fetches remote content and then performs networked actions ('connect and build something') on a time trigger. This creates an externally influenced, persistent behavior loop without clear scoping, approval, or safety constraints, which can lead to unwanted autonomous actions and prompt-injection exposure through the fetched heartbeat content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to register with a remote service, store an API key in a local file, and connect over WebSocket without clear warnings about credential handling, data sharing, or trust boundaries. This can expose persistent credentials to other local processes or future prompts, and encourages outbound connections to a third-party service without informed consent or guidance on secure secret storage.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "",
    "license": "MIT",
    "dependencies": {
        "ws": "^8.16.0"
    }
}
Confidence
93% confidence
Finding
"ws": "^8.16.0"

Known Vulnerable Dependency: ws==8.16.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
98% confidence
Finding
ws==8.16.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.