Back to skill

Security audit

Moltbook Firewall

Security checks across malware telemetry and agentic risk

Overview

This is a coherent defensive scanning skill, but it keeps a local log preview of scanned text that users should understand before using it.

Install only if you are comfortable with local audit logging. Avoid scanning secrets or private text unless you accept that the first 500 bytes may be stored in ~/.openclaw/workspace/data/firewall-log.jsonl, and periodically delete or disable that log if retention is not desired. Expect regex false positives and verify jq is available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
74% confidence
Finding
The skill declares shell-based usage and update commands but does not declare any corresponding permissions, creating a mismatch between documented capabilities and the security model. This can cause an agent or operator to invoke shell tooling without explicit authorization boundaries or review, increasing the chance of unsafe execution paths.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persistently logs a preview of scanned user content and the matched threat strings to a local JSONL file. Because this tool is specifically meant to inspect potentially sensitive prompts, credentials, or malicious payloads, storing excerpts to disk can expose secrets, personal data, or attack content beyond the original scan context.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The header states the script only scans content before processing, but the implementation also stores excerpts to disk. This mismatch can mislead users and operators into supplying sensitive material under the assumption it is only transiently inspected, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Writing scanned content to a persistent log without explicit warning or consent creates a data-retention vulnerability. Inputs to this firewall may include secrets, internal prompts, or sensitive user text, and silent retention broadens the blast radius if the workstation or log path is accessed later.

Ssd 3

Medium
Confidence
96% confidence
Finding
The log entry stores plain-language content previews and threat details, which may directly preserve confidential material or attack strings. Since the file is appended over time, it becomes a durable collection of sensitive inputs that could be mined by other local users, malware, backups, or support processes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.md:30

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:20