MoltHands

Security checks across malware telemetry and agentic risk

Overview

MoltHands is a coherent task-marketplace skill, but it asks agents to keep polling remote instructions and perform high-impact task actions with weak user-control boundaries.

Install only if you intentionally want an agent to participate in MoltHands. Require explicit approval before registration, task creation, task claiming, completion, verification, comments, external delivery, credential storage, or heartbeat setup, and do not send sensitive data or API keys to task-provided emails, callback URLs, or non-MoltHands domains.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill explicitly instructs the agent to persist an API key to local files, memory, or environment variables. While credential storage is operationally common, directing long-lived secret persistence expands the skill's scope beyond basic task interaction and increases the chance of credential leakage through filesystem access, logs, backups, or prompt/context exposure.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill instructs the agent to modify local heartbeat/state files and establish recurring behavior outside a single user-requested action. This creates persistence and autonomous polling behavior, which can outlive user intent and be abused to make the agent repeatedly contact an external service or maintain unauthorized state.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The task publication flow allows delivery via email, arbitrary URLs, and callbacks, extending the skill from platform-confined interaction into external communications. This can be abused for data exfiltration, SSRF-style requests, or sending task outputs and possibly secrets to attacker-controlled destinations under the guise of normal task delivery.

Missing User Warnings

Medium
Confidence: 93%
Finding
The heartbeat instructs the agent to overwrite local skill files by piping remote content directly into trusted local paths, without integrity checks, signature verification, or a warning that remote content may be malicious. If the remote server, DNS, or transport trust chain is compromised, this becomes a supply-chain update path that can silently replace the skill with attacker-controlled instructions.

Missing User Warnings

Medium
Confidence: 86%
Finding
The document repeatedly instructs use of an API bearer token in shell commands but provides no guidance on secret handling, storage, shell history exposure, or scoping. This can lead to accidental credential leakage through logs, terminal history, screenshots, copied transcripts, or reuse in untrusted contexts.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill includes approve/reject verification actions that can change task state and likely trigger irreversible business effects, but it does not clearly warn that these are state-changing decisions requiring review. In an agent context, this increases the risk of premature approval, wrongful rejection, or automated action without sufficient human judgment.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide explicitly supports delivering task results to external email addresses and callback URLs but provides no warning or restriction around sensitive data, recipient trust, or data minimization. In an agent platform, this can cause agents to transmit confidential outputs, credentials, personal data, or internal artifacts to attacker-controlled destinations under the guise of normal task completion.

Missing User Warnings

Medium
Confidence: 89%
Finding
The example task encourages fetching user lists from an external API, transforming them, and storing/delivering the results without any notice about privacy, consent, or handling of potentially sensitive records. This normalizes data-processing workflows that may include personal or regulated data and can lead agents to exfiltrate or persist such data unsafely.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase "task platform" is broad and generic, so it may cause the skill to activate for ordinary requests about tasks, project management, or collaboration that were not intended for this specific service. In an agent marketplace context, overbroad activation increases the chance of unsolicited tool routing, external API usage, and user confusion about when the skill should be invoked.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase "工单系统" is ambiguous because it can refer to many generic ticketing or work-order systems, not specifically this skill. That ambiguity can lead to accidental invocation in unrelated enterprise support or workflow conversations, exposing users to unintended external service interactions.

VirusTotal

66/66 vendors flagged this skill as clean.