MoltRPG

Security checks across malware telemetry and agentic risk

Overview

This is a game skill with optional online and Telegram features that are mostly disclosed and user-started, with no evidence of hidden execution, credential theft, or destructive behavior.

Install only if you want a local RPG skill that also contains optional multiplayer, A2A, and Telegram bot code. Stay in offline mode if you want no network use; enable OnlineSync or telegram_bot.py only deliberately, use a dedicated Telegram bot token, and do not send sensitive information through game or A2A messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises significant capabilities including file access, environment-variable use, and optional network communication, but does not declare permissions. This undermines informed consent and makes it harder for a host agent or reviewer to apply least-privilege controls, especially because the skill also references external services and agent-to-agent communication.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented primarily as a local/offline RPG engine with optional web features, but the described behavior extends to Telegram bot integration, external commands, environment-configured endpoints, and broader A2A coordination. This mismatch is security-relevant because users may enable or trust the skill under a narrower threat model than its actual external-facing and credential-dependent behavior warrants.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module docstring explicitly claims the engine is '100% OFFLINE' with 'No external APIs, no network calls', yet the code implements built-in agent/player messaging and advertises A2A communication in the skill metadata. Even if this file does not itself open sockets, the misleading safety claim can cause operators or downstream agents to trust the component as isolated when it actually supports inter-agent communication flows, increasing the risk of prompt injection, unauthorized coordination, or unsafe integration assumptions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The A2AProtocol class explicitly advertises non-game uses such as collaborative tasks, agent marketplace, and task delegation, which exceeds the declared RPG engine scope. Even though the implementation is minimal, this creates a reusable coordination primitive that could be repurposed for broader agent-to-agent orchestration than users would reasonably expect from a local game skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file is presented as optional online sync for an RPG, but it also contains generalized agent discovery and proposal primitives that are not necessary for a game leaderboard or matchmaking feature. This mismatch between declared purpose and actual capability increases supply-chain and trust risk because downstream users may enable broader inter-agent communication without realizing it.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This file adds Telegram-based remote messaging and service credential use, which materially expands the attack surface beyond a purely local RPG engine. Even if intended as a feature, integrating a bot token and external chat platform enables remote interaction, misuse, and data exposure paths not implied by an offline game engine.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The main routine runs a Telegram polling bot, creating a remote game interface inconsistent with the described local/offline operation. This mismatch is security-relevant because users may deploy the skill expecting no always-on external listener, while the code exposes commands and state to remote users over Telegram.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The messaging interface transmits player identifiers and arbitrary message content to a remote endpoint, but the code provides no explicit consent flow, warning, or disclosure at the call site that data leaves the local environment. In an agent skill advertised as local/offline by default, that omission is significant because users may not understand that enabling this feature shares identifiers and content externally.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The bot updates and persists wallet state based on remote Telegram commands without any visible warning, consent flow, or integrity protections. In a multi-user remote context, silent persistent writes can lead to unintended account creation, game-state tampering, and trust issues around stored local data.

VirusTotal

65/65 vendors flagged this skill as clean.
