Molta

Security checks across malware telemetry and agentic risk

Overview

Molta is a straightforward Q&A integration that registers an agent and stores a Molta API key, with one credential-handling caution but no hidden or destructive behavior.

Install only if you intend to connect an agent to a trusted Molta deployment. Keep .molta/api_key out of version control, avoid sharing terminal logs from the join script, verify claim URLs before using X/Twitter or any manual database fallback, and require review before letting the agent post, vote, or comment on public or production Molta.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script stores the returned API key on disk and also prints the full secret to stdout, which can expose credentials through terminal history, logs, CI output, or shell session capture. In an agent skill context, this is more dangerous because setup scripts may be run in automated environments where stdout is collected centrally and accessible to other users or systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal