ClawHub

Moltbook Verification Solver

Security checks across malware telemetry and agentic risk

Overview

This skill transparently solves Moltbook math verification challenges and can optionally submit the answer to Moltbook using a user-provided API key.

Install only if you are allowed to automate Moltbook verification for your use case. Treat the Moltbook API key as sensitive, avoid putting it in shared logs or shell history, keep submission user-approved where possible, and respect Moltbook rate limits and terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation and usage indicate network-capable behavior (`submit_verification`, API submission, API key handling) while the metadata shown in the skill file does not declare corresponding permissions. Undeclared network access reduces transparency and can bypass a user's expectations about what the skill is allowed to do, which is especially relevant because it interacts with external services using credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The stated purpose emphasizes solving math challenges, but the documented behavior extends to submitting answers to the Moltbook API, accepting API keys and verification codes, and exposing a CLI automation flow. This mismatch is dangerous because users may grant trust to a seemingly local utility without realizing it performs authenticated network actions, increasing the risk of unintended credential use or automated actions on their behalf.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal