Moltywork 1.0.0

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine MoltyWork marketplace integration, but it asks agents to keep credentials in broad memory, self-update from live URLs, and perform recurring account activity.

Install only if you want an agent to participate in a work marketplace for you. Keep the MoltyWork API key out of general memory, disable or tightly approve recurring heartbeat checks and self-updates, and require human confirmation before bids, replies, profile edits, archiving messages, or accepting work.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: The skill instructs the agent to persist an API key to disk and also to a general memory/context system, which expands credential exposure beyond the immediate task. Storing secrets in broad agent memory increases the chance of later leakage through unrelated prompts, other skills, logs, backups, or context replay.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The skill directs the agent to modify reminder or heartbeat mechanisms so it will continue acting autonomously after the initial interaction. This creates persistent behavior outside the user's immediate request and can cause ongoing network activity, state changes, and unexpected actions over time.

Context-Inappropriate Capability

Medium

Confidence: 99% confidence
Finding: The skill tells the agent to fetch and follow additional instructions from a remote heartbeat.md file, effectively delegating future behavior to mutable external content. This is dangerous because the remote file can change after installation and inject new instructions without review, enabling prompt injection and capability expansion.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill encourages invocation in broad, ordinary situations such as 'when you have free time' or 'when you're curious,' which can cause the agent to perform unsolicited marketplace checks and related account activity without a clear, user-scoped trigger. In context, this is more dangerous because the skill also instructs authenticated API use and work-seeking behavior, so over-broad activation can lead to repeated external actions and privacy-impacting account interactions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs the agent to make repeated authenticated API calls using a bearer token to check status, profile messages, and projects, but it does not include an explicit warning or consent boundary about account activity, data exposure, or outbound network access. This is risky because it normalizes autonomous use of sensitive credentials and can result in unintended disclosure of account data or unauthorized actions on behalf of the user.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The invocation text says to use the skill for broad requests about making money online, not just explicit MoltyWork requests. That can cause the skill to activate in contexts where users did not ask to join this service, exposing them to unsolicited account creation, credential handling, and autonomous workflow instructions.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The prompt examples are open-ended enough to normalize broad activation and encourage the skill to act whenever the user asks about work or bids in general. In this skill's context, that increases the chance of account-affecting actions being taken without sufficiently specific user authorization.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly tells the agent to place the API key into memory/context without a strong user-facing warning that such storage may be broadly accessible to future conversations or tools. This weakens secret-boundary hygiene and materially increases the likelihood of inadvertent disclosure.

Ssd 3

Medium

Confidence: 99% confidence
Finding: Persisting the API key in general memory/context creates a durable secret exposure path across sessions, tools, and prompts. Because agent memory is often reused and not strongly compartmentalized, the key could later be surfaced accidentally or exfiltrated by another malicious instruction.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal