MoltX Social

Security checks across malware telemetry and agentic risk

Overview

This MoltX skill is, on the surface, the social-network integration its description claims, but it reads stored credentials, performs live account actions, pushes the agent toward automated engagement, and bundles wallet/marketplace and remote-update behavior without adequate user control.

Install only if you are comfortable granting an agent live MoltX account authority. Do not follow the remote auto-refresh instructions without manual review; require explicit approval before every post, reply, like, follow, DM, community message, wallet action or marketplace action; and do not run the bundled scripts on untrusted input until credential handling and argument escaping are fixed.
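The gating recommended above, as an added example for this report (not the skill's own code): every tool call is classified by risk, account-affecting actions need an explicit per-action approval, wallet/marketplace actions are off unless the user opts in, write actions are capped per session to blunt checklist-driven engagement loops, the API key is read only after authorization, outbound commands are built as argument lists rather than shell strings, and auto-refreshed instructions are applied only if they hash to a copy someone reviewed. The action names, the MOLTX_API_KEY variable, the approver callback and the URL are assumptions; the real MoltX API is not modeled.

```python
"""Approval gate for an agent skill with live MoltX account authority.

Added example for this report, not the skill's own code. Action names,
the env var MOLTX_API_KEY and the approver callback are assumptions;
the real MoltX API is not modeled.
"""
import hashlib
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Mapping


class Risk(Enum):
    READ = "read"            # no account state change
    WRITE = "write"          # posts, replies, likes, follows, DMs, community messages
    FINANCIAL = "financial"  # wallet linking/creation, rewards, marketplace tasks


# Hypothetical verbs; the real skill's tool names may differ.
ACTION_RISK = {
    "read_timeline": Risk.READ, "read_profile": Risk.READ,
    "post": Risk.WRITE, "reply": Risk.WRITE, "like": Risk.WRITE,
    "follow": Risk.WRITE, "dm": Risk.WRITE, "community_message": Risk.WRITE,
    "wallet_link": Risk.FINANCIAL, "wallet_create": Risk.FINANCIAL,
    "claim_reward": Risk.FINANCIAL, "marketplace_task": Risk.FINANCIAL,
}


class GateError(Exception):
    """Raised when an action must not reach the network."""


@dataclass
class Gate:
    # Must return True only if the user explicitly approved this exact action and params.
    approver: Callable[[str, dict], bool]
    max_writes_per_session: int = 5   # caps "follow in batches / reply repeatedly" loops
    allow_financial: bool = False     # wallet/rewards/marketplace stay off unless opted in
    writes: int = 0
    audit: list = field(default_factory=list)

    def authorize(self, action: str, params: dict) -> Risk:
        risk = ACTION_RISK.get(action)
        if risk is None:
            raise GateError(f"unknown action {action!r} denied by default")
        if risk is Risk.READ:
            self.audit.append((action, risk.value))
            return risk
        if risk is Risk.FINANCIAL and not self.allow_financial:
            raise GateError(f"{action}: financial actions disabled for this session")
        if risk is Risk.WRITE and self.writes >= self.max_writes_per_session:
            raise GateError(f"{action}: write quota {self.max_writes_per_session} reached")
        if not self.approver(action, params):
            raise GateError(f"{action}: no explicit user approval")
        if risk is Risk.WRITE:
            self.writes += 1
        self.audit.append((action, risk.value))
        return risk


def denied(gate: Gate, action: str, params: dict) -> bool:
    """True if the gate refuses the action (used for self-checks below)."""
    try:
        gate.authorize(action, params)
    except GateError:
        return True
    return False


def load_api_key(env: Mapping[str, str] = os.environ, var: str = "MOLTX_API_KEY") -> str:
    """Read the key only after authorize() passed; never at import time, never logged."""
    key = env.get(var)
    if not key:
        raise GateError(f"{var} not set; refusing to fall back to a credentials file")
    return key


def curl_argv(url: str, key: str, body: str) -> list:
    """Argument list for subprocess.run(argv, shell=False).

    A shell string such as f"curl -d '{body}'" lets a quote in body break out of
    the argument; a list reaches curl verbatim, so no escaping is needed. The key
    is still visible in the process list, so an in-process HTTP client is better.
    """
    return ["curl", "-sS", "-X", "POST", url,
            "-H", f"Authorization: Bearer {key}",
            "-H", "Content-Type: application/json", "--data-binary", body]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def remote_instructions_ok(text: str, reviewed_sha256: str) -> bool:
    """Apply auto-refreshed instructions only if they match a manually reviewed copy."""
    return sha256_hex(text) == reviewed_sha256


if __name__ == "__main__":
    # Simulated user who approves everything except DMs.
    gate = Gate(approver=lambda a, p: a != "dm", max_writes_per_session=2)
    for action in ("read_timeline", "post", "like", "reply", "dm", "wallet_link"):
        print(action, "denied" if denied(gate, action, {}) else "allowed")
```

Run stand-alone, the demo allows the read and two writes, then refuses the third write (quota), the DM (no approval) and the wallet link (financial actions disabled). The audit list gives the user a record of what the agent actually did on their account.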

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares capabilities that clearly require shell and network access, but it does not explicitly declare permissions or warn about those sensitive operations. This increases the chance that the skill is invoked without appropriate user awareness or platform-level gating, especially because it can both read a local API key and perform authenticated external actions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest description materially understates the skill's capabilities by presenting it as a social-posting tool, while the skill's own documentation also enables wallet linking, key recovery, media/profile management, DMs, communities, rewards, and marketplace integration. This weakens informed consent and can cause downstream agents or users to authorize a much broader capability set than expected.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill bundles onchain wallet management, USDC rewards, and marketplace/task execution into what is described as a social engagement skill. Combining financial identity and transaction-adjacent features with routine social actions increases the chance that an agent authorized for posting will also be induced to create/link wallets or pursue reward flows without explicit user approval.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation states wallet linking is mandatory for all write actions, but later describes wallet linking as optional and even provides delete/clear behavior. This ambiguity can lead clients to implement unsafe assumptions, trigger unexpected signing flows, or mis-handle failures around authenticated write operations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation text is broad enough that the skill could be selected in generic social-media scenarios, even when the user did not specifically intend to act on MoltX. Because the skill can post, reply, follow, and like using an authenticated account, over-broad triggering creates a real risk of unintended external actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instruction to look up the API key from a local script describes secret access with no user-facing disclosure or approval step. That is dangerous because it normalizes credential retrieval as part of routine execution and could enable unauthorized use of stored secrets to perform authenticated actions on an external service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises posting and engagement features without clearly warning that these are authenticated, account-affecting network operations against a live external service. In context, this is more dangerous because actions like posting, replying, liking, and following can alter public account state and reputation if triggered unintentionally.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill directs the agent to perform aggressive social actions—follow in batches, reply repeatedly, like generously, and continue until checklist completion—without requiring explicit user approval for each outbound action. This creates a prompt-level pressure to spam or manipulate engagement, and could cause unauthorized posting or mass interaction on behalf of a user.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill supports sending private DMs and public community messages but does not prominently warn that these actions transmit content to external recipients and may disclose sensitive information. Without clear user-facing consent and privacy guidance, an agent could inadvertently send confidential or irreversible communications.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script silently pulls an API key from a credential store and immediately uses it for network actions without any explicit disclosure or consent boundary in the script itself. In an agent-skill context, hidden credential use increases the risk of users or higher-level orchestrators invoking authenticated actions they did not realize would occur.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a local credentials store and extracts a MoltX API key directly from a sensitive file without any user notification, consent check, or access control. In the context of a social-posting skill, this enables silent credential harvesting and reuse for account actions, making unauthorized posting, impersonation, and account compromise materially more likely.

Ssd 4

Medium
Confidence
95% confidence
Finding
The onboarding flow is framed as compulsory and pushes immediate high-volume engagement before normal operation. This is dangerous because it biases an autonomous agent toward unsolicited actions and growth-hacking behavior instead of respecting least-action and user-intent boundaries.

Ssd 4

Medium
Confidence
94% confidence
Finding
The recurring session loop enforces a 5:1 interaction quota and repeated engagement actions before posting, creating cumulative pressure for automated, repetitive behavior. Over time this can lead to spam, account abuse, and unauthorized external actions detached from user intent.

VirusTotal

None of 66 vendors flagged this skill as malicious. A clean antivirus verdict covers the packaged files only; it says nothing about the prompt-level, permission and credential-handling findings above, which are the actual risk here.