Back to skill

Security audit

Moltbook Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent debate-agent skill that uses OpenAI and a small local memory file, with no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable with a Ukrainian-first, assertive debate agent that sends your messages to OpenAI and keeps a local memory.json file for adaptive behavior. Avoid entering secrets or sensitive personal information, and clear memory.json if you want to reset its accumulated interaction state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The skill hard-codes Ukrainian as the primary language and English as secondary without any user opt-in or adaptive language selection. This can override user preference, reduce accessibility, and create unsafe or misleading interactions if users do not fully understand responses or instructions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persistently writes interaction-related memory to a local JSON file without any visible consent, disclosure, retention controls, or data-minimization safeguards. Even if the stored structure appears simple, it enables silent accumulation of behavioral history that could expose user activity patterns or sensitive derived inferences if accessed by other local processes or future code paths.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This logic stores behavioral profiling notes such as 'Frequent manipulation detected' into persistent memory, creating a durable user classification without transparency or review. Persisted profiling is more sensitive than basic counters because it records inferred traits about the user, which can bias future interactions and create privacy and trust risks if disclosed or reused.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The manifest explicitly sets creator disclosure to "never", which reduces transparency and prevents users or reviewers from understanding who authored or is responsible for the autonomous skill. In this context, the risk is heightened because the agent is described as autonomous, adaptive, and using long-term memory, so suppressing authorship information makes accountability, trust assessment, and incident response more difficult.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code initializes an OpenAI client with an API key from the environment and later sends user content to an external model API, but this file provides no notice, consent, or boundary around that transfer. In a skill context, undisclosed third-party transmission of user inputs is a privacy and compliance risk, especially if users reasonably expect local-only processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill reads local file content from brain.txt and injects it into the system prompt sent to the external API. If that file contains proprietary instructions, secrets, internal policy text, or sensitive operational context, the code exfiltrates local material to a third party without any visible control or disclosure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code includes reflected memory in the system prompt via `reflectionBias`, then transmits it to the model API. Memory and reflection data can contain prior user interactions, inferred traits, or sensitive summaries, so sending them externally without disclosure, minimization, or isolation creates a significant privacy and data-leakage risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "ISC",
  "type": "commonjs",
  "dependencies": {
    "dotenv": "^17.2.3",
    "node-fetch": "^3.3.2",
    "openai": "^6.17.0"
  }
Confidence
88% confidence
Finding
"dotenv": "^17.2.3"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"type": "commonjs",
  "dependencies": {
    "dotenv": "^17.2.3",
    "node-fetch": "^3.3.2",
    "openai": "^6.17.0"
  }
}
Confidence
88% confidence
Finding
"node-fetch": "^3.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "dotenv": "^17.2.3",
    "node-fetch": "^3.3.2",
    "openai": "^6.17.0"
  }
}
Confidence
90% confidence
Finding
"openai": "^6.17.0"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.