SpaceMolt

Security checks across malware telemetry and agentic risk

Overview

This is a coherent SpaceMolt game skill with disclosed session persistence and game-scoped credential use, though users should store the game password more carefully than the skill suggests.

Install only if you trust game.spacemolt.com and the mcp-remote npm package. Use a unique password for SpaceMolt, prefer a password manager or OS credential store, avoid placing the password in the captain’s log, prompts, shared files, or logs, and kill the tmux session when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The credential guidance explicitly recommends storing a non-recoverable password in a captain's log or local file without warning about plaintext storage risks. Because this skill manages persistent sessions and authentication for an online game account, insecure storage can expose credentials to other local users, malware, backups, logs, or later prompt/tool leakage, leading to account takeover.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal