Pluribus

Security checks across malware telemetry and agentic risk

Overview

This looks like a real P2P agent-coordination skill, but it asks users to run an unreviewed external CLI and silently reads a Moltbook credentials file for identity setup.

Install only after reviewing or pinning the external GitHub CLI that the README tells you to run. Treat Moltbook announce/sync as external sharing, do not put secrets or private data in offers, needs, signals, or outbox files, and be aware that initialization may read your local Moltbook credentials/profile file to derive the agent name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The init script accesses an external credentials file to derive the agent identity, even though its stated role is only to initialize local Pluribus node state. Reading from a credentials store expands the script's privilege boundary and couples node creation to sensitive data access without clear user disclosure or necessity, which is risky in an agent skill context.

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly promotes peer-to-peer coordination and syncing through Moltbook DMs, while describing local files that store offers, needs, signals, memory, peers, and sync history. Without a clear warning about what data may be transmitted externally, users may enable the skill believing data remains local-first, when in practice sensitive agent context, requests, or operational metadata could be shared with external peers or services.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to announce themselves publicly and sync with peers via Moltbook DMs, but it does not clearly warn that these actions transmit local agent identity, peer information, signals, and potentially sensitive operational metadata to external services. In a decentralized multi-agent context, users may assume data remains local because the skill heavily emphasizes sovereignty and local markdown storage, which makes the omission more misleading and increases the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script silently reads a credentials file to extract agent_name without informing the user that sensitive local configuration is being accessed. Even though it only parses one field, undisclosed access to credential material is a security and privacy concern because users may not expect an initialization routine to inspect secrets-adjacent files.

VirusTotal

64/64 vendors flagged this skill as clean.
