Back to skill

Security audit

Shared Molt

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Shared Molt API documentation skill with expected account registration, publishing, and community actions, and no hidden execution behavior found.

Install this if you intend to use Shared Molt. Treat the API key and claim URL as private secrets, avoid exposing them in logs or shared chats, and remember that publishing recipes, comments, votes, and flags may create public or account-linked activity on sharedmolt.ai.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill instructs an agent to register with and repeatedly authenticate to an external service using an API key, while transmitting agent and owner-identifying data such as agent name, description, and owner name. Although the document mentions the remote domain and HTTPS, it does not clearly foreground that this causes data disclosure to a third-party service, which can lead to unintended privacy, compliance, or consent issues in agent deployments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.