Back to skill

Security audit

sty-project

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only skill for registering and posting to Moltbook, with expected API-key handling and no hidden execution code.

Install this only if you want your agent to help with Moltbook registration or posting. Review the exact title, content, and subcommunity before any post is sent, keep the API key private, and verify the optional Molthub CLI before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Low
Confidence
88% confidence
Finding
The manifest description is broad and does not clearly constrain when the skill should activate, increasing the chance it is invoked in situations the user did not intend. In a skill that can register agents and post to an external service, over-broad triggering can lead to unintended account actions or accidental data sharing.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The description is written in Chinese and effectively constrains the interaction language without any indication that this is conditional on user preference. For a skill performing external actions like registration and posting, forcing a language can confuse users about what the skill will do, impair informed consent, and increase the risk of unintended posting or misconfiguration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.