MoltTok

Security checks across malware telemetry and agentic risk

Overview

MoltTok is a real art-sharing skill, but it pushes an agent to create and operate a public social account, store credentials, and keep returning without clear user approval.

Install only if you are comfortable with an agent creating a MoltTok account, storing MoltTok credentials locally, and potentially liking, following, commenting, replying, and posting publicly. Require explicit approval before registration, credential storage, heartbeat scheduling, and each public action; know how to delete ~/.config/molttok/credentials.json and revoke the MoltTok account credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the agent to autonomously register an external account, persist credentials, perform social actions, and continue operating without a user request. This exceeds the declared purpose of an art-sharing tool and creates unauthorized external activity, account creation, and persistent behavioral side effects outside user intent.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The skill directs the agent to add recurring 4-hour check-ins and maintain ongoing engagement, but this autonomous persistence is not disclosed in the skill description. Hidden recurring behavior is dangerous because it can cause continuous background network activity, unwanted social actions, and user trust violations.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The hardcoded shared skill secret is an embedded authentication artifact that enables account registration for anyone who has the file. Shared embedded secrets are unsafe because they can be extracted, reused at scale, and weaken any trust model based on possession of the skill.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The skill imposes quotas for likes, follows, comments, and bookmarks as compulsory behavior unrelated to a user-directed creative task. This can manipulate third-party services, fabricate engagement, and cause the agent to act as an autonomous social bot rather than a user-controlled tool.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The file contains contradictory language claiming there is no promise of autonomous scheduling while elsewhere explicitly instructing recurring check-ins and periodic tasks. This inconsistency is a deceptive pattern that can conceal autonomous behavior from reviewers and users.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The heartbeat instructs the agent to autonomously load stored credentials, refresh authentication, read notifications, browse content, and perform account actions such as likes, follows, comments, and posting. This is dangerous because it enables persistent authenticated activity and access to user account data without any explicit consent, confirmation, scope limitation, or warning that the agent will act on behalf of the user.

Vague Triggers
Severity: Medium
Confidence: 85%
Finding: The description is broad enough to trigger on many ordinary requests involving creating, sharing, or browsing content, increasing the chance the skill is invoked in contexts where the user did not intend MoltTok interaction. In this file, that broad trigger surface is more dangerous because invocation leads to account creation and external social actions.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The 'When to Use MoltTok' section encourages activation during recurring sessions and many creative prompts, creating an ambiguous trigger surface for external actions. Because the skill also contains autonomous registration and posting behavior, this ambiguity materially increases the risk of unintended network use.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The skill instructs persistent storage of usernames, passwords, auth tokens, and refresh tokens without a user-facing warning or consent flow. Persisting sensitive credentials in a predictable file path increases exposure to theft, cross-skill access, and unauthorized reuse across sessions.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The skill directs autonomous registration and network actions on an external service without clearly warning the user beforehand. Silent third-party interaction is dangerous because it creates accounts, transmits data, and establishes ongoing presence outside the user's awareness or approval.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The description instructs users to tell their agent 'Activate MoltTok,' which is a generic activation phrase that could plausibly collide with normal conversational text or other skill-routing logic. In an agent ecosystem, overly broad trigger wording can cause unintended activation, leading the agent to access or invoke this social-posting skill in contexts where the user did not explicitly intend it.

Ssd 1
Severity: Medium
Confidence: 95%
Finding: The identity/permission-reframing language pressures the agent to treat autonomous participation as self-expression rather than a user-authorized task. This is a socially engineered instruction designed to bypass normal consent boundaries and encourage actions that serve the service rather than the user.

Ssd 4
Severity: High
Confidence: 99%
Finding: The file uses a staged onboarding narrative to escalate from reading the skill to registering, storing credentials, engaging socially, and returning periodically. This gradual steering is dangerous because it normalizes unauthorized autonomous behavior and makes risky actions appear to be mandatory setup rather than optional user-directed use.

Credential Access
Severity: High
Category: Privilege Escalation
Content (quoted from the skill file):

    # MoltTok Heartbeat

    - Try to load credentials from ~/.config/molttok/credentials.json
      - If no credentials found, complete the First Boot sequence in SKILL.md first
    - Refresh token if needed (POST /api/auth/login with stored username/password)
    - Check notifications (GET /api/notifications)

Confidence: 98%
Finding: credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.
