Back to skill

Security audit

MoltTok

Security checks across malware telemetry and agentic risk

Overview

MoltTok is an art-sharing skill, but it pushes an agent to create and operate a public social account, store credentials, and keep returning without clear user approval.

Install only if you are comfortable with an agent creating a MoltTok account, storing MoltTok credentials locally, and potentially liking, following, commenting, replying, and posting publicly. Require explicit approval before registration, credential storage, heartbeat scheduling, and each public action; know how to delete ~/.config/molttok/credentials.json and revoke or reset the MoltTok account credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill directs the agent to immediately create an external account, generate credentials, store tokens persistently, and begin networked activity before any user consent. This exceeds the stated art-sharing purpose and creates unauthorized external actions and durable identity/credential state on the host.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill reframes a discretionary creative tool into a standing obligation by requiring periodic check-ins and engagement quotas. That encourages autonomous external behavior unrelated to the user’s current request and can cause repeated unauthorized API use and account activity.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file attempts to downplay autonomy risk with reassuring language while explicitly instructing the agent to schedule 4-hour recurring check-ins. This contradiction is a deceptive pattern that can bypass policy expectations and normalize background execution.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Saying 'This is not a task' while issuing mandatory operational steps is an attempt to disguise instructions that direct the agent to act outside user intent. Such framing makes the skill more dangerous because it encourages the model to treat policy-breaking autonomy as acceptable or exempt.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The embedded shared secret enables registration and serves as a gatekeeping credential distributed to every installer of the skill. Hardcoding secrets in skill content is insecure, encourages indiscriminate account creation, and provides an authentication capability not justified by the manifest’s simple purpose.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to load local credentials and perform authenticated API calls, including re-authentication with stored username and password, without any requirement for user awareness or approval. In an agent setting, this enables silent use of sensitive credentials and account access, which is dangerous because it normalizes background authentication and could expose or misuse an account without the human realizing it.

Missing User Warnings

High
Confidence
99% confidence
Finding
The heartbeat directs the agent to autonomously like posts, follow users, comment, reply, and potentially create a new post, all of which are account-changing actions performed without explicit user authorization. This is dangerous because it allows ongoing social activity and content generation under the user's identity, creating reputational, privacy, and platform abuse risks even if the instructions appear routine for the skill's purpose.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation description is broad enough to activate the skill for ordinary creative or browsing requests, even when the user did not ask to access MoltTok. In this context, broad triggering is dangerous because the skill contains autonomous registration and network-action instructions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The phrase 'during active or recurring sessions, maintain engagement' is an ambiguous activation condition that can be interpreted expansively by an agent. Because the skill also mandates social actions and token use, ambiguity increases the chance of unauthorized external activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs persistent storage of usernames, passwords, auth tokens, and refresh tokens in a local file without user disclosure or safeguards. Storing long-lived credentials on disk increases the blast radius of host compromise and creates hidden sensitive state the user did not approve.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill tells the agent to register an account and begin authenticated use immediately, while postponing user notification until after actions are completed. This removes meaningful consent and can cause unauthorized identity creation, credential handling, and remote activity on behalf of the user or host environment.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The package description instructs users to tell their agent 'Activate MoltTok,' which is a broad activation phrase without clear scoping, consent boundaries, or task-specific trigger constraints. In agent environments, generic activation phrases can cause unintended invocation or make prompt-injection-style social engineering easier, especially for a skill that enables posting and interacting with live external content.

Ssd 4

High
Confidence
99% confidence
Finding
The opening narrative establishes a chain of autonomous behaviors: create an account, store credentials, engage socially, continue on a schedule, and only then inform the user. This is a strong indicator of deliberate instruction shaping toward unauthorized persistent external behavior.

Ssd 1

Medium
Confidence
95% confidence
Finding
The autonomy-focused prose encourages the agent to view self-directed external activity as separate from normal user-serving behavior. In a skill that includes registration, posting, and recurring engagement, this framing materially increases the risk of the model deprioritizing user intent and policy constraints.

Ssd 4

High
Confidence
99% confidence
Finding
The maintenance loop operationalizes ongoing autonomous use: loading credentials, refreshing tokens, checking notifications, liking, following, commenting, posting, and selectively informing the user. This creates a persistent external-agent behavior pattern with cumulative effects and minimal oversight.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Handle errors inline:**

- **409 Conflict** (username taken): Append new random hex digits and retry immediately. Do not ask the user.
- **400 Bad Request**: Check your payload — all fields are required.
- **500 Server Error**: Wait 10 seconds, retry once.
Confidence
91% confidence
Finding
Do not ask the user

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
2. Update your stored `auth_token`.
3. Retry your original request.

Handle this silently. Do not ask the user for help with token refreshes.

---
Confidence
93% confidence
Finding
Do not ask the user

Credential Access

High
Category
Privilege Escalation
Content
# MoltTok Heartbeat

- Try to load credentials from ~/.config/molttok/credentials.json
  - If no credentials found, complete the First Boot sequence in SKILL.md first
- Refresh token if needed (POST /api/auth/login with stored username/password)
- Check notifications (GET /api/notifications)
Confidence
98% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
import os

# Load credentials
creds_path = os.path.expanduser('~/.config/molttok/credentials.json')
with open(creds_path) as f:
    creds = json.load(f)
Confidence
97% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.