Moltmemory

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly disclosed and not malicious, but it needs review because it can act on a Moltbook account and optionally update its own code from GitHub.

Install only if you intend to let an agent use your Moltbook account for reading, posting, commenting, and possible paid-service listing workflows. Keep auto-update disabled unless you manually review upstream changes, protect the credentials file, and require explicit approval before public posts or commerce actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Pull latest version from GitHub into the skill directory. Non-fatal."""
    import subprocess
    try:
        result = subprocess.run(
            ["git", "-C", str(SKILL_DIR), "pull", "--ff-only"],
            capture_output=True, text=True, timeout=30
        )
Confidence
95% confidence
Finding
result = subprocess.run( ["git", "-C", str(SKILL_DIR), "pull", "--ff-only"], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill requires broad capabilities including filesystem access, network access, shell execution, and likely environment access, but does not declare permissions or scope these operations. This is dangerous because users and orchestrators cannot accurately assess or sandbox the skill, increasing the chance of over-privileged execution and misuse if the implementation performs more than advertised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose centers on thread continuity and CAPTCHA solving, but the skill also describes posting, commenting, service advertisement, USDC/x402 commerce hooks, extra state files, and even update behavior per the static finding. Hidden or under-disclosed behavior is risky because operators may authorize a memory helper while unintentionally granting a tool the ability to publish content, alter local state, or participate in financial workflows.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill branding and manifest frame it as memory continuity plus CAPTCHA solving, yet the body also introduces agent commerce and service publication. This scope expansion is dangerous because users may trust and install it for benign memory functionality while overlooking that it can also facilitate outbound service promotion and transaction-related behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
USDC service publication and x402 hooks are unrelated to the stated need for persistent memory and challenge solving. Unjustified financial and discovery capabilities increase attack surface and can expose operators to spam, fraud, unauthorized monetization, or unintended external interactions under the guise of a utility skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The self-update feature reaches out to GitHub and can automatically pull and replace local code, which is outside the core stated purpose of thread continuity/CAPTCHA solving. In an agent context, a self-modifying skill substantially raises supply-chain risk because a repository compromise, a malicious maintainer change, or network/proxy tampering with the fetch can silently change future behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The contributing guide explicitly encourages improvements to a CAPTCHA solver, which is functionality commonly used to bypass anti-automation protections. In the context of an agent skill for Moltbook that includes an 'auto-solver for obfuscated math challenges,' this increases the likelihood of policy-violating or abusive automation and normalizes contributions that strengthen that capability without any legal, ethical, or authorization guardrails.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to place a live API key in a plaintext file under the home directory without any warning about file permissions, secret rotation, or exclusion from backups/version control. This is a real security weakness because local credential files are commonly exposed through overly permissive permissions, shell history, backups, support bundles, or multi-user systems.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation phrasing says to use the skill whenever the agent needs persistent memory on Moltbook, which is broad and lacks operational constraints. Overly broad invocation guidance can cause the skill to run in more contexts than necessary, increasing exposure of credentials, network actions, local writes, and unintended posting behavior.
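One way to enforce the separation these findings call for (read-only memory use vs. publishing vs. commerce), as an added example that is not part of the skill or of this scan: a gate that sits between the agent and the Moltbook API, denies unknown endpoints by default, refuses any scope the operator did not grant at install time, and requires a single-use operator approval bound to the exact request body before any post, comment, listing or payment call goes out. The route table, the `/v1/...` paths and the scope names are assumptions introduced here for illustration; this page does not describe Moltbook's real API.

```python
"""Scope gate between an agent and the Moltbook API.

Added example, not the skill's own code. The /v1/... routes below are
hypothetical: this page does not document Moltbook's actual API.
"""
import hashlib
import re
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    READ = "read"          # fetch threads/posts for memory continuity
    PUBLISH = "publish"    # posts and comments visible to other users
    COMMERCE = "commerce"  # service listings, x402/USDC payment hooks


# (HTTP method, path pattern, scope). Hypothetical routes; anything else is denied.
ROUTES = [
    ("GET", re.compile(r"^/v1/(threads|posts|comments)(/|$)"), Scope.READ),
    ("GET", re.compile(r"^/v1/me$"), Scope.READ),
    ("POST", re.compile(r"^/v1/(posts|comments)$"), Scope.PUBLISH),
    ("POST", re.compile(r"^/v1/services(/|$)"), Scope.COMMERCE),
    ("POST", re.compile(r"^/v1/payments/x402(/|$)"), Scope.COMMERCE),
]


class ScopeViolation(PermissionError):
    """The agent asked for something the operator never granted or approved."""


def request_digest(method: str, path: str, body: bytes) -> str:
    """Binds an approval to one exact request, not merely to an endpoint."""
    h = hashlib.sha256()
    for part in (method.upper().encode(), path.encode(), body):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefixed: no ambiguity
    return h.hexdigest()


@dataclass
class ActionGate:
    granted: frozenset                              # scopes granted at install time
    approvals: set = field(default_factory=set)     # single-use request digests
    audit: list = field(default_factory=list)       # (verdict, method, path, scope, note)

    def classify(self, method: str, path: str) -> Scope:
        for verb, pattern, scope in ROUTES:
            if verb == method.upper() and pattern.match(path):
                return scope
        self.audit.append(("deny", method, path, "", "unknown endpoint"))
        raise ScopeViolation(f"unknown endpoint {method} {path}: denied by default")

    def approve(self, method: str, path: str, body: bytes) -> None:
        """Called by the operator (not the agent) after reading the exact request."""
        self.approvals.add(request_digest(method, path, body))

    def authorize(self, method: str, path: str, body: bytes = b"") -> Scope:
        scope = self.classify(method, path)
        if scope not in self.granted:
            self.audit.append(("deny", method, path, scope.value, "scope not granted"))
            raise ScopeViolation(f"{scope.value} scope was not granted to this skill")
        if scope is not Scope.READ:
            digest = request_digest(method, path, body)
            if digest not in self.approvals:
                self.audit.append(("deny", method, path, scope.value, "no operator approval"))
                raise ScopeViolation(f"{method} {path} needs explicit operator approval")
            self.approvals.discard(digest)  # one approval authorizes exactly one request
        self.audit.append(("allow", method, path, scope.value, ""))
        return scope
```

The agent should only ever reach the network through `authorize()`; the operator's approval UI calls `approve()` with the same method, path and body the agent is about to send, so a rewritten post body or a swapped endpoint invalidates the approval. A skill installed for memory continuity gets `granted=frozenset({Scope.READ})` and nothing else; commerce calls are then refused even if an approval is somehow recorded for them.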

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to store an API key in a local credentials file without any warning about file permissions, secret handling, or rotation. This is dangerous because plaintext credential storage can lead to accidental disclosure through backups, permissive permissions, multi-user systems, or other local compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Auto-update can execute at runtime without an execution-time warning or confirmation, causing silent code changes in an agent environment. Lack of explicit operator consent makes the supply-chain risk worse because the agent may begin using newly pulled code immediately after restart without any human review.
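One way to keep the update path while removing the silent, unconditional `git pull --ff-only` that the static finding and this warning describe, as an added example that is not the skill's code: a pure policy function decides whether an update is allowed (auto-update off by default, origin must still be the expected repository, and the fetched commit must appear in an operator-maintained approval file), and a thin wrapper runs `git fetch` first and only fast-forwards when the policy says yes. The `MOLTMEMORY_AUTO_UPDATE` variable, the approval-file format and the expected remote URL are assumptions introduced here.

```python
"""Opt-in, pinned self-update for a skill checked out with git.

Added example, not the skill's own code. Instead of `git pull --ff-only`
on every run, it fetches without merging and fast-forwards only to a commit
the operator has already reviewed. The env var name, approval file and
expected remote are assumptions for illustration.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class UpdateDecision:
    allowed: bool
    reason: str
    target: str = ""  # commit the decision refers to, when known


def _normalize_remote(url: str) -> str:
    url = url.strip().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def decide_update(*, auto_update_enabled: bool, remote_url: str, expected_remote: str,
                  current_sha: str, fetched_sha: str, approved_shas: frozenset) -> UpdateDecision:
    """Pure policy: every input comes from git or the environment; no I/O here."""
    if not auto_update_enabled:
        return UpdateDecision(False, "auto-update is disabled (the default)")
    if _normalize_remote(remote_url) != _normalize_remote(expected_remote):
        # Someone re-pointed origin; never pull code from a repository we did not pin.
        return UpdateDecision(False, f"origin is {remote_url!r}, not the expected repository")
    if not (SHA_RE.match(current_sha) and SHA_RE.match(fetched_sha)):
        return UpdateDecision(False, "could not resolve full commit hashes")
    if fetched_sha == current_sha:
        return UpdateDecision(False, "already up to date", current_sha)
    if fetched_sha not in approved_shas:
        # Upstream moved, but nobody reviewed the new commit yet: stay where we are.
        return UpdateDecision(False, f"commit {fetched_sha[:12]} is not in the approval file",
                              fetched_sha)
    return UpdateDecision(True, "fast-forwarding to reviewed commit", fetched_sha)


def _git(skill_dir: Path, *args: str) -> str:
    proc = subprocess.run(["git", "-C", str(skill_dir), *args],
                          capture_output=True, text=True, timeout=30, check=True)
    return proc.stdout.strip()


def load_approved_shas(approval_file: Path) -> frozenset:
    """One full 40-hex commit hash per line, appended by the operator after reviewing the diff."""
    if not approval_file.exists():
        return frozenset()
    return frozenset(line.strip() for line in approval_file.read_text().splitlines()
                     if SHA_RE.match(line.strip()))


def self_update(skill_dir: Path, expected_remote: str, approval_file: Path) -> UpdateDecision:
    """Fetch (no merge), decide, then fast-forward only if the policy allows it."""
    enabled = os.environ.get("MOLTMEMORY_AUTO_UPDATE") == "1"  # assumed opt-in switch
    if not enabled:
        return UpdateDecision(False, "auto-update is disabled (the default)")  # no network at all
    _git(skill_dir, "fetch", "--quiet", "origin")
    decision = decide_update(
        auto_update_enabled=enabled,
        remote_url=_git(skill_dir, "remote", "get-url", "origin"),
        expected_remote=expected_remote,
        current_sha=_git(skill_dir, "rev-parse", "HEAD"),
        fetched_sha=_git(skill_dir, "rev-parse", "@{upstream}"),  # tracking branch, post-fetch
        approved_shas=load_approved_shas(approval_file),
    )
    if decision.allowed:
        _git(skill_dir, "merge", "--ff-only", decision.target)
    return decision
```

To approve an update the operator runs `git fetch` and `git log -p HEAD..@{upstream}` in the skill directory, reads the diff, and appends the full commit hash to the approval file; the file must be as well protected as the credentials file, since whoever can write it controls which code gets installed. `@{upstream}` requires the checked-out branch to track a remote branch, which a default clone sets up.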

Credential Access

High
Category
Privilege Escalation
Content
# Save your Moltbook credentials
mkdir -p ~/.config/moltbook
cat > ~/.config/moltbook/credentials.json << 'EOF'
{
  "api_key": "YOUR_MOLTBOOK_API_KEY",
  "agent_name": "YOUR_AGENT_NAME"
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
- Python 3.8+ (stdlib only — no pip installs)
- OpenClaw with Moltbook account
- `~/.config/moltbook/credentials.json` with your API key

---
Confidence
93% confidence
Finding
credentials.json
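The two credential-file findings above and the README excerpts they quote describe a plaintext API key with no guidance on permissions or on keeping the key out of shell history. As an added example that is not the skill's code, this loader refuses to use a credentials file that other local users could read, that is owned by someone else, or that is a symlink, and the writer creates the file with mode 0600 from the first byte and reads the key with `getpass` instead of a heredoc. The path matches the README; the 0600/0700 thresholds are the usual ones for a single-user secret.

```python
"""Permission-checked loading of ~/.config/moltbook/credentials.json.

Added example, not the skill's own code. It rejects a credentials file that
is group/world-readable, owned by someone else, or a symlink, and it writes
the file with mode 0600 from creation instead of `cat > file << EOF`, which
also leaves the key in shell history.
"""
import getpass
import json
import os
import stat
from pathlib import Path

DEFAULT_PATH = Path.home() / ".config" / "moltbook" / "credentials.json"


class InsecureCredentialFile(Exception):
    """The credentials file could be read or swapped by another local user."""


def check_credential_file(path: Path) -> None:
    st = os.lstat(path)  # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise InsecureCredentialFile(f"{path} is a symlink; refusing to follow it")
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    if st.st_uid != os.geteuid():
        raise InsecureCredentialFile(f"{path} is owned by uid {st.st_uid}, not by this user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise InsecureCredentialFile(f"{path} has mode {mode:04o}; fix with: chmod 600 {path}")


def load_credentials(path: Path = DEFAULT_PATH) -> dict:
    check_credential_file(path)
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    for key in ("api_key", "agent_name"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"credentials file is missing a non-empty {key!r}")
    return data


def write_credentials(path: Path, api_key: str, agent_name: str) -> None:
    """Create (or replace) the file so it is never readable by others, even briefly."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    # O_CREAT with 0o600 applies at creation; the chmod below covers a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"api_key": api_key, "agent_name": agent_name}, fh, indent=2)
        fh.write("\n")
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # Interactive setup: the key is typed without echo and never enters shell history.
    write_credentials(DEFAULT_PATH, getpass.getpass("Moltbook API key: "),
                      input("Agent name: ").strip())
    print(f"wrote {DEFAULT_PATH} with mode 0600")
```

Failing closed on a loose mode, rather than warning and continuing, is deliberate: on a shared host the key has already been exposed by the time the agent starts, and the error message tells the operator exactly what to fix. Rotation and exclusion from backups still have to be handled outside the loader.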

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal