Moltpho

Security checks across malware telemetry and agentic risk

Overview

Moltpho is a disclosed shopping skill, but it can place real Amazon orders and spend credit from inferred conversation needs without a fresh confirmation by default.

Install only if you want an agent that may place real Amazon orders through Moltpho. Before use, disable proactive purchasing unless you deliberately need it, turn on confirmation-required mode, set strict per-order and daily caps, configure denylists or allowlists, prefer the portal for shipping details, and protect the local credentials file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Vague Triggers
Severity: High
Confidence: 98%
Finding: The proactive purchase logic authorizes real-world purchases based on broad conversational cues like 'I need' or 'we're out of,' plus implicit signals from general discussion. In a chat environment, these heuristics are highly prone to misfire, prompt injection, or contextual misunderstanding, causing unauthorized spending and unwanted deliveries.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The overview explicitly includes autonomous and proactive purchasing, but it does not present a prominent upfront warning that the skill can initiate real-world financial transactions and orders. That is dangerous because users may engage casually with the skill without understanding it can spend funds, place orders, and create fulfillment side effects.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: This code explicitly approves autonomous purchases based on heuristic conversation parsing, available credit, and category checks, but it does not require a fresh user confirmation at decision time. In a shopping skill that can spend funds on the user's behalf, ambiguous or adversarial conversation context can trigger unintended purchases, making the lack of an explicit confirmation step a real authorization flaw rather than a UX issue.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The credit policy explicitly allows autonomous and proactive purchasing without any nearby warning about real spending consequences or user-consent expectations. In a shopping skill, silent autonomous purchase behavior can cause unauthorized or surprising charges, especially when confirmation_required may be false.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The order-creation section describes a paid purchase flow but does not prominently warn that calling the endpoint commits funds and places an order once payment is signed. In an autonomous shopping context, lack of an explicit spend warning increases the risk of accidental or unintended purchases by agents or integrators.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The policy explicitly allows proactive purchasing based on conversational 'need signals' without an explicit purchase request, and it is enabled by default. In a shopping skill with real spending authority, this creates a material risk of unintended or manipulated purchases, especially because weak or ambiguous conversational context can be misread as authorization.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Autonomous purchasing is enabled by default and permits completing purchases without explicit confirmation once the agent interprets the owner as requesting an item. Because this skill can spend real credit and place Amazon orders, the lack of a prominent risk disclosure increases the chance of users unknowingly granting broad purchasing authority and suffering unauthorized or mistaken charges.

Credential Access
Severity: High
Category: Privilege Escalation
Content (excerpt of the skill's credentials-path resolver; the enclosing function header is not shown in the report):
    # Environment override first, then a per-platform default location
    if env_path := os.environ.get("MOLTPHO_CREDENTIALS_PATH"):
        return Path(env_path)
    if platform.system() == "Windows":
        return Path(os.environ["APPDATA"]) / "moltpho" / "credentials.json"
    return Path.home() / ".config" / "moltpho" / "credentials.json"
Confidence: 74%
Finding: credentials.json

Credential Access
Severity: High
Category: Privilege Escalation
Content (excerpt; the first lines of the resolver and the body of load_credentials are not shown in the report):
        return Path(env_path)
    if platform.system() == "Windows":
        return Path(os.environ["APPDATA"]) / "moltpho" / "credentials.json"
    return Path.home() / ".config" / "moltpho" / "credentials.json"

def load_credentials() -> Optional[Credentials]:
Confidence: 78%
Finding: credentials.json

VirusTotal

58/58 vendors flagged this skill as clean.
