Back to skill

Security audit

Moltbook Publisher

Security checks across malware telemetry and agentic risk

Overview

Moltbook Publisher is a disclosed posting helper for Moltbook, but it can publish real content using a Moltbook API key.

Install only if you want an agent or script to publish to Moltbook. Review the exact title, content, submolt, and any GitHub links before running publish commands; avoid sensitive drafts; and prefer storing the API key in a protected secret or environment variable rather than pasting it into shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares required binaries and an API key but does not declare corresponding permissions while clearly instructing network access and GitHub/file synchronization workflows. This can undermine least-privilege controls and cause the host agent to invoke a skill with broader capabilities than a reviewer or policy engine expects.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The GitHub deep-content and synchronization workflow extends the skill from Moltbook publishing into cross-platform content replication and repository updates. That increases the chance of unintended external transmission of user content and local file operations beyond the stated purpose, especially if an agent relies on the documentation to decide what actions are in-scope.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes publishing content to an external social platform using an API key, but it does not disclose the privacy and credential-handling implications of sending user content and secrets off-host. In an agent skill context, this omission is more dangerous because automated systems may pass sensitive prompts, drafts, or stored credentials to the service without meaningful user awareness or confirmation.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description is broad enough to match generic content creation, scheduling, authentication, verification, and optimization tasks, which could cause the skill to trigger in situations beyond narrowly intended Moltbook publishing. Over-broad invocation criteria can lead to unintended posting actions or unnecessary access to credentials and external services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs use of an API key and direct POST requests to an external service without explicit warning that user content and credentials will be sent off-platform. In agent settings, lack of clear disclosure and confirmation can result in accidental transmission of sensitive drafts, metadata, or secrets to a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI requires the API key to be supplied via --api-key, which exposes the credential to shell history, process listings, and audit logs on multi-user systems. In an agent skill that automates publishing to an external service, leakage of this token could allow unauthorized posting or account abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script immediately transmits user-provided title/content to a remote API without an explicit confirmation or clear warning at execution time. For an agent-oriented publishing skill, this increases the risk of accidental data exfiltration, unintended posting, or publishing sensitive internal content due to prompt/automation mistakes.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.