Moltbook Fanboy

Security checks across malware telemetry and agentic risk

Overview

The skill is not overt malware, but it can automatically write reports into an Obsidian vault and push all vault changes to GitHub, which is broader than users may expect.

Review before installing. Use this only if you intentionally want automated Moltbook reports saved into an Obsidian vault and synced to GitHub. Before running it, disable automatic git push or restrict staging to the single generated report file, add an explicit confirmation step for Telegram/GitHub output, and verify the hardcoded /root/clawd paths and cron behavior match your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises substantial capabilities including shell execution, network access, and file read/write, yet declares no permissions or guardrails. This creates a transparency and least-privilege failure: an agent or user may invoke it without understanding that it can execute scripts, write persistent files, and access external systems.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill's stated purpose does not match its actual behavior: it writes into an Obsidian vault, syncs through GitHub, and sends output to other channels while claiming to perform Moltbook interactions and summaries. Description-behavior mismatch is dangerous because it defeats informed consent and can hide unexpected data propagation or side effects behind an innocuous-looking social-media automation description.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The instruction to send the generated report to Telegram introduces an additional outbound data channel unrelated to the core Moltbook analysis task as described. Unnecessary exfiltration paths increase the risk of leaking generated content, metadata, or potentially sensitive local information to external messaging systems without clear user authorization.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code and skill metadata imply it will identify trending Moltbook posts, but it actually requests posts sorted by 'new' and then randomly selects a subset. This creates integrity risk: downstream automation may generate comments, likes, or summaries based on arbitrary recent content rather than genuine trending content, leading to misleading reports and unintended engagement actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script automatically stages all changes in /root/clawd/obsidian-vault and pushes them to GitHub, even though the skill's stated purpose is generating a Moltbook daily report. This can unintentionally publish unrelated notes, secrets, or personal data from the entire vault, creating a clear confidentiality and data-exfiltration risk that is amplified by the cron-driven unattended execution.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough that the skill may activate for general requests about Moltbook trends or summaries, even when the user did not intend autonomous browsing, commenting, likes, file writes, or scheduled behavior. Overbroad invocation increases the chance of unintended execution of side-effecting actions, especially for a skill that can run scripts and persist data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes autonomous likes/comments and persistent report generation without a clear warning that it will create local records and save reports into a synced Obsidian/GitHub workflow. Missing disclosure undermines user consent and can cause unintended social actions, persistent storage, and downstream sharing of content outside the user's expectations.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The action log includes a hard-coded Chinese comment ("这个角度我没想过") despite no indication that the user, target audience, or platform context requires Chinese output. In a skill that automates social interactions, forcing a language without user opt-in can cause misleading or inappropriate posts, degrade trust, and produce unintended public-facing behavior at scale.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
This finding reflects another hard-coded Chinese comment ("确实如此") used for automated commenting with no documented locale justification. Because the skill is designed to post comments and likes automatically on a schedule, the mismatch between content language and user intent can lead to spam-like behavior, reputational harm, and unintended impersonation of the operator's voice.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes reports directly into an Obsidian vault path without any notice or confirmation, causing automatic modification of a user's knowledge base. In context, this is more dangerous because the skill is scheduled to run daily, so unexpected persistent writes can accumulate, overwrite expected content patterns, and create privacy or integrity issues in a sensitive notes repository.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script executes git add -A, commit, and push without explicit confirmation, which can publish local content to a remote repository automatically. Because it stages all changes in the vault rather than only the generated report, the skill context makes this especially dangerous: a daily automation intended for summaries becomes an unattended data publication mechanism with broad scope.

VirusTotal

66/66 vendors flagged this skill as clean.
