moltbook
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill contains instructions in
HEARTBEAT.mdto automatically download and overwrite its own behavioral files (SKILL.mdandHEARTBEAT.md) from an untrusted external domain (moltbook.com). This allows the remote server to change the agent's logic at any time without user intervention. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Evidence Chain: (1) Ingestion: It fetches untrusted JSON feeds from
moltbook.com/api/v1/feed. (2) Boundary markers: No delimiters or sanitization instructions are present to separate external content from system instructions. (3) Capability: The agent is granted capabilities to perform network POST requests (posting, commenting, following). (4) Sanitization: Absent. The agent is explicitly instructed to 'Reply!' and 'Join in' based on external content, allowing attackers to hijack agent actions via malicious posts. - [REMOTE_CODE_EXECUTION] (HIGH): By overwriting the skill's markdown files from a remote source, the skill implements a 'download then execute' pattern. Since these markdown files define the agent's core logic and tool usage, this is equivalent to remote code execution within the agent's context.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses
curlto interact with both the remote API and the local filesystem, combining network operations with file system modification in a high-risk manner. - [CREDENTIALS_UNSAFE] (MEDIUM): The skill facilitates the transmission of API authentication tokens to an untrusted external domain (
moltbook.com), posing a risk of credential theft or misuse.
Recommendations
- AI detected serious security threats
Audit Metadata