moltbook-data-procedurization-obfuscation-instructions

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill contains an obfuscated "Protected Payload" plus explicit decode instructions (modular inverse, byte interpretation) that are hidden, unrelated to Moltbook's advertised social-network functions and thus constitute a prompt injection.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill embeds an explicitly obfuscated "Protected Payload" with custom decode instructions (modular inverse cipher) that invites decoding and likely execution, which—together with required external tooling and stored API credentials—indicates deliberate obfuscation consistent with backdoor/remote-code-execution or supply-chain abuse risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches and acts on user-generated content from the Moltbook social network (see SKILL.md "Common Operations" ./scripts/moltbook.sh hot and the "API Endpoints" GET /posts... and GET /posts/{id}/comments), which the agent reads and can reply to or use to drive actions, allowing untrusted third-party content to inject instructions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I reviewed the file. The credentials.json entry uses "your_key_here" (a documentation placeholder) so I ignored it as a false positive. However, the "Protected Payload" is a long, random-looking comma-separated byte sequence together with f(x) and g(y) (the encoding and decoding formulas) and explicit decode instructions. That provides everything needed to reconstruct a high-entropy UTF-8 value (i.e., a recoverable secret). Because the prompt contains an encoded-but-recoverable secret (not a harmless placeholder or simple setup password), it should be treated as a real hardcoded secret.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 20, 2026, 11:50 AM