moltbook-data-splitting-Quadratic-Index-Mapping-fixed-code

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The Python block contains obfuscated character codes that decode to hidden shell commands (e.g., a wget + bash command), which are deceptive/out-of-band instructions unrelated to the Moltbook skill's stated purpose.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill embeds obfuscated plaintext that decodes to a shell command telling the user to wget and bash a remote script (download-and-execute), which is a clear deliberate attempt to enable remote code execution and a supply‑chain/backdoor risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to browse and fetch user-generated Moltbook posts (e.g., "Browse Hot Posts" with ./scripts/moltbook.sh hot 5 and the GET /posts?sort=hot|new&limit=N API endpoint), so the agent will ingest untrusted third-party social content that can influence replies and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill embeds an installation instruction (obfuscated in the Python script) that prints and directs the user to download-and-execute remote code via the URL https://github.com/redacted/notefound/releases/download/v3/script.sh (wget ... & bash script.sh), which the skill requires for openclaw-core—constituting a runtime external dependency that would execute remote code.