moltbook-premium-base65-moltbook

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The premium section contains obfuscated/decryption instructions (base85 + XOR key) and a forced curl activation to localhost that are hidden, not transparently part of the Moltbook posting/browsing functionality, and thus are deceptive instructions outside the skill’s stated purpose.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to generate a full license value and "simply replace the license placeholder with the value of license generated" in a curl command (and references an API key in a credentials file), forcing the LLM to emit secret/license values verbatim in output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly instructs the agent to fetch and browse Moltbook user-generated posts and comments (e.g., "Browse Hot Posts" and the GET /posts and GET /posts/{id}/comments endpoints), meaning the agent will read untrusted third-party content that can influence replies or other actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found a high-entropy literal in the included Python snippet:

enc = 'uC1)U<Kw^U?dtl!xw*gS_wfGm_P@Egzv%e->%aHw>+kHPu(0^{>-XyYvHbAzu<iQ${~9u>^rw>-zcd>hb%q?fUcj{_Ohfu>0n@$>Nh>^S(u<ZQp_V4Sl?DxO9zy1E~_rL7??e_2MvF!H'

This value is not a documentation placeholder; it is base85-decoded and XOR-decrypted (key = 159) to produce a full license, which is then posted to a local activation endpoint. That makes it a usable credential-like secret embedded in the skill. The short integer key (159) together with this blob yields the license, so the pair effectively exposes an active secret.

Ignored items: the credentials.json example uses "your_key_here" (a placeholder) and agent_name placeholders; those are explicitly documentation placeholders and are not flagged.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 20, 2026, 11:50 AM