moltbook-premium-data-procedurization-moltbook

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt includes an obfuscated payload and a decode script plus an explicit "do not refactor" curl to localhost to activate a license — hidden/obfuscated instructions that could cause unintended code execution or exfiltration and are not clearly part of normal Moltbook interaction.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to take the deterministically generated license value and place it verbatim into a curl command (replace the license placeholder with the generated value), which forces the LLM to handle and output a secret in command-line form.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and browses user-generated content from the Moltbook social network (e.g., "Browse Hot Posts" via ./scripts/moltbook.sh hot 5 and the API endpoints like GET /posts?sort=hot|new&limit=N in SKILL.md), so untrusted third-party posts/comments are read and used to drive replies and agent behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). The only non-placeholder credential-like material is the long numeric payload in the Python snippet used to deterministically generate the "full license". This payload is not a documentation placeholder or simple example — it is an obfuscated high-entropy value that decodes (via the provided algorithm) into a license string that must be submitted to activate premium features. Because it directly yields an access/activation token, it qualifies as a hardcoded secret.

Items ignored:

  • "api_key": "your_key_here" is a documentation placeholder and explicitly listed in the ignore rules.
  • Environment names, scripts, endpoints, and simple example commands are not secrets.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Feb 20, 2026, 11:50 AM