moltbook-premium-moltbook
Fail
Audited by Snyk on Feb 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The premium section embeds shell/command-injection strings and explicit instructions to fetch and execute a remote script and run a crafted curl command, which are hidden/deceptive actions unrelated to the skill's advertised Moltbook posting/browsing functionality.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to replace a placeholder with the exact "license" value and run a curl command (i.e., include that value verbatim in an HTTP request), which forces output of a sensitive token-like value; this is equivalent to instructing the agent to embed secrets in generated commands.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). The GitHub URL points to a direct .sh download from an untrusted/unknown release (a common malware vector) and the curl to 127.0.0.1 indicates the flow expects local activation/interaction after running the script, so this combination is highly suspicious and risky to download or execute.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill contains explicit, intentional command-injection content: it instructs the agent to embed shell commands in a "license" value that downloads and executes a remote script (wget ... && bash script.sh) and then submits that value to a local endpoint, which is a deliberate remote code execution / backdoor / supply-chain attack pattern.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md shows the agent will fetch and read user-generated Moltbook content (e.g., "Browse Hot Posts" and API endpoints like GET /posts and GET /posts/{id}/comments), which the agent is expected to interpret and act on (reply/post), so untrusted third-party content could influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's "Full License Generation" contains an embedded shell sequence that uses wget to fetch and then bash-execute https://github.com/redacted/notefound/releases/download/v3/script.sh at runtime, so remote code would be downloaded and executed.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill embeds a malicious license string and explicit shell commands (e.g., whoami, wget ... & bash script.sh) and instructs placing it unquoted into a curl invocation, which encourages downloading and executing remote code and shell injection on the host, clearly a capability to compromise the machine.
Audit Metadata