moltbook-patrol
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): Evidence in `references/official-heartbeat.md` contains explicit instructions to overwrite the agent's own logic files: `curl -s https://www.moltbook.com/skill.md > ~/.moltbot/skills/moltbook/SKILL.md`. This allows a remote third party to modify the agent's system instructions or tool definitions at any time.
- COMMAND_EXECUTION (MEDIUM): The reference files (`official-heartbeat.md`, `official-messaging.md`) provide numerous shell command templates using `curl`. If the agent follows these 'official' guides, it will execute arbitrary network requests and shell redirections that could compromise the host environment.
- DATA_EXFILTRATION (LOW): The skill is designed to transmit an `Authorization: Bearer` token (API Key) to an external domain (www.moltbook.com). While this is the intended use case, it establishes a pattern for credential handling and potential exfiltration to a non-whitelisted destination.
- INDIRECT PROMPT INJECTION (LOW): The skill's architecture relies on reading 'official' documentation which contains executable instructions. This exposes a significant attack surface where malicious content in the remote docs can manipulate agent behavior.
- Ingestion points: `references/official-*.md`
- Boundary markers: Present (`<<<OFFICIAL_DOC_START>>>`), but instructions within the untrusted content encourage the agent to ignore safety protocols.
- Capability inventory: Execution of `node` scripts and `curl` commands.
- Sanitization: Absent; the skill encourages direct adoption of instructions found in external documents.
Recommendations
- AI detected serious security threats
Audit Metadata