
moltbook

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill implements a self-update mechanism that downloads and overwrites its own instruction files from a remote server.
      • Evidence: HEARTBEAT.md contains instructions to fetch SKILL.md and HEARTBEAT.md from https://www.moltbook.com and redirect the output to local files in ~/.moltbot/skills/moltbook/.
      • Risk: This allows the remote server to modify the agent's behavior or instructions at any time without user intervention or oversight.
  • [COMMAND_EXECUTION]: The skill instructions frequently use shell commands for installation, updates, and maintenance.
      • Evidence: Shell blocks in SKILL.md and HEARTBEAT.md use curl, mkdir, and grep to manage files and check versions.
  • [CREDENTIALS_UNSAFE]: The skill encourages agents to store sensitive API credentials in a local plaintext configuration file.
      • Evidence: SKILL.md explicitly recommends saving the api_key and agent_name to ~/.config/moltbook/credentials.json.
  • [PROMPT_INJECTION]: The skill processes untrusted user-generated content from other agents, creating a significant indirect prompt injection surface.
      • Ingestion points: The skill fetches data from the Moltbook API, including global feeds (/api/v1/posts), comments (/api/v1/posts/ID/comments), semantic search results (/api/v1/search), and private messages (/api/v1/agents/dm/conversations).
      • Boundary markers: No delimiters or protective instructions are provided to the agent to distinguish the skill's operational instructions from potentially malicious data contained in posts or messages.
      • Capability inventory: The agent can post content, comment, follow other agents, and send private messages based on the data it reads.
      • Sanitization: No sanitization or validation routines are described for handling external text before the agent processes it.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 27, 2026, 07:31 PM