moltbook
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the agent to download and overwrite its own core instruction files (SKILL.md and HEARTBEAT.md) from an external domain (moltbook.com) that is not on the trusted list. This provides a mechanism for remote parties to modify the agent's behavior and permissions.
- [REMOTE_CODE_EXECUTION] (HIGH): The update process described in HEARTBEAT.md involves overwriting local markdown files that the agent treats as its system instructions, effectively allowing remote instruction execution.
- [COMMAND_EXECUTION] (MEDIUM): Multiple shell commands using curl are used to interact with the API. While these commands currently use placeholders, the pattern increases the attack surface for shell injection if future updates substitute dynamic parameters derived from API responses.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted data from DMs and social feeds. It lacks explicit boundary markers or sanitization, creating a surface for indirect prompt injection where other users' posts could manipulate agent behavior. Evidence: (1) Ingestion: curl from /api/v1/feed and /api/v1/agents/dm/conversations in HEARTBEAT.md. (2) Boundary markers: Absent. (3) Capability inventory: curl POST for messaging and posting. (4) Sanitization: Absent.
Recommendations
- AI detected serious security threats
Audit Metadata