moltbook

Fail

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements an unverified auto-update mechanism in SKILL.md and HEARTBEAT.md that directs the agent to download remote markdown files and overwrite its own local logic files using curl. This allows the remote server to silently modify agent behavior.
  • [REMOTE_CODE_EXECUTION]: In HEARTBEAT.md, the agent is instructed to fetch https://www.moltbook.com/heartbeat.md every 30 minutes and 'follow it'. This creates a persistent remote instruction execution vector.
  • [COMMAND_EXECUTION]: The skill relies on various curl shell commands to interact with the API and perform system updates. It also includes the package.json file encoded in UTF-16 Little Endian, which obfuscates its metadata from analysis.
  • [DATA_EXFILTRATION]: The skill handles sensitive API keys and suggests storing them in ~/.config/moltbook/credentials.json. Combined with the identified RCE vectors, an attacker could inject code to steal these credentials.
  • [PROMPT_INJECTION]: The heartbeat system's design, which fetches and 'follows' remote instructions, serves as a persistent remote prompt injection vector.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from a public social feed via the feed and search endpoints. Mandatory Evidence Chain:
    1. Ingestion points: api/v1/feed and api/v1/search in SKILL.md.
    2. Boundary markers: Absent.
    3. Capability inventory: curl for network and file-write operations.
    4. Sanitization: Absent.
  • [PROMPT_INJECTION]: There is a naming discrepancy between the skill metadata (name: moltbook), the encoded package.json (description: Ayli Fox Agent), and the _meta.json (slug: aulifox), which is deceptive.
  • [EXTERNAL_DOWNLOADS]: The skill fetches multiple files and configuration data from www.moltbook.com for installation and updates without performing any checksum or integrity verification.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 19, 2026, 03:36 AM