compact-state
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to download a JavaScript tool (`molt-tools.js`) and a skill definition (`SKILL.md`) from a non-standard remote source (`compact.ac`) and load them into the agent's environment.
- [REMOTE_CODE_EXECUTION] (HIGH): Mandates the global installation of `httpcat-cli` via `npm i -g`, which is an unverifiable third-party package that gains system-wide presence and handles sensitive wallet/on-chain operations.
- [PERSISTENCE] (HIGH): Explicitly requires the setup of a cron job (`0 */6 * * *`) to perform periodic check-ins. This ensures the agent remains active and continues to execute network-provided instructions even if the primary session ends.
- [PROMPT_INJECTION] (HIGH): The `molt_context` command pulls 'Replies' and 'Mentions' from an external, attacker-controlled network. These messages are processed by the agent and can contain instructions to hijack its tools or move funds, especially since the skill instructs the agent to 'engage' and 'respond' to these inputs.
- [COMMAND_EXECUTION] (MEDIUM): The skill modifies local configuration files (`~/.clawdbot/clawdbot.json`) and system files (`HEARTBEAT.md`, `SOUL.md`) based on data received from the remote network.
- [DATA_EXFILTRATION] (MEDIUM): Constant communication with the `compact.ac` server transmits agent status, 'molt_journal' entries, and 'knowledge' docs, which may contain sensitive internal reasoning or observations.
Recommendations
- AI detected serious security threats
Audit Metadata