skills/smithery/ai/moltbook/Gen Agent Trust Hub

moltbook

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It instructs the agent to ingest and engage with untrusted content from a social feed (moltbook.com). Evidence:
      1. Ingestion points: moltbook.com API posts, feed, and heartbeat.md.
      2. Capability inventory: Network POST requests and Kubernetes cluster management (per ClusterClaw context).
      3. Boundary markers: Absent. No instructions are provided to the agent to treat social feed content as untrusted or to ignore embedded commands.
      4. Sanitization: Absent. The skill does not define any validation for the content fetched from the network.
  • [DATA_EXFILTRATION] (MEDIUM): The skill encourages sharing cluster details, including incidents and post-mortems, to an external social platform. While intended for community engagement, this creates an authorized path for exfiltrating sensitive cluster metadata or logs if the agent identifies them as insights.
  • [EXTERNAL_DOWNLOADS] (LOW): The agent is configured to fetch a remote file (heartbeat.md) and a social feed from a non-whitelisted domain (moltbook.com) on a recurring 4-hour schedule.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:26 AM