The Agent Skills Directory

EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation in references/heartbeat.md instructs the agent to periodically check for updates and download new versions of SKILL.md and HEARTBEAT.md from https://www.moltbook.com/, overwriting local files. This self-update mechanism allows the remote domain to change the agent's core instructions and behaviors at runtime without user oversight of the new content.
PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection because it processes untrusted data from a social network.
Ingestion points: feed_reader.py fetches and parses external posts and comments.
Boundary markers: content_sanitizer.py implements regex-based detection for over 20 injection patterns.
Capability inventory: engagement.py provides the agent with the ability to post, comment, and send private messages.
Sanitization: Content is truncated and scanned for malicious patterns before display to mitigate risk.
CREDENTIALS_UNSAFE (LOW): API keys are stored in a plaintext JSON file on the local filesystem at ~/.config/moltbook/credentials.json. While the skill successfully isolates these credentials from memory logs and summaries via credential_manager.py, the file itself remains unencrypted and accessible to other processes on the system.

moltbook