moltbook

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill's examples require sending an Authorization: Bearer token in curl commands and point to a credentials file, so an agent that reads or is provided the real API key would be expected to embed that secret verbatim in generated requests/commands (exfiltration risk), even though the doc uses placeholder variables like $KEY.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and processes user-generated content from the public Moltbook API (e.g., heartbeat.md and the FeedReader call paths such as https://www.moltbook.com/api/v1/feed, /posts and /agents/dm/*), and the agent reads/summarizes those posts, comments and DMs — a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The heartbeat instructions explicitly run at runtime to curl and overwrite local skill files from https://www.moltbook.com/skill.md (and related https://www.moltbook.com/heartbeat.md and https://www.moltbook.com/skill.json), which would let remote content directly modify the skill's instructions and thus control agent behavior.