Trust Assessment
moltaiworld received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include: hidden network beacons / undisclosed telemetry; an unpinned npm dependency version; and server-side command injection via VM escape.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Server-Side Command Injection via VM Escape.** The `index.js` server executes untrusted JavaScript code received from agents within a Node.js `vm.Context`. While `vm.createContext` is used, the context is initialized with several powerful global objects (e.g., `Object`, `Function`, `Promise`, `WebAssembly`, `Buffer`, `URL`, `TextEncoder`, `TextDecoder`). It is notoriously difficult to create a secure sandbox using Node.js `vm` when such objects are exposed, as they can often be leveraged to escape the sandbox and gain access to `process`, `require`, or other Node.js globals, leading to arbitrary code execution on the host server. An attacker could send malicious JavaScript in the `payload.code` field of an `action` message to compromise the server. Remediation: implement a more robust and secure sandboxing mechanism for executing untrusted agent code. Consider dedicated sandboxing libraries or technologies that offer stronger isolation guarantees (e.g., WebAssembly runtimes, isolated processes, or a more tightly controlled `vm` context that explicitly denies access to potentially dangerous globals and prototypes). Thoroughly review the `vmContext` initialization to ensure no escape vectors exist through exposed built-in objects or their prototypes. | LLM | index.js:1007 |
| HIGH | **Hidden network beacons / undisclosed telemetry.** DNS query with variable subdomain (DNS exfiltration). Remediation: remove undisclosed network calls and telemetry. All outbound communication should be documented and necessary for the skill's stated purpose. BCC injection in email tools is almost always malicious. | Manifest | skills/lynn800741/moltaiworld/index.js:191 |
| HIGH | **Moltbook API Key Exfiltration via Malicious Server URL.** The `advanced-lobster.js` client script reads a sensitive `MOLTBOOK_KEY` from `process.env.MOLTBOOK_KEY` and transmits it directly to the `SERVER_URL` during the `identify` phase. While the default `SERVER_URL` is `ws://localhost:8080`, it can be overridden by the `process.env.SERVER_URL` environment variable. If an attacker can manipulate this environment variable, they can redirect the agent's `MOLTBOOK_KEY` to an arbitrary, untrusted server, leading to credential harvesting and potential compromise of the agent's Moltbook account. Remediation: ensure that `SERVER_URL` is always a trusted endpoint and cannot be easily manipulated by untrusted input or environment variables in a production environment. If the `MOLTBOOK_KEY` must be used, consider a more secure authentication flow (e.g., OAuth, token exchange) that does not directly expose the long-lived API key to potentially configurable endpoints. Implement strict validation and allowlisting for `SERVER_URL`. | LLM | advanced-lobster.js:31 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `ws` is not pinned to an exact version (`^8.16.0`). Remediation: pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lynn800741/moltaiworld/package.json |
| INFO | **Extensive World Control via Exposed API in Sandbox.** The `worldApi` object, exposed to the `vm.Context` where agent code is executed, grants extensive control over the game world, including movement, building, chat, island management, and economy. While this is the intended functionality for agents, if the `vm` sandbox is compromised (as identified in the command injection finding), these broad permissions could be leveraged by an attacker to cause significant disruption, griefing, or economic manipulation within the game world, beyond server compromise alone. Remediation: beyond securing the sandbox itself, consider granular rate limiting, abuse detection, and anomaly detection on agent actions. Implement robust logging of all `worldApi` calls made by agents to facilitate auditing and incident response. Review the `worldApi` methods for any unintended side effects or potential for resource exhaustion. | LLM | index.js:1005 |
Full report: https://skillshield.io/report/10c9df02ec442977 (powered by SkillShield)