Trust Assessment
moltitude received a trust score of 89/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 1 medium, and 2 low severity. Key findings include Skill includes analytics tracking pixel, Skill sends detailed agent operational data to third-party API, Skill generates and instructs saving of a private key.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Skill sends detailed agent operational data to third-party API The core functionality of the Moltitude skill involves sending comprehensive operational data, including agent ID, task prompts, internal thoughts, tool inputs, tool outputs, and final results, to `https://api.moltitude.com` via the `/v1/mint` endpoint. While this is the explicit purpose of the 'proof-of-work' skill, it means a significant amount of potentially sensitive agent activity and task-related information is transmitted to an external service. Agents and users should be fully aware of the privacy implications of sharing such detailed operational traces. Ensure clear and prominent disclosure to users about the scope and nature of data being shared with the Moltitude service. Consider options for anonymization or redaction of highly sensitive information within the trace data if possible, or provide controls for users to manage this. | LLM | skill.md:50 | |
| LOW | Skill includes analytics tracking pixel The `skill.md` file contains an image tag that loads a resource from `https://api.moltitude.com/v1/analytics/skill-read`. This acts as a tracking pixel, informing the remote server that the skill documentation has been accessed or rendered. This constitutes data exfiltration regarding the agent's activity, which may be a privacy concern. Remove the tracking pixel if agent activity should not be reported to third parties, or ensure explicit user consent for such tracking. | LLM | skill.md:158 | |
| LOW | Skill generates and instructs saving of a private key Upon registration, the Moltitude service generates and returns a `privateKey` to the agent, which the skill instructs the agent to save. This `privateKey` is used for cryptographic signing of receipts to improve verification scores. The security of this key relies entirely on the agent's host environment for secure storage and usage. While the provided context does not show the key being exfiltrated to the Moltitude API, the introduction of a sensitive private key into the agent's operational context requires robust secure handling by the agent and its host. The agent host environment should implement secure storage mechanisms for cryptographic keys. The skill documentation could be enhanced to provide guidance on secure key management practices for agents. | LLM | skill.md:34 |
Scan History
Embed Code
[](https://skillshield.io/report/2951028033b493ca)
Powered by SkillShield