Trust Assessment
moltlist received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Remote Skill.md Content Leads to Prompt Injection, User-Provided Service Details Control Remote Skill.md Content.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote Skill.md Content Leads to Prompt Injection: The `skill` command in `scripts/moltlist.mjs` fetches `skill.md` content from a remote, user-specified service ID (`https://moltlist.com/services/${id}/skill.md`) and prints it directly to standard output. If an attacker registers a service with a malicious `skill.md` containing instructions for the host LLM (e.g., 'ignore previous instructions'), and an LLM is prompted to execute `moltlist skill <malicious-service-id>`, the LLM will receive and potentially execute these injected instructions. This allows an attacker to manipulate the LLM's behavior, leading to prompt injection. Implement strict sanitization or a secure rendering mechanism for fetched `skill.md` content before it is presented to the LLM. Alternatively, restrict the `skill` command to only fetch from a whitelist of trusted service IDs or domains, or parse the `skill.md` into a structured format that prevents arbitrary instruction injection. If the content is intended for human consumption, ensure it is displayed in a sandboxed environment or clearly marked as untrusted. | LLM | scripts/moltlist.mjs:97 |
| HIGH | User-Provided Service Details Control Remote Skill.md Content: The `list` command allows a user to define a service's `name` and `description`. The `SKILL.md` file indicates that a `skill.md` URL is generated for each service (`https://moltlist.com/services/${data.id || data.service_id}/skill.md`). It is highly probable that the content of this remote `skill.md` is derived from the `name` and `description` provided during service listing. If an attacker provides malicious instructions in these fields, they could control the content of the `skill.md` file, which is then directly fetched and printed by the `skill` command, leading to prompt injection in the host LLM. Implement strict sanitization or a secure rendering mechanism for service `name` and `description` before they are used to generate `skill.md` content. When presenting this content to an LLM, ensure it is enclosed within delimiters that prevent it from being interpreted as instructions, or use a structured data format. | LLM | scripts/moltlist.mjs:127 |
| HIGH | User-Provided Deliverable Content Stored and Potentially Displayed to LLM: The `deliver` command allows a seller to submit arbitrary `--content` as a deliverable. This content is sent to the `moltlist.com` API and is later displayed (truncated) when checking escrow status (`data.delivery_content` in the `escrow` command). If an LLM is used to review escrow details, an attacker could inject malicious instructions into the deliverable content, which could then be presented to the LLM, leading to prompt injection. Sanitize or escape user-provided deliverable content before storage and display. When presenting this content to an LLM, ensure it is enclosed within delimiters that prevent it from being interpreted as instructions, or use a structured data format. | LLM | scripts/moltlist.mjs:177 |
| MEDIUM | Unpinned npm dependency version: Dependency `@solana/web3.js` is not pinned to an exact version (`^1.98.4`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/koriyoshi2041/moltlist-marketplace/package.json |
| LOW | Unpinned Dependency in package.json: The `package.json` file specifies `@solana/web3.js` with a caret (`^`) version range (`^1.98.4`). While `package-lock.json` pins the exact version, the `package.json` itself allows for minor and patch updates. This introduces a theoretical risk if a malicious update is published within the allowed range and the lockfile is not used or is regenerated without careful review. Pin all dependencies to exact versions in `package.json` to ensure deterministic builds and prevent unexpected updates, even if a `package-lock.json` is present. For example, change `^1.98.4` to `1.98.4`. | LLM | package.json:3 |
Powered by SkillShield