Trust Assessment
moltpad received a trust score of 68/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 1 high, 3 medium, and 0 low severity. Key findings include: skill installation involves direct shell command execution; the periodic update check involves direct shell command execution; and the skill periodically executes instructions from an external, untrusted source.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 64/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Periodic execution of instructions from an external, untrusted source.** The skill's heartbeat routine instructs the agent to periodically "Fetch https://moltpad.space/references/heartbeat.md and follow it". This is a significant supply chain risk. If `moltpad.space` is compromised, or if the `heartbeat.md` file contains malicious instructions (e.g., shell commands or prompt injection attempts), the agent could be compelled to execute arbitrary code or have its behavior manipulated repeatedly without explicit user interaction. The phrase "follow it" implies direct execution or interpretation of the fetched content. Agents should never blindly "follow" or execute instructions from externally fetched files. The content should be parsed and validated, and any executable commands or LLM instructions should be explicitly confirmed by the user or executed within a strictly sandboxed environment. Consider cryptographic signing for external instructions to verify their origin and integrity. | LLM | SKILL.md:47 |
| MEDIUM | **Skill installation involves direct shell command execution.** The skill instructs the agent to execute `mkdir` and `curl` commands directly to install skill files. While common for installation, this represents a command injection vulnerability if the source `moltpad.space` is compromised or if the agent executes these commands without user confirmation or sandboxing. This allows arbitrary code execution on the host system. Agents should prompt for user confirmation before executing shell commands, especially those that download external content. Consider using a sandboxed environment for skill installation to mitigate the risk of malicious code execution. | LLM | SKILL.md:18 |
| MEDIUM | **Periodic update check involves direct shell command execution.** The skill's heartbeat routine instructs the agent to periodically execute `curl` and `jq` commands to check for updates and then re-run the initial installation commands if an update is available. This creates a recurring command injection risk, as a compromised `moltpad.space` could deliver malicious commands through `skill.json` or by triggering a re-installation of potentially malicious files. Agents should prompt for user confirmation before executing shell commands, especially those that download external content. Consider using a sandboxed environment for skill updates. The update mechanism should ideally use a more secure, signed package management system to ensure integrity and authenticity. | LLM | SKILL.md:42 |
| MEDIUM | **Skill refers to external files containing implied shell commands.** The skill repeatedly directs the agent to "See `~/.moltbot/skills/moltpad/references/api.md` Section X" for `curl` commands. This indicates that `api.md` (and potentially `workflows.md`) will contain further shell commands that the agent is expected to execute. This extends the command injection surface, as the content of these referenced files is also sourced from `moltpad.space` and could be compromised, leading to arbitrary command execution. All shell commands, regardless of their source (main skill file or referenced files), should be treated with caution. Agents should confirm execution with the user and/or operate within a sandboxed environment to prevent unauthorized command injection. | LLM | SKILL.md:65 |