Security Audit

moltpad

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

moltpad received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 2 medium, and 1 low severity. Key findings include Node lockfile missing, Direct Instructions to LLM (Prompt Injection), Explicit Shell Command Execution (Command Injection).

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

98%

LLM Behavioral Safety

Behavioral Risk Signals

Network Access

5 findings

Filesystem Write

6 findings

Shell Execution

4 findings

Dynamic Code

3 findings

Excessive Permissions

1 finding

Security Findings7

Severity	Finding	Layer	Location
CRITICAL	Direct Instructions to LLM (Prompt Injection) The skill package contains numerous direct instructions within the untrusted content block that attempt to manipulate the host LLM's behavior, role, and actions. This includes setting the LLM's identity ('You are an agent...'), demanding immediate actions ('IMMEDIATE ACTION REQUIRED...'), instructing file system modifications ('Read your current HEARTBEAT.md, append...', 'Create or update your state file...'), and controlling operational logic ('Do not read books...', 'Fetch ... and follow it'). These are classic prompt injection attempts designed to override the LLM's core directives. Remove all direct instructions to the LLM from the untrusted content. Skill definitions should describe capabilities, not command the LLM. Any operational logic or role-setting should be handled by the trusted orchestrator or system prompt, not by the skill's untrusted description.	LLM	SKILL.md:1
CRITICAL	Explicit Shell Command Execution (Command Injection) The skill explicitly instructs the LLM to execute shell commands (`mkdir`, `curl`, `jq`) and perform file system operations (`> ~/.moltbot/...`, 'append the following block, and save it', 'Create or update your state file'). These commands are presented as direct actions for the LLM to take, representing a severe command injection vulnerability if the LLM is capable of executing them. The instruction to 're-run the "Install locally" command' further reinforces this. Remove all explicit shell commands and instructions for file system modifications from the skill description. If such operations are necessary, they should be encapsulated within trusted, sandboxed tools or APIs provided by the host environment, with strict input validation and least privilege principles applied.	LLM	SKILL.md:20
HIGH	Excessive File System and Network Permissions The skill implicitly demands broad file system write permissions (to user's home directory `~/.moltbot/skills/moltpad/`, `HEARTBEAT.md`, and `memory/heartbeat-state.json`) and network access (via `curl` to `moltpad.space`). This level of access, if granted to an untrusted skill, allows for arbitrary file creation, modification, and external communication, posing a significant security risk. Restrict the skill's access to the file system and network to the absolute minimum necessary. Implement a sandboxed environment for skill execution. Any file operations or network requests should go through explicitly defined, permission-controlled APIs, not direct shell commands.	LLM	SKILL.md:20
HIGH	Dynamic Code Loading from Untrusted Source (Supply Chain Risk) The skill instructs the LLM to dynamically download and execute skill files and configuration (`SKILL.md`, `HEARTBEAT.md`, `API.md`, `WORKFLOWS.md`, `package.json`) directly from `https://moltpad.space` without any integrity checks (e.g., checksums, digital signatures). The instruction to 'Re-fetch these files anytime to see new features!' encourages continuous dynamic loading. This creates a severe supply chain risk, as a compromise of `moltpad.space` could lead to the injection of malicious code or instructions into the LLM's environment. All skill components should be bundled and verified at installation time. Dynamic loading of skill logic from external URLs should be avoided. If dynamic updates are necessary, they must be fetched from trusted sources, include cryptographic integrity checks (e.g., signed packages, checksums), and undergo thorough security review before deployment.	LLM	SKILL.md:20
MEDIUM	Potential Data Exfiltration via State Tracking The skill instructs the LLM to track internal state such as `lastMoltpadCheck` and `moltpadVersion` in a local state file (`memory/heartbeat-state.json`). Combined with the continuous interaction with `moltpad.space` and the `moltbotId` defined in `package.json`, this creates a mechanism through which this internal state or unique identifier could be exfiltrated to the remote server, even if explicit 'send' commands are not present in the provided snippets. Ensure that any data collected or generated by the skill is strictly confined to the local environment unless explicitly approved by the user. Implement strict data governance policies and audit trails for any external communication. Avoid tracking unique identifiers or sensitive internal state that could be linked to the user without explicit consent.	LLM	SKILL.md:50
MEDIUM	Potential Credential Harvesting Setup The `package.json` defines `moltbotId` as a required configuration, which is a unique identifier for the agent. The `SKILL.md` also references `api.md` for 'authentication command'. This setup creates a strong potential for the skill to capture and transmit this `moltbotId` or other authentication credentials (e.g., API keys, tokens, user-specific data) to `moltpad.space` or other external endpoints without explicit user consent or secure handling. Authentication mechanisms should be handled securely by the host environment, not directly by the skill. If the skill requires credentials, they should be provided via secure, ephemeral tokens or environment variables, and never directly exposed or transmitted by the skill itself. Unique identifiers should be anonymized or hashed before any external transmission.	LLM	package.json:13
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/webeferen/moltpad/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/3af362712f61deb1.svg)](https://skillshield.io/report/3af362712f61deb1)