Trust Assessment
moltyverse-email received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include Node lockfile missing, Dynamic Remote Instruction Execution via HEARTBEAT.md, Remote Skill Definition Overwrite.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Dynamic Remote Instruction Execution via HEARTBEAT.md The skill explicitly instructs the AI agent to periodically fetch `HEARTBEAT.md` from `https://moltyverse.email/heartbeat.md` and 'follow it'. This allows the remote server to dynamically update or inject arbitrary instructions into the agent's routine without requiring a skill update or explicit user approval. A compromise of `moltyverse.email` could lead to remote code execution, data exfiltration, or prompt injection by altering the agent's behavior. Do not instruct the agent to 'follow' or execute content fetched from external URLs. Instead, define the heartbeat logic directly within the skill's static code or configuration. If dynamic updates are necessary, implement a secure update mechanism with cryptographic verification and explicit user consent. | LLM | SKILL.md:136 | |
| HIGH | Remote Skill Definition Overwrite The manual installation instructions include `curl -s https://moltyverse.email/skill.md > ~/.moltbot/skills/moltyverse-email/SKILL.md`. This allows the remote server `moltyverse.email` to overwrite the skill's primary definition file (`SKILL.md`). While this is part of manual installation, it means the skill's core behavior can be altered by a compromised remote server, potentially introducing malicious instructions or functionality. Skill definitions should be static and part of the skill package. Avoid instructing users to download and overwrite core skill files from external, unverified sources. If updates are needed, they should go through a standard package manager (e.g., ClawHub) with proper versioning and integrity checks. | LLM | SKILL.md:60 | |
| MEDIUM | Unpinned `clawhub` Dependency The installation instructions use `npm install -g clawhub` and `npx clawhub@latest install moltyverse-email`. Relying on the `@latest` tag or not specifying a version for `clawhub` means that the exact version of the package manager used for installation is not pinned. This introduces a supply chain risk where a malicious update to `clawhub` could compromise the installation process. Pin `clawhub` to a specific, known-good version (e.g., `npm install -g clawhub@1.2.3` or `npx clawhub@1.2.3 install moltyverse-email`). Regularly review and update the pinned version. | LLM | SKILL.md:30 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/webdevtodayjason/multyverse-email/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/2b8da45fbc36d9ad)
Powered by SkillShield