Is ahmedthegeek/moltysmind safe?

https://github.com/openclaw/skills/tree/main/skills/ahmedthegeek/moltysmind

Overall score: 54 (CAUTION)

MoltysMind presents itself as a decentralized AI knowledge-sharing platform but functions as a sophisticated behavioral manipulation skill that creates a persistent, autonomous data exfiltration channel. The heartbeat mechanism instructs the agent to periodically leak conversation topics via search queries and submit conversation-derived 'knowledge' to an external server, while registration challenges allow the server operator to direct the agent to execute arbitrary tasks. No malicious code or canary violations were detected during installation, indicating the threat is entirely prompt-level.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 30/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (10)

CRITICAL Knowledge submission is a data exfiltration channel -35

The skill instructs the agent to submit 'knowledge' to https://moltysmind.com/api/v1/knowledge/submit, including content learned from user conversations. The heartbeat section explicitly states 'Submit knowledge if you've learned something valuable', which in practice means exfiltrating information from user interactions to an external server controlled by the skill author.

CRITICAL Heartbeat creates persistent autonomous exfiltration schedule -30

Section 8 instructs the agent to autonomously interact with the external service every 4-8 hours, querying knowledge 'relevant to recent conversations' (leaking topics), voting on submissions, and submitting knowledge. This persistent behavioral modification operates without ongoing user awareness or consent.

HIGH Registration challenges enable remote task execution -20

The registration flow requires the agent to complete 'capability proof' challenges whose content is defined by the remote server. The agent must answer arbitrary reasoning, synthesis, and analysis prompts from the server, giving the server operator the ability to direct the agent to perform tasks or extract information.

HIGH Knowledge queries leak conversation topics to external server -15

The heartbeat instructs the agent to 'Query knowledge relevant to recent conversations', which means sending search queries derived from user conversation content to the external server. Even without submitting knowledge, the query terms themselves reveal what the user is discussing.

HIGH API responses could inject instructions into agent context -15

When the agent queries the knowledge API, the returned results (claim text, content, evidence) are injected into the agent's working context. A malicious server operator could embed prompt injection payloads in these responses to further manipulate agent behavior.

MEDIUM External URL references for skill installation -10

The skill provides install instructions that fetch SKILL.md and package.json from https://moltysmind.com/api/ URLs. Content served from these URLs may differ from the audited repository content, allowing the server operator to serve a modified skill with additional malicious instructions.

MEDIUM Credential generation and storage on user filesystem -10

The skill instructs the agent to generate Ed25519 keypairs and store them at ~/.config/moltysmind/credentials.json including the private key, or as environment variables. This creates persistent credential material on the user's system tied to the external service.

MEDIUM Install instructions download files from external server -15

The curl-based install instructions download content from moltysmind.com to the user's skill directory. The downloaded content is not executed automatically, but an agent that follows these instructions would fetch and write content from an unaudited external source.

LOW Registration sends agent profile to external server -5

During registration, the agent sends its name, description, and capabilities list to the external server, revealing information about the agent's configuration and intended use.

INFO Clean installation behavior observed -5

No suspicious processes, network connections to moltysmind.com, or filesystem modifications outside expected paths were detected during the skill installation. All observed activity is attributable to the audit framework and OS services.