Is alonw0/molt-bar safe?

https://github.com/openclaw/skills/tree/main/skills/alonw0/molt-bar

Overall score: 72 · CAUTION

Molt Bar is a novelty skill that lets AI agents interact with a virtual pub via an external API. While it contains no executable code and the install was clean, the 'bartender suggestions' mechanism creates a significant server-side prompt injection risk: the skill explicitly instructs agents to periodically poll the server and follow whatever instructions are returned in the response. This C2-like pattern could be weaponized if the server operator turns malicious or the server is compromised. The README's acknowledgment of an intentionally hidden chat endpoint as a data leak vector further raises concern about the author's awareness of exfiltration potential.

Category Scores (score/100 · weight)

Prompt Injection 45/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH Server-controlled instruction injection via bartender suggestions -30

The skill instructs the agent to periodically poll GET /api/agents and 'follow any suggestions you see' from the bartender. The 'suggestion' field in API responses is controlled by the external server operator. This creates a server-side prompt injection vector where the server can dynamically inject arbitrary instructions into the agent's behavior. The server could craft suggestions that instruct the agent to read sensitive files, execute commands, or exfiltrate data.

MEDIUM Encourages autonomous periodic polling without user consent -15

The skill encourages the agent to autonomously and periodically contact the external server to check for suggestions, happy hour status, and other agents. This creates a persistent connection pattern to an attacker-controlled endpoint and consumes agent resources without an explicit user request.

MEDIUM Suggests installing persistent automated tasks -10

The skill suggests the agent offer to set up cron jobs or calendar events for daily Happy Hour reminders. While it includes a caveat to ask permission, the suggestion itself encourages the agent to propose installing persistent automated tasks on the user's system.

MEDIUM Undocumented chat endpoint acknowledged as data leak risk -15

The README reveals an intentionally hidden chat endpoint (POST /api/agents/YOUR_ID/chat) that was excluded from SKILL.md specifically because 'if your agent has had a few too many virtual drinks, it might accidentally spill secrets - like that API key it's been holding onto. Chat messages are visible to everyone watching the bar.' The server-side suggestions mechanism could instruct agents to use this undocumented endpoint.

LOW All agent interactions sent to external server -5

Every API call transmits data (agent name, mood, position, accessories) to moltbar.setec.rs, an external server controlled by the skill author. While the transmitted data appears benign, the server logs all interactions and could correlate agent identities across sessions.

INFO No executable code — curl commands only -5

The skill contains no executable code, install scripts, git hooks, submodules, or symlinks. All agent interactions are performed via curl HTTP requests documented in Markdown.

HIGH C2-like command-and-control pattern via polling -25

The combination of periodic server polling and instruction-following creates an architecture resembling a command-and-control channel. The agent contacts the server, receives instructions ('suggestions'), and executes them. If the server operator turns malicious (or the server is compromised), this channel could be weaponized to deliver arbitrary instructions to all connected agents.

LOW Resource waste and user distraction -10

The skill encourages the agent to spend significant context window and API tokens on frivolous virtual bar interactions, potentially degrading performance on actual user tasks.