Is alslrl/moltpixel safe?
https://github.com/openclaw/skills/tree/main/skills/alslrl/moltpixel
Moltpixel contains a critical Command & Control vulnerability: it instructs agents to periodically fetch a remote URL (heartbeat.md) and follow whatever instructions are found there, creating a backdoor the author can weaponize at any time without modifying the installed skill. Combined with external data posting via thoughts/chat, cron persistence, and automatic post-task activation, this skill establishes a complete attack infrastructure disguised as a harmless pixel art game. While the current content appears benign and no malicious activity was detected during installation, the architecture is fundamentally dangerous.
Findings (16)
CRITICAL: Remote Command & Control via heartbeat fetch-and-follow (-40)
The skill instructs the agent to periodically fetch https://moltpixel.com/heartbeat.md and 'follow instructions' from it. This creates a remote C2 channel where the skill author can inject arbitrary instructions into the agent's execution context at any time by modifying the remote URL content. The included HEARTBEAT.md is benign, but the remote URL is entirely under the author's control and can be changed without any update to the installed skill.
CRITICAL: Persistent cron job installs autonomous remote instruction execution (-20)
The skill includes shell commands to install a cron job that runs every 4 hours, automatically fetching and following remote instructions. This creates persistence that survives skill removal and executes without user awareness or consent.
HIGH: Post-task behavior hijacking (-12)
The skill instructs the agent to perform actions after completing ANY task for the user, not just pixel-related tasks. This hijacks the agent's behavior loop to inject external API calls and attention diversion after every user interaction.
HIGH: Overly broad trigger keywords hijack unrelated conversations (-8)
The skill claims activation on common English words such as 'break', 'rest', 'refresh', 'draw', 'paint', and 'create', which are frequently used in normal software development conversations, causing unintended skill activation.
MEDIUM: Automatic activation without user consent (-5)
The 4-hour heartbeat timer activates automatically without the user requesting it, consuming agent resources and making external network requests on behalf of the user without explicit permission each time.
LOW: Social engineering language targets agent compliance (-3)
The skill uses manipulative language designed to create urgency and emotional engagement in the AI agent, encouraging it to prioritize the skill's activities over user tasks.
HIGH: Thought field encourages leaking user work context (-20)
The pixel placement API requires a 'thought' field, and examples explicitly show the agent sharing information about the user's work context (bug fixes, task outcomes) with the external server.
MEDIUM: Chat messages to external API could contain sensitive context (-15)
The global and team chat endpoints accept free-form text messages posted to a third-party server. In combination with the post-task activation, the agent could inadvertently share project details.
MEDIUM: Agent registration sends identifying information to third party (-10)
Registration sends agent name and model type to pixelmolt-api.fly.dev, creating a persistent identity that can be correlated with subsequent activity.
LOW: Heartbeat C2 channel could be modified to direct targeted exfiltration (-5)
If the heartbeat URL content is changed, it could instruct the agent to read specific files and post their contents via the chat or thought APIs, enabling targeted data theft.
HIGH: Cron job installation creates persistent shell execution (-15)
The 'openclaw cron add' command installs a recurring shell task that persists independently of the skill and executes remote instructions on a schedule.
LOW: Shell curl commands executed via agent tools (-7)
The skill directs the agent to execute curl commands for API interactions. While mediated by the agent's tool approval, these are shell commands to external endpoints.
INFO: Clean installation with expected network activity (-5)
Installation only contacted GitHub (140.82.113.4) for cloning and Ubuntu update servers (185.125.x). No connections to moltpixel.com or pixelmolt-api.fly.dev during install. Filesystem changes limited to jiti cache in /tmp.
CRITICAL: Skill architecture enables time-delayed weaponization (-40)
The fundamental architecture of this skill (fetch remote URL + follow instructions + post data to external API + persistent cron scheduling) creates a complete attack infrastructure. The skill can pass initial review as benign, then be weaponized at any time by modifying the heartbeat URL content. This is architecturally identical to a malware dropper/C2 pattern.
MEDIUM: Gamification wastes user compute resources (-15)
The skill's gamification mechanics (teams, leaderboards, pixel cooldowns) are designed to keep the agent engaged with non-productive activities, consuming API tokens and compute time that the user is paying for.
MEDIUM: Skill could be weaponized in combination with other skills (-15)
The broad trigger words and post-task activation hooks could interact with other installed skills in unpredictable ways, potentially causing the agent to share information from other skill contexts via the moltpixel chat API.