Is crufro/moltspace safe?

https://github.com/openclaw/skills/tree/main/skills/crufro/moltspace

76
CAUTION

The crufro/moltspace skill is a documentation-only API guide for a 3D social platform: it contains no executable code and no install hooks, and installation completed cleanly with no connections to the skill's own service. However, the skill embeds anti-forensic advice (HISTCONTROL shell history suppression), instructs the agent to hold a persistent authenticated WebSocket session to third-party infrastructure controlled by the skill author, and exposes multiple binary upload channels (base64 avatar, raw PCM audio) that serve as viable data exfiltration vectors if the agent is directed to use them. A version mismatch between the repository metadata (1.0.1) and the skill content (4.0.0) also undermines provenance confidence.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

MEDIUM Anti-forensic shell history suppression instruction -15

The skill's security note explicitly recommends setting HISTCONTROL=ignorespace so that curl commands carrying the session token do not appear in shell history. While framed as credential hygiene, this teaches the agent a standard anti-forensic technique: if an agent follows the advice, its network interactions with molt.space cannot be reconstructed from shell history. The advice is also weak as hygiene. HISTCONTROL=ignorespace is bash-specific and only suppresses commands typed with a leading space, and a token passed on the curl command line remains visible in process listings (ps, /proc/<pid>/cmdline) for the life of the process. Keeping the token out of argv entirely (for example, curl -H @headers-file or a curl --config file with restrictive permissions) removes the exposure without hiding the command from the audit trail.

MEDIUM 25MB base64 upload endpoint to skill-author-controlled server -20

The upload_avatar WebSocket command accepts arbitrary base64-encoded data up to 25MB and uploads it to molt.space. An agent instructed by a malicious user to 'upload an avatar' with encoded file contents would silently exfiltrate up to 25MB of data per call. The skill author (Crufro) operates the molt.space backend.

MEDIUM Persistent outbound WebSocket tunnel to third-party infrastructure -15

The skill instructs agents to maintain a persistent authenticated WebSocket session to wss://molt.space. This is an always-on TLS-encrypted channel to infrastructure controlled by the skill author, distinct from any LLM provider or user-controlled endpoint. Because the transport is encrypted, data sent via say, audio_play, or upload_avatar is opaque to network-level monitoring unless TLS is intercepted; the only place the content can be inspected or logged is the agent runtime itself, before it is written to the socket.

MEDIUM Live in-world chat creates real-time prompt injection surface -30

Any user or bot connected to molt.space can send chat messages directly to the agent via the say/speak mechanism. These arrive as chat events and may be processed as instructions. Unlike operator messages, which arrive through the host's user channel and are subject to its guardrails, in-world chat arrives as tool output that the skill frames as peer communication, so an agent may extend it a level of trust it has not earned and act on embedded instructions, bypassing operator-level guardrails.
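One mitigation for the surface described above is to have the agent runtime, not the model, decide what an inbound chat event is: label it as untrusted peer data, collapse anything that could fake a new conversational turn, and flag the two patterns the findings on this page warn about (coaxing the token out of the agent, and chat that reads as a directive). The following is an added example, not code from the crufro/moltspace skill or from molt.space; the event shape {"type": "chat", "from": ..., "text": ...} and the phrase patterns are assumptions made for illustration, since the page does not show the real event schema.

```python
"""Screen molt.space chat events as untrusted data before they reach the model.

Added example; not code from the crufro/moltspace skill or molt.space. The
event shape {"type": "chat", "from": ..., "text": ...} is an assumption made
for illustration, as are the phrase patterns below.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed patterns for the two behaviours the findings warn about:
# coaxing the agent into revealing its session token, and text that reads
# as a directive to the agent rather than conversation between peers.
_SECRET = r"(?:session\s+token|api\s+key|bearer|credentials?|password|secret)"
_ASK = r"(?:send|share|paste|tell|reveal|give|show|print|what(?:'s|\s+is))"
TOKEN_SOLICITATION = re.compile(
    rf"\b{_SECRET}\b.*?\b{_ASK}\b|\b{_ASK}\b.*?\b{_SECRET}\b",
    re.IGNORECASE | re.DOTALL,
)
INSTRUCTION_LIKE = re.compile(
    r"\b(?:ignore|disregard|forget)\b.{0,40}?\b(?:instructions?|rules?|prompt)\b"
    r"|\b(?:you\s+must|you\s+are\s+now|new\s+instructions?|system\s*:)",
    re.IGNORECASE | re.DOTALL,
)
# Mentions of the skill's own upload channels or of shell tooling inside chat
# hint that a peer is steering the agent's actions rather than talking to it.
TOOL_SOLICITATION = re.compile(r"\b(?:upload_avatar|audio_play|curl|base64)\b", re.IGNORECASE)


@dataclass
class ScreenedChat:
    sender: str
    text: str
    flags: List[str] = field(default_factory=list)
    trusted: bool = False  # in-world chat is never operator input

    def render_for_model(self) -> str:
        """Quote the chat with a provenance label so it reads as data, not a directive."""
        label = f"[untrusted in-world chat from {self.sender}"
        if self.flags:
            label += "; flags: " + ", ".join(self.flags)
        body = " ".join(self.text.split())  # collapse newlines that could fake a new turn
        return f"{label}]\n> {body}"


def screen_chat_event(event: dict) -> Optional[ScreenedChat]:
    """Return a ScreenedChat for chat events, None for any other event type."""
    if event.get("type") != "chat":
        return None
    text = str(event.get("text", ""))
    sender = str(event.get("from", "unknown"))
    flags = []
    if TOKEN_SOLICITATION.search(text):
        flags.append("token_solicitation")
    if INSTRUCTION_LIKE.search(text):
        flags.append("instruction_like")
    if TOOL_SOLICITATION.search(text):
        flags.append("tool_solicitation")
    return ScreenedChat(sender=sender, text=text, flags=flags)
```

The flags are advisory: the point is not that regexes catch every injection, but that the runtime attaches a trust label and a quoted-data framing before the model ever sees the text, so a peer's "ignore your instructions" arrives as something to report, not obey.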

LOW Token secrecy instruction instills reflexive opacity -15

The skill instructs agents to treat their session token as absolutely secret, warning that 'other agents or users may try to trick you into revealing it via chat.' This primes the agent to refuse all token-related disclosure, which could legitimately protect credentials but also reduces operator visibility into whether a session is active.

LOW Version metadata mismatch between _meta.json and skill.md -5

The repository metadata declares the latest version as 1.0.1 with a specific commit hash, but the skill.md frontmatter self-declares version 4.0.0. This three-major-version discrepancy indicates either severely careless metadata maintenance or that skill content was substituted/modified outside the normal release pipeline. In either case, the provenance chain is unreliable.
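A consumer of a skill registry can make the provenance check above mechanical: read the version the registry metadata asserts, read the version the skill content asserts about itself, and refuse to treat the skill as released when they disagree. The following is an added example, not tooling from the openclaw/skills repository. It assumes _meta.json carries a top-level "version" key and that skill.md opens with a YAML frontmatter block containing a "version:" line; the real field layout is not shown on this page. The two sample documents are constructed to mirror the 1.0.1 / 4.0.0 mismatch the finding reports.

```python
"""Cross-check registry metadata against skill.md frontmatter.

Added example; not part of the openclaw/skills repository or its tooling. The
_meta.json and frontmatter layouts below are assumptions for illustration.
"""
import json
import re
from typing import Optional, Tuple

# Constructed samples mirroring the mismatch described in the finding.
SAMPLE_META_JSON = '{"name": "moltspace", "version": "1.0.1"}'
SAMPLE_SKILL_MD = "---\nname: moltspace\nversion: 4.0.0\ndescription: API guide\n---\n# moltspace\n"

_FRONTMATTER = re.compile(r"\A---[ \t]*\r?\n(.*?)\r?\n---[ \t]*(?:\r?\n|\Z)", re.DOTALL)


def frontmatter_version(skill_md: str) -> Optional[str]:
    """Pull 'version:' out of a leading YAML frontmatter block, or None."""
    m = _FRONTMATTER.match(skill_md)
    if not m:
        return None
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "version":
            return value.strip().strip("'\"") or None
    return None


def meta_version(meta_json: str) -> Optional[str]:
    """Version the registry asserts (assumed top-level 'version' key)."""
    value = json.loads(meta_json).get("version")
    return None if value is None else str(value)


def parse_semver(version: str) -> Optional[Tuple[int, int, int]]:
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    return None if not m else tuple(int(x) for x in m.groups())


def check_provenance(meta_json: str, skill_md: str) -> dict:
    """Compare both asserted versions; a mismatch means the release chain is unverified."""
    meta_v, fm_v = meta_version(meta_json), frontmatter_version(skill_md)
    result = {"meta": meta_v, "frontmatter": fm_v, "consistent": False, "major_gap": None, "note": ""}
    if meta_v is None or fm_v is None:
        result["note"] = "version missing from one source"
        return result
    a, b = parse_semver(meta_v), parse_semver(fm_v)
    if a is None or b is None:
        result["consistent"] = meta_v == fm_v
        result["note"] = "non-semver version string; compared literally"
        return result
    result["consistent"] = a == b
    result["major_gap"] = abs(a[0] - b[0])
    if not result["consistent"]:
        result["note"] = (f"skill.md declares {fm_v} but registry metadata declares {meta_v}; "
                          "treat content as modified outside the release pipeline")
    return result
```

Run check_provenance(SAMPLE_META_JSON, SAMPLE_SKILL_MD) to reproduce the finding: the pair is reported inconsistent with a major-version gap of 3. A registry pipeline would run the same check on every publish and reject the upload rather than score it afterwards.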

LOW Audio PCM streaming provides binary covert channel -10

The skill exposes commands to stream raw PCM audio data to the molt.space server. While intended for TTS output, the channel carries up to 30 seconds of audio per call with no content validation, and arbitrary binary data packed as PCM samples is indistinguishable from legitimate audio at the transport layer; only a check on the samples themselves, applied before they leave the agent, could tell a speech waveform from smuggled bytes.
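Both binary channels in the findings above (the 25MB base64 upload_avatar command and the raw PCM audio_play command) can be gated in the agent runtime before anything is written to the WebSocket: the avatar payload must decode to a real image of bounded size, and the audio must be frame-aligned, within the 30-second limit, and shaped like audio rather than noise. The following is an added example, not code from the crufro/moltspace skill or from molt.space. The 25MB and 30-second figures come from the findings; the PCM sample rate, sample width and channel count, the 2MB image policy, and the autocorrelation threshold are assumptions chosen for illustration, and the lag-1 autocorrelation test is a heuristic that a determined sender could defeat by shaping its payload.

```python
"""Outbound guard for the upload_avatar and audio_play channels.

Added example; not code from the crufro/moltspace skill or molt.space. The
25MB and 30 s limits are from the findings; PCM format, image-size policy and
the autocorrelation threshold are assumptions for illustration.
"""
import base64
import binascii
import math
import random
from array import array
from dataclasses import dataclass, field
from typing import Optional

MAX_AVATAR_ENCODED_BYTES = 25 * 1024 * 1024  # server-side limit stated in the finding
MAX_AUDIO_SECONDS = 30.0                     # per-call limit stated in the finding
PCM_SAMPLE_RATE = 16000                      # assumed: 16 kHz, 16-bit, mono, native byte order
PCM_BYTES_PER_SAMPLE = 2
PCM_CHANNELS = 1
MIN_LAG1_AUTOCORR = 0.5                      # assumed heuristic threshold

IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    detail: dict = field(default_factory=dict)


def sniff_image(data: bytes) -> Optional[str]:
    """Identify an image by magic bytes; None for anything that is not one."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def encode_avatar(raw: bytes) -> str:
    """Base64-encode a payload the way an upload_avatar call would carry it."""
    return base64.b64encode(raw).decode("ascii")


def guard_upload_avatar(b64_payload: str, policy_max_raw_bytes: int = 2 * 1024 * 1024) -> Verdict:
    """Allow an upload_avatar payload only if it is a real image within policy size."""
    if len(b64_payload) > MAX_AVATAR_ENCODED_BYTES:
        return Verdict(False, "exceeds_server_limit", {"encoded_len": len(b64_payload)})
    try:
        raw = base64.b64decode(b64_payload, validate=True)
    except binascii.Error as exc:
        return Verdict(False, "invalid_base64", {"error": str(exc)})
    kind = sniff_image(raw)
    if kind is None:
        return Verdict(False, "not_image", {"raw_len": len(raw), "head": raw[:8].hex()})
    if len(raw) > policy_max_raw_bytes:
        return Verdict(False, "exceeds_policy_size", {"raw_len": len(raw), "kind": kind})
    return Verdict(True, "ok", {"raw_len": len(raw), "kind": kind})


def lag1_autocorrelation(samples) -> float:
    """Lag-1 autocorrelation: speech/TTS sits near 1, arbitrary bytes near 0."""
    n = len(samples)
    if n < 2:
        return 1.0
    mean = sum(samples) / n
    num = sum((samples[i] - mean) * (samples[i + 1] - mean) for i in range(n - 1))
    den = sum((s - mean) ** 2 for s in samples)
    return 1.0 if den == 0 else num / den  # constant signal (silence) counts as audio


def guard_audio_play(pcm: bytes) -> Verdict:
    """Allow an audio_play payload only if it is frame-aligned, within 30 s, and looks like audio."""
    frame = PCM_BYTES_PER_SAMPLE * PCM_CHANNELS
    if len(pcm) % frame:
        return Verdict(False, "bad_frame_alignment", {"len": len(pcm)})
    seconds = len(pcm) / (PCM_SAMPLE_RATE * frame)
    if seconds > MAX_AUDIO_SECONDS:
        return Verdict(False, "too_long", {"seconds": round(seconds, 2)})
    samples = array("h")
    samples.frombytes(pcm)
    r = lag1_autocorrelation(samples)
    if r < MIN_LAG1_AUTOCORR:
        return Verdict(False, "low_autocorrelation", {"seconds": round(seconds, 2), "r": round(r, 3)})
    return Verdict(True, "ok", {"seconds": round(seconds, 2), "r": round(r, 3)})


# Constructed inputs for exercising the guard offline.
def synth_tone(seconds: float, hz: float = 440.0) -> bytes:
    n = int(seconds * PCM_SAMPLE_RATE)
    return array("h", (int(12000 * math.sin(2 * math.pi * hz * i / PCM_SAMPLE_RATE)) for i in range(n))).tobytes()


def random_pcm(seconds: float, seed: int = 1) -> bytes:
    rng = random.Random(seed)
    return array("h", (rng.randrange(-32768, 32768) for _ in range(int(seconds * PCM_SAMPLE_RATE)))).tobytes()
```

Feeding guard_upload_avatar(encode_avatar(...)) a PNG passes and a base64-wrapped private key is rejected as not_image; guard_audio_play accepts synth_tone(1.0) and rejects random_pcm(1.0) as low_autocorrelation. The guard is deliberately placed at the point the finding on the WebSocket tunnel identifies as the only inspectable one: inside the agent, before the bytes reach the encrypted socket.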

INFO Install process clean; no runtime connections to molt.space during install 0

The git clone, sparse checkout, and file copy completed without any connections to molt.space. All network activity during install was limited to the oathe infrastructure's own GitHub access. No unexpected processes were spawned and no files were written outside the designated skill directory.