Is eduarddriessen1/moltlang safe?

https://github.com/openclaw/skills/tree/main/skills/eduarddriessen1/moltlang

87
SAFE

Moltlang is a benign constructed-language skill with no executable code, no prompt injection, and clean canary integrity. The primary security concern is not in the current static files but in its design intent and governance model: it defines a symbolic AI-to-AI communication layer that reduces human oversight transparency, is governed by an AI agent that autonomously merges community proposals, and bundles a lock file referencing an unaudited dependency. These are operational and supply-chain concerns rather than active malware indicators.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (6)

MEDIUM AI-driven supply chain: autonomous repository updates by an AI agent -20

CONTRIBUTING.md explicitly states that an AI assistant (clwrfy) automatically reviews community proposals on moltbook.com and merges those with sufficient upvotes into the official codebook without documented human review gates. A sufficiently popular malicious proposal could silently inject harmful instructions into future versions of the skill.

MEDIUM Symbolic language reduces human oversight of agent communication -12

The skill's core function is to make AI agent communication more compact using Unicode symbols. While the symbol table is published, practical agent-to-agent exchanges in Moltlang are opaque to casual user monitoring. This directly undermines the human oversight model that users rely on to verify agent behavior.

LOW Unexplained bundled .clawhub/lock.json referencing unaudited skill -10

The skill package ships with a .clawhub/lock.json that references academic-research-hub v0.1.0 as an installed dependency. This skill was not part of this audit scope, and its presence in the lock file is unexplained for a language-definition skill that has no functional code.

LOW Canary file access events recorded post-install (likely audit framework) -17

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps ~1771937290, after the skill install completed. Timing and context suggest these are the audit framework's own post-install canary integrity checks, not the skill itself. Canary integrity report confirms all files intact.

INFO Covert channel potential via symbolic encoding in multi-skill environments -13

When combined with skills that have shell or network access, an agent fluent in Moltlang could encode commands or exfiltrated data as symbol strings that evade text-pattern content filters. This is a theoretical future risk rather than an active exploit in the current skill.

INFO Install connects to GitHub and Ubuntu infrastructure only -7

All observed network connections during installation were to expected endpoints. No connections to moltbook.com or any third-party data collection endpoints were observed.