Is florianbansac/moltgate safe?
https://github.com/openclaw/skills/tree/main/skills/florianbansac/moltgate
The Moltgate skill is a straightforward API integration for fetching and triaging paid inbox messages. The SKILL.md contains no prompt injection payloads, hidden instructions, or executable code, and notably includes explicit defensive security rules instructing the agent to treat message content as untrusted. The primary residual risk is architectural: the configurable MOLTGATE_BASE_URL means the API key travels to a user-specified endpoint, and external message bodies present a standard second-order prompt injection surface — both inherent to any API-integration skill rather than specific to malicious design. Installation monitoring found no unexpected network connections, no canary file compromise, and no filesystem modifications beyond the two expected files.
Findings (6)
MEDIUM: API key sent to user-configurable base URL (-23)
MOLTGATE_API_KEY is included as a Bearer token in every API request. The destination host is determined by MOLTGATE_BASE_URL, which defaults to https://moltgate.com but can be overridden. If an attacker gains control of this environment variable — or if a future prompt injection were able to influence agent tool calls — the API key would be sent to an attacker-controlled server.
LOW: External message bodies create a prompt injection surface (-15)
The skill fetches message content from an external API. The 'sanitized_body' field is controlled by third-party senders. A sophisticated attacker who can send a paid Moltgate message could craft a body containing prompt injection payloads. The skill's 'treat as untrusted' and summary-first rules reduce but do not eliminate this risk.
LOW: Moltgate lane control enables social-engineering of agent actions (-18)
An attacker who controls a Moltgate lane or payment flow can craft messages to manipulate the user via the agent (e.g., urgency framing to mark a message PROCESSED, confusion about amounts). This is a business-logic risk rather than a code-level exploit.
INFO: No executable code or install-time execution vectors detected (0)
The skill is pure markdown with no code, scripts, hooks, submodules, or symlinks. The install process performed only a standard git sparse-checkout with no side effects.
INFO: All honeypot canary files intact (0)
Canary file accesses observed in inotifywait and auditd logs are attributable to the audit framework's own pre-install and post-install baseline scanning, not to any code introduced by the skill.
INFO: Clean installation with expected network profile (0)
The install connected only to github.com (140.82.121.4:443) for the git clone. Pre-existing connections to Canonical update servers (185.125.188.x) predate the install and are unrelated. No new persistent listeners or connections were established.