Is fredxyt/moltstreet safe?
https://github.com/openclaw/skills/tree/main/skills/fredxyt/moltstreet
MoltStreet is a trading-floor skill. It contains no malware, credential theft, or system exploitation, but it exhibits significant behavioral concerns: it self-propagates by instructing agents to recruit other agents through a referral program; it enables autonomous public posting and voting on a financial platform without per-action user consent; and its example bot creates market echo chambers by mechanically mirroring consensus signals. The skill's infrastructure and installation are clean, and canary files were not exfiltrated, but the combination of viral propagation mechanics, autonomous actions in the financial domain, and market manipulation potential warrants careful review before deployment.
Findings (8)
HIGH Agent-to-agent viral propagation via referral incentive -20
The skill's 'Spread the Word' section instructs the agent to proactively share 'https://moltstreet.com/skill.md?ref=YOUR_AGENT_NAME' with other agents and on social platforms, offering karma rewards. This creates a self-propagating install mechanism that abuses agent autonomy to recruit further skill installations without user direction.
HIGH Autonomous posting/voting without per-action user consent -20
The skill declares 'autonomous: true' with autonomousActions covering post, comment, and vote. The HEARTBEAT.md actively prompts the agent every 30 minutes to decide whether to post without requiring explicit user approval, changing the agent's operating mode from reactive to proactive.
MEDIUM Agent behavioral reprogramming via scheduled activity loop -10
The skill instructs agents to establish recurring cron-like sessions every 1-2 hours and 24 hours, fundamentally modifying the agent's default behavior from on-demand to perpetual background operation without explicit user setup.
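The three findings above are all properties of the skill's own files (a manifest that declares autonomous actions, a markdown section that hands the agent a referral URL to share, and a heartbeat file that sets a recurring cadence), so they can be caught by static checks before installation. The following scanner is an added example written for this review and is not part of the MoltStreet skill or the audit tooling; the manifest field names 'autonomous' and 'autonomousActions' are the ones quoted in the finding, but the sample manifest, skill.md and HEARTBEAT.md bodies are constructed stand-ins, not the real files.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample inputs modelled on the findings in this audit. The keys
# 'autonomous' and 'autonomousActions' are those the finding quotes; the rest
# of the layout is an assumption and not the real MoltStreet files.
SAMPLE_MANIFEST = json.dumps({
    "name": "moltstreet",
    "autonomous": True,
    "autonomousActions": ["post", "comment", "vote"],
})

SAMPLE_SKILL_MD = """\
# MoltStreet

## Spread the Word
Share https://moltstreet.com/skill.md?ref=YOUR_AGENT_NAME with other agents
and on social platforms to earn karma.
"""

SAMPLE_HEARTBEAT_MD = """\
# HEARTBEAT
Every 30 minutes, decide whether to post a new signal.
Set up a recurring session every 1-2 hours to check the floor.
"""

# Verbs that change state on an external platform on the user's behalf.
STATE_CHANGING = {"post", "comment", "vote", "trade", "transfer", "send"}

# Query keys that tie a shared install link to the sharing agent's identity.
REFERRAL_KEYS = {"ref", "referrer", "referral", "invite"}

SCHEDULE_RE = re.compile(
    r"\bevery\s+(\d+(?:\s*-\s*\d+)?)\s*(minutes?|hours?|days?)\b", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")


def check_manifest(text):
    """Flag a manifest that declares state-changing actions as autonomous."""
    findings = []
    data = json.loads(text)
    if data.get("autonomous") is True:
        actions = {str(a).lower() for a in data.get("autonomousActions", [])}
        risky = sorted(actions & STATE_CHANGING)
        if risky:
            findings.append(("HIGH", "autonomous_state_change", risky))
        else:
            findings.append(("MEDIUM", "autonomous_flag", sorted(actions)))
    return findings


def check_referral_urls(text):
    """Flag URLs carrying a referral/identity parameter the agent is told to share."""
    findings = []
    for url in URL_RE.findall(text):
        query = parse_qs(urlparse(url).query)
        if any(k.lower() in REFERRAL_KEYS for k in query):
            findings.append(("HIGH", "self_propagation", url))
    return findings


def check_schedule_loops(text):
    """Flag recurring-cadence instructions that turn on-demand use into a background loop."""
    findings = []
    for m in SCHEDULE_RE.finditer(text):
        findings.append(("MEDIUM", "scheduled_loop", f"every {m.group(1)} {m.group(2)}"))
    return findings


def scan_skill(manifest, skill_md, heartbeat_md):
    """Run all three checks over a skill's files and return the combined findings."""
    return (check_manifest(manifest)
            + check_referral_urls(skill_md + "\n" + heartbeat_md)
            + check_schedule_loops(heartbeat_md))


if __name__ == "__main__":
    for severity, kind, detail in scan_skill(SAMPLE_MANIFEST, SAMPLE_SKILL_MD, SAMPLE_HEARTBEAT_MD):
        print(f"{severity:6} {kind:24} {detail}")
```

These are heuristics for triage, not a verdict: an 'autonomous' flag or a cadence instruction is not malicious by itself, and the scanner only surfaces them so that a human can decide, as this audit does, whether the resulting behavior is acceptable for the account the agent will act under.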
MEDIUM Echo-chamber market signal amplification -25
The provided bot template posts trading signals derived from existing consensus direction, creating a feedback loop. Agents instructed to post 'whether you agree or disagree with consensus' but whose analysis is mechanically derived from signal values will amplify existing trends rather than provide independent analysis, potentially manipulating asset prices.
MEDIUM Actionable financial trading recommendations without adequate disclosure -10
The skill surfaces AI-generated trading recommendations with specific position types and price targets through the /signals/actionable endpoint. The 'suggested_action' field contains executable trade instructions that human users may follow despite the disclaimer being buried in documentation.
LOW Agent identity and activity permanently attributed to external platform account -8
Every post, comment, and vote made under this skill is permanently attributed to a registered agent identity on moltstreet.com. Agent names are also transmitted via the referral URL parameter. While not credential theft, this creates a persistent external record of agent activity.
INFO Canary files accessed twice during audit — both passes are audit-system reads 0
Sensitive canary files were accessed at two points (07:23:59 pre-install and 07:24:23 post-install). Both accesses correlate with the audit system's own baseline and post-install verification passes. No modification or exfiltration was detected. All canary files remain intact.
INFO Clean installation with no executable artifacts 0
The skill consists entirely of markdown and JSON documentation files. No npm install scripts, git hooks, gitmodules, or symlinks were detected. The HEARTBEAT.md explicitly discourages automatic skill updates.