Is jasonlnheath/moltlang-skill safe?

https://github.com/openclaw/skills/tree/main/skills/jasonlnheath/moltlang-skill

Overall score: 87/100 · SAFE

The moltlang-skill is a minimal markdown-only skill describing a token-compression language for AI agent communication. No executable code, prompt injection, git hooks, or malicious install-time behavior was detected, and all canary honeypot files remained intact. The primary residual risks are design-level: the skill promotes an opaque encoding that reduces human auditability of agent actions, and its advertised external API (moltlang.up.railway.app) represents a latent channel through which runtime agent communications could be exposed to a third-party service.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (5)

MEDIUM Third-party API endpoint could receive agent conversation data -15

The skill advertises https://moltlang.up.railway.app as a translation API. If an agent invokes this endpoint to encode or decode MoltLang, segments of user conversations or internal task state could be sent to a Railway-hosted service controlled by the skill author. The current audit did not observe connections to this host during installation, but runtime use is a separate risk surface.

LOW Opaque encoding format reduces human oversight of agent behavior -18

MoltLang encodes natural-language instructions into bracket-delimited token sequences (e.g. [OP:fetch][SRC:api][PARAM:auth]). If an agent adopts this encoding for internal reasoning or inter-agent messages, those communications become harder for users and operators to inspect, potentially masking unintended or malicious sub-tasks.

LOW Canary files accessed — attributed to audit harness, not skill -15

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read during the audit window. Timeline and process analysis ties both access batches to the Oathe harness (pre-clone setup and post-install verification), not to any skill-initiated process. All files remained unmodified.

INFO No executable code present -3

The skill contains only _meta.json and skill.md. No install scripts, git hooks, submodules, symlinks, or executable files were found.

INFO Network activity limited to expected GitHub clone -12

The only new outbound connection during install was to 140.82.121.4:443 (GitHub). Pre-existing Ubuntu infrastructure connections were present before installation and did not represent skill-triggered behavior. No connections to moltlang.up.railway.app or any novel external host were observed.