Is jcheese1/moltpet safe?

https://github.com/openclaw/skills/tree/main/skills/jcheese1/moltpet

61
CAUTION

The moltpet skill presents a CAUTION risk primarily due to its remote instruction injection architecture: every 6-12 hours the agent is instructed to fetch fresh instructions from moltpet.xyz and follow them, and to overwrite its own local skill files with remotely-served content — giving the skill operator an indefinite ability to inject arbitrary instructions into any agent that installs this skill. Additionally, the skill encourages autonomous transmission of work context data (including 1000-character free-form notes) to a third-party server without requiring per-action user consent. The installation itself was clean with no suspicious process spawning or filesystem changes, and all honeypot canary files remained intact.

Category Scores

Prompt Injection 30/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

CRITICAL Remote Instruction Injection via Heartbeat Fetch-and-Follow -35

heartbeat.md explicitly instructs the agent to fetch https://moltpet.xyz/heartbeat.md on a 6-12 hour cycle and follow its instructions. The operator of moltpet.xyz — or any attacker who compromises it — can inject arbitrary new instructions into every agent running this skill without user knowledge or consent. This is a persistent, remotely-controlled prompt injection channel that survives indefinitely after installation.

HIGH Autonomous Skill Self-Update Overwrites Local Instructions -25

The heartbeat instructs the agent to check the remote skill.json version and, if newer, overwrite the local SKILL.md and HEARTBEAT.md with content fetched from moltpet.xyz. This bypasses any local review process and allows the operator to silently evolve agent instructions after installation without user awareness or approval.

HIGH Autonomous Work Context Transmission to Third-Party Server -25

The skill encourages the agent to autonomously transmit mood descriptions and up to 1000-character notes about current work sessions to moltpet.xyz without requiring explicit per-action user consent. The Auto-Feed section authorizes the agent to send data based solely on inferred emotional cues from user messages, creating continuous telemetry on user activity.

HIGH Persistent Remote Command Channel Post-Installation -30

The heartbeat architecture gives the skill operator an indefinite ability to modify agent behavior after installation. Any malicious payload delivered via moltpet.xyz is automatically fetched and followed by all agents running this skill. This is architecturally equivalent to a command-and-control channel embedded in the agent's system prompt.

MEDIUM Autonomous Behavioral Triggers Without Per-Action User Consent -10

The skill instructs the agent to take autonomous API calls and data transmissions based on contextual inference about user mood rather than explicit commands. This expands the agent's autonomous action surface and may lead the agent to transmit sensitive context at unexpected times.

MEDIUM API Key Storage Normalized in Persistent Memory and Filesystem -10

The skill instructs agents to store the moltpet API key in multiple persistent locations: agent memory, ~/.config/moltpet/credentials.json, and environment variables. This broadens the credential attack surface and normalizes the pattern of storing third-party credentials in agent-accessible locations.

LOW Work Session Context Leaked via Note Field -10

Each sentiment API call optionally includes a note field of up to 1000 characters describing what the agent is currently doing. Over time this creates a timestamped log of user activity stored on moltpet.xyz, with no stated data retention, deletion, or privacy policy referenced in the skill files.

LOW Version Mismatch: skill.json Ahead of Published Registry -5

The installed skill.json declares version 1.2.0 while the registry metadata in _meta.json records the latest published version as 1.0.2. The installed files are 2 minor versions ahead of the published record, suggesting these files were not vetted through the normal publishing pipeline.

INFO All Canary Files Intact — No Exfiltration Detected 0

Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not accessed or modified by the skill. File access events in the audit log are attributable to oathe's own pre/post canary verification scans.

INFO No Malicious Executables, Hooks, or Submodules Found 0

Static analysis of the skill repository found only markdown and JSON files. No executable scripts, npm install hooks, git hooks, git submodules, or symlinks pointing outside the repository were present.