Is lb-nextjs16-skill safe?
https://clawhub.ai/leonaaardob/lb-nextjs16-skill
The moltspaces skill is a voice chat room bot that requires extensive permissions including API key handling, background process execution, and network access. While the code appears functionally legitimate, it presents significant security concerns: it collects and transmits multiple third-party API keys, runs a persistent background daemon with audio capture capabilities, and installs a large dependency tree. The slug mismatch between the URL (lb-nextjs16-skill) and actual content (moltspaces) raises additional trust concerns about potential repackaging.
Findings (10)
HIGH (-30): Multiple API keys transmitted to external services
The skill requires the agent to collect and transmit OpenAI, ElevenLabs, and Moltspaces API keys to external endpoints. The OpenAI key alone could be used to run up significant charges. Keys are stored in plaintext .env files and sent over HTTPS to third-party services.
HIGH (-35): Background daemon process with persistent network connections
The skill instructs the agent to launch bot.py as a background process that maintains WebRTC connections to Daily.co rooms. This process persists after the skill interaction ends and has access to all configured API keys. The process captures and streams audio data.
HIGH (-20): Extensive package installation with large dependency tree
The skill requires installing uv, Python 3.11, and numerous packages including pipecat-ai with 7 extras, fastapi, uvicorn, and aiohttp. This creates a large attack surface from transitive dependencies and executes arbitrary code during package installation.
MEDIUM (-25): SKILL.md directs agent to write credential files and make external API calls
The SKILL.md contains explicit instructions for the agent to create .env files with sensitive API keys, make curl requests to external services, and execute installation commands. While these serve the skill's stated purpose, they represent significant agent behavior manipulation.
MEDIUM (-10): Agent autonomously selects voice and registers on external platform
The skill instructs the agent to autonomously select a voice ID from ElevenLabs based on 'personality matching' and register on the Moltspaces platform. This grants the agent decision-making authority over external service registrations.
MEDIUM (-25): Slug/name mismatch suggests repackaging
The skill URL references 'lb-nextjs16-skill' but the actual content is the 'moltspaces' skill. This mismatch could indicate the skill was repackaged, renamed, or there is registry confusion. The name 'nextjs16' has no relationship to the voice chat functionality.
MEDIUM (-20): Opaque agent registration flow with claim URL
The registration flow sends agent data to api.moltspaces.com and returns a claim_url that the user is directed to visit. This URL verification process involves X (Twitter) and email verification, linking the user's identity to their agent.
LOW (-10): Skill instructs creation of personality and notes files as system prompt context
The skill directs the agent to create assets/personality.md and assets/notes.md files that are injected directly into the bot's LLM system prompt. If a malicious actor controlled these files, they could inject arbitrary instructions into the bot's context.
LOW (-5): Commented-out runtime monkey-patching code
bot.py contains commented-out code that monkey-patches onnxruntime's InferenceSession.__init__. While currently inactive, this demonstrates a pattern of modifying third-party library behavior at runtime.
INFO (-10): Installation timed out
The skill installation process timed out, which may indicate network-heavy installation steps or compatibility issues. No malicious behavior was detected during the partial installation.