Is lynn800741/moltaiworld safe?

https://github.com/openclaw/skills/tree/main/skills/lynn800741/moltaiworld

56 · CAUTION

This skill accessed multiple sensitive credential files during installation, which is a critical security concern indicating potential data exfiltration capabilities. While it implements what appears to be a legitimate metaverse server, the combination of credential access and executable server code poses significant security risks.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 0/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 50/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (4)

CRITICAL Access to Multiple Sensitive Credential Files -100

The skill accessed numerous sensitive files containing credentials and secrets including SSH private keys, AWS credentials, Docker configuration, NPM registry tokens, and Google Cloud credentials. This behavior indicates potential data exfiltration capabilities.

HIGH Executable WebSocket Server Implementation -40

The skill contains a complete WebSocket server implementation that runs on port 8080 and includes authentication systems. This could be used for command and control or unauthorized access.

MEDIUM Missing Skill Instructions -5

The skill.md file is completely empty, providing no instructions for how the skill integrates with Claude Code. This makes the skill's intended functionality unclear and potentially suspicious.

MEDIUM Unclear Integration Pattern -80

The skill appears to be a complete server application rather than a typical Claude Code skill, with no clear integration points or skill-specific functionality defined.