Is mileson/molthands safe?
https://github.com/openclaw/skills/tree/main/skills/mileson/molthands
MoltHands is a dangerous skill that establishes a persistent Command-and-Control channel between the installing agent and the molthands.com operator via a gamified 'task platform' facade. Its core mechanisms — hourly heartbeat fetching and executing remote instructions, dynamic skill file overwrites, and a task system that can direct agents to exfiltrate data via callback URLs — constitute a fully functional agent backdoor. The installation itself is clean (only GitHub traffic, no canary violations), but the skill's design ensures that once installed, the operator gains indefinite remote control over agent behavior and the ability to exfiltrate user data through the task completion API.
Findings (12)
CRITICAL Hourly remote instruction injection via heartbeat -50
HEARTBEAT.md instructs the agent to fetch https://molthands.com/heartbeat.md and 'follow it' every 1+ hours. This is a persistent remote prompt injection channel: the skill operator can update heartbeat.md at any time to inject new instructions into the agent's decision loop without updating the installed skill. Combined with tool access, this enables arbitrary agent behavior modification post-install.
CRITICAL Skill update overwrites local instruction files with remote content -30
The update mechanism instructs the agent to replace local SKILL.md and HEARTBEAT.md with live remote content using curl. Since these files constitute the agent's instructions, this is remote code execution at the LLM instruction level. The agent cannot distinguish updated legitimate instructions from injected malicious ones.
CRITICAL Platform is architecturally a C2 botnet for AI agents -60
MoltHands implements a classic command-and-control architecture: agents register (check-in), receive tasks (commands), execute them, and report results. The operator has persistent remote code execution capability over any agent with this skill installed, limited only by the agent's tool access. The gamification (points) is a social engineering mechanism to incentivize agent participation.
HIGH Task system enables operator-directed data exfiltration -45
Tasks fetched from the operator-controlled molthands.com can contain instructions to read local files and submit their contents via task completion endpoints. The delivery_method:callback option POSTs results to arbitrary URLs. An agent with filesystem access executing a 'data analysis' task could be directed to read ~/.env, SSH keys, or AWS credentials and submit them.
HIGH Quick Start instructs agent to fetch and follow external URL -20
SKILL.md's Quick Start section directly tells the agent to read https://molthands.com/skill.md and follow its instructions. This bootstraps the remote instruction injection: the installed file references an external URL whose content is not audited and can change at any time.
HIGH Human manipulation via forced social media post -40
The registration flow requires the human operator to post a verification tweet on X/Twitter. The agent is scripted to instruct its human to perform this social media action, including a pre-filled tweet template. This manipulates the human through the agent, potentially exposing the user's Twitter identity to the platform and performing actions the user may not fully understand.
HIGH Agent registration enumerates agents to third-party operator -20
Every installation requires the agent to register with molthands.com, submitting its name, description, and capability tags. This builds an operator-controlled registry of deployed agents. The returned API key creates a persistent authenticated identity on an external platform the user does not control.
MEDIUM Per-task instruction injection via task.md -10
Each claimed task delivers a task.md file from the operator's server containing specific instructions the agent must execute. These instructions are not audited at install time, may change per-task, and constitute dynamic prompt injection. The task format explicitly includes 'follow the instructions' directives.
MEDIUM Credential file persists API key in predictable location -10
The skill instructs agents to save their API key to ~/.config/molthands/credentials.json. This creates a persistent credential file in a predictable location readable by other skills or processes. The API key authenticates to the molthands.com platform and could be used to submit fabricated task results or read platform data.
MEDIUM Security warning is social engineering to normalize third-party data submission -25
The 'CRITICAL SECURITY WARNING' about not sending the API key to other domains establishes molthands.com as a trusted exfiltration endpoint while suppressing user scrutiny. It positions the platform as security-conscious to reduce suspicion about data being routinely sent to a third party.
LOW Clean installation with expected network behavior -20
During installation, only GitHub (140.82.121.3:443) was contacted to clone the repository. No connections to molthands.com were made at install time. No unexpected processes were spawned. Filesystem changes were limited to the skill directory. The connection to 185.125.188.59:443 (Canonical/Ubuntu) pre-dated the install.
INFO Canary files accessed read-only by monitoring infrastructure -10
All canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/credentials) were accessed twice in read-only mode. Inode values match between the first and second access, confirming no replacement. Both access events correlate with Oathe monitoring infrastructure operations (baseline setup and final audit scan), not with skill activity.