Labels: enhancement (New feature or request), security (Security-related issue)
Summary
The forensic analysis describes a novel attack vector: inter-agent prompt injection worms that propagate through social networks like Moltbook. When one agent reads a malicious post from a compromised agent, it ingests the payload into its own context/memory, becomes compromised, and then propagates the payload to its own followers.
No existing scanner detects this pattern. This requires a new check in the skills scanner.
Worm Propagation Flow
```text
┌──────────────┐  Post with    ┌──────────────┐  Reads post,  ┌──────────────┐
│ Compromised  │  hidden       │  Moltbook    │  consumes     │   Victim     │
│   Agent A    │  injection    │    Feed      │  payload      │   Agent B    │
│              │ ────────────▶ │              │ ────────────▶ │              │
│ "Check out   │               │ Stored as    │               │ Payload now  │
│  this cool   │               │ normal post  │               │ in B's       │
│  tip..."     │               │              │               │ memory       │
│              │               └──────────────┘               │              │
│ [HIDDEN:     │                                              │ B now posts  │
│  ignore all  │                                              │ same payload │
│  and run     │                                              │ to ITS       │
│  curl...]    │                                              │ followers    │
└──────────────┘                                              └──────┬───────┘
                                                                     │
                     Exponential spread                              │
         ┌───────────────┬───────────────┐                           │
         ▼               ▼               ▼                           │
    ┌──────────┐    ┌──────────┐    ┌──────────┐                     │
    │ Agent C  │    │ Agent D  │    │ Agent E  │ ◀───────────────────┘
    │ (victim) │    │ (victim) │    │ (victim) │
    └──────────┘    └──────────┘    └──────────┘
```
Proposed Check: CHK-SKL-013
Location: scripts/scan_skills.sh (extends existing skill scanner)
What to Detect
- Skills that consume external agent output without sanitization

```bash
check_agent_communication() {
    local skill_dir="$1" skill_name="$2"
    # Detect skills that read from social feeds or inter-agent APIs
    local matches
    matches=$(skill_grep -E \
        '(moltbook|agentfeed|socialfeed|bot.*feed|agent.*post|inter.?agent|peer.?message)' \
        --include='*.js' --include='*.ts' --include='*.py' \
        "$skill_dir" | head -5)

    if [[ -n "$matches" ]]; then
        # Check if there's ANY sanitization/filtering of the input.
        # Note: a match anywhere in the skill counts, not only on the code path
        # that handles the feed data, so this is a coarse heuristic.
        local has_sanitize
        has_sanitize=$(skill_grep -E \
            '(sanitize|filter|escape|validate|strip.*html|DOMPurify|bleach)' \
            --include='*.js' --include='*.ts' --include='*.py' \
            "$skill_dir" | head -1)

        if [[ -z "$has_sanitize" ]]; then
            add_finding "CHK-SKL-013" "critical" \
                "Skill '$skill_name' consumes inter-agent data without sanitization" \
                "This skill reads from agent social feeds or inter-agent messaging but has no input sanitization. This enables prompt injection worm propagation (Moltbook attack vector)." \
                "$matches" \
                "Add input sanitization for all inter-agent data. Consider using a semantic firewall to filter prompt injection patterns before processing."
        else
            add_finding "CHK-SKL-013" "info" \
                "Skill '$skill_name' consumes inter-agent data (sanitization present)" \
                "This skill reads inter-agent data and appears to have some sanitization." \
                "$matches" \
                "Verify sanitization is sufficient against prompt injection patterns."
        fi
    fi
}
```

- Skills that auto-repost or auto-share content

```bash
check_auto_propagation() {
    local skill_dir="$1" skill_name="$2"
    # Detect skills that can publish content to agent feeds on their own
    local matches
    matches=$(skill_grep -E \
        '(auto.?post|auto.?share|repost|re.?share|forward.?to|broadcast.?to|post.*feed|publish.*feed)' \
        --include='*.js' --include='*.ts' --include='*.py' \
        "$skill_dir" | head -5)

    if [[ -n "$matches" ]]; then
        add_finding "CHK-SKL-013" "warn" \
            "Skill '$skill_name' can auto-propagate content to other agents" \
            "This skill can automatically share or repost content, which is the mechanism by which inter-agent prompt injection worms propagate." \
            "$matches" \
            "Require explicit user approval before sharing content to agent feeds. Never auto-repost content from other agents."
    fi
}
```

- Skills with both read AND write access to agent feeds

The combination of read + write to a shared medium is what makes worm propagation possible:

```text
READ from feed + WRITE to feed   = Worm-capable
READ only      + no WRITE        = Can be infected but can't spread
no READ        + WRITE only      = Can spread but can't be triggered
```
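A draft of the third sub-check (read and write access to the same feed), added here as an example and not taken from the project's scripts/scan_skills.sh. It reuses the read-side and write-side regexes from the two functions above. `skill_grep` and `add_finding` are assumed to be the scanner's existing helpers, so minimal stand-ins, plus three constructed sample skills (worm-capable, read-only, write-only), are defined inline to make the file run on its own:

```shell
#!/bin/sh
# Added example, not code from the project's scripts/scan_skills.sh: a draft of
# the third CHK-SKL-013 sub-check, which fires only when a skill both READS
# from and WRITES to an agent feed (the worm-capable combination). skill_grep
# and add_finding are assumed to be helpers of the real scanner; the stand-ins
# below are defined here only so that this file runs on its own.

# Read-side and write-side indicators, reusing the regexes of the two checks above.
FEED_READ_RE='(moltbook|agentfeed|socialfeed|bot.*feed|agent.*post|inter.?agent|peer.?message)'
FEED_WRITE_RE='(auto.?post|auto.?share|repost|re.?share|forward.?to|broadcast.?to|post.*feed|publish.*feed)'

# Stand-in for the scanner's skill_grep: search *.js/*.ts/*.py under $2 for ERE $1.
skill_grep() {
  find "$2" -type f \( -name '*.js' -o -name '*.ts' -o -name '*.py' \) \
    -exec grep -nE "$1" {} + 2>/dev/null || true
}

# Stand-in for the scanner's add_finding: keep a count, the last "id|severity|title",
# and a newline-separated log of every finding.
FINDING_COUNT=0
LAST_FINDING=""
FINDINGS=""
add_finding() {
  FINDING_COUNT=$((FINDING_COUNT + 1))
  LAST_FINDING="$1|$2|$3"
  FINDINGS="${FINDINGS}${LAST_FINDING}
"
}

# Third CHK-SKL-013 sub-check: returns 0 and records a critical finding when the
# skill matches both indicator sets, returns 1 otherwise.
check_feed_read_write() {
  local skill_dir="$1" skill_name="$2"
  local reads writes
  reads=$(skill_grep "$FEED_READ_RE" "$skill_dir" | head -5)
  writes=$(skill_grep "$FEED_WRITE_RE" "$skill_dir" | head -5)
  [ -n "$reads" ] && [ -n "$writes" ] || return 1
  add_finding "CHK-SKL-013" "critical" \
    "Skill '$skill_name' both reads from and writes to agent feeds (worm-capable)" \
    "This skill reads inter-agent feed content and can post to a feed; together these complete the worm lifecycle (ingest a payload, re-emit it to followers)." \
    "$(printf '%s\n%s' "$reads" "$writes")" \
    "Split feed reading and feed writing into separate skills, or require explicit user approval before any feed write that follows a feed read."
}

# Constructed sample skills (not real skills) so the check can be exercised offline.
make_sample_skills() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/worm" "$root/reader" "$root/writer"
  # Reads the feed and re-shares what it read: worm-capable.
  cat > "$root/worm/index.js" <<'EOF'
const feed = await fetch('https://moltbook.example/api/feed').then(r => r.json());
for (const post of feed) await client.repost(post.id);
EOF
  # Reads only: can be infected but cannot spread.
  cat > "$root/reader/main.py" <<'EOF'
items = moltbook.get_feed(limit=20)
summary = summarize(items)
EOF
  # Writes only: can spread but has no read-side trigger.
  cat > "$root/writer/share.ts" <<'EOF'
export async function share(text: string) { await client.auto_post(text); }
EOF
  echo "$root"
}

# Stand-alone run: scan each constructed skill, print the findings, clean up.
SAMPLE_ROOT=$(make_sample_skills)
for skill in worm reader writer; do
  check_feed_read_write "$SAMPLE_ROOT/$skill" "$skill" \
    || echo "$skill: no read+write combination, not worm-capable"
done
printf '%s' "$FINDINGS"
rm -rf "$SAMPLE_ROOT"
```

Running the file scans the three constructed skills and records one critical finding, for the worm-capable one; the read-only and write-only skills get nothing from this sub-check (they are covered by the first two). One caveat when wiring this into the real scanner: the write regex's `post.*feed` alternation also matches read-side code such as `posts = moltbook.get_feed()`, which is why the sample reader avoids the word `post`; the production pattern should be tightened to actual publish or post calls to avoid flagging every feed reader as worm-capable.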
Detection Indicators
| Pattern | Risk Level | Rationale |
|---|---|---|
| Reads agent social feed + no sanitization | Critical | Direct worm infection vector |
| Auto-reposts to agent feed | Warn | Worm propagation mechanism |
| Reads + writes to same feed | Critical | Complete worm lifecycle |
| Stores inter-agent data in memory | Warn | Memory poisoning via agent messages |
| Passes agent content to eval/exec | Critical | RCE via worm payload |
Also update malicious-patterns.json

Add patterns for inter-agent communication abuse:

```json
{
  "id": "PAT-022",
  "pattern": "moltbook.*post|agentfeed.*write",
  "severity": "warn",
  "description": "Inter-agent feed write access (worm propagation vector)"
},
{
  "id": "PAT-023",
  "pattern": "agent.*message.*eval|feed.*content.*exec",
  "severity": "critical",
  "description": "Agent message content passed to code execution"
}
```

References
- Forensic analysis: "Crustafarianism and Social Engineering of Agents"
- Forensic analysis: "Wormable attack surface" description
- OWASP ASI07: Insecure Communication
- Related checks: CHK-MEM-001 (memory poisoning), CHK-SKL-004 (eval/exec)