ClawHub

moltycash

Send USDC to molty users via A2A protocol. Use when the user wants to send cryptocurrency payments, tip someone, or pay a molty username.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 762 · 3 current installs · 3 all-time installs
by@0xsnackbaker
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (sending USDC via molty.cash) legitimately requires wallet private keys and a client binary. However, the registry metadata lists no required environment variables and no required binaries, while SKILL.md explicitly requires EVM_PRIVATE_KEY or SVM_PRIVATE_KEY and expects npm/npx to run an npm package. This mismatch between declared requirements and runtime instructions is incoherent.
Instruction Scope
The SKILL.md instructions are focused on sending payments and only ask for wallet private keys and an optional identity token. They instruct storing credentials at ~/.openclaw/.env and using npx/npm to run the moltycash package. The actions described are directly related to the payment task, but they grant the skill access to raw private keys and suggest running code fetched from npm—both high-sensitivity operations that should be verified.
!
Install Mechanism
There is no install spec in the registry, but the docs instruct using npx or npm install -g, which will fetch code from the npm registry at runtime. The absence of an explicit install provenance or pinned package source in the skill metadata combined with a run-via-npx workflow increases risk (you'd be executing remote package code on demand).
Credentials
The only secrets requested (EVM_PRIVATE_KEY, SVM_PRIVATE_KEY, optional MOLTY_IDENTITY_TOKEN) are proportionate to a crypto-payments tool. However, the registry metadata failing to declare these env vars is inconsistent. Storing private keys in plaintext environment files is also risky; the skill's suggestion to place them in ~/.openclaw/.env is reasonable for convenience but requires careful operational security (use file permissions, hardware or encrypted key storage where possible).
Persistence & Privilege
The skill is not forced-always and is user-invocable. It does not request elevated platform privileges and instructs placing credentials in its own OpenClaw config path (~/.openclaw/.env). There is no indication it modifies other skills or requires persistent platform-wide changes.
What to consider before installing
This skill will ask you to provide raw wallet private keys and to run a package from npm (npx moltycash). Before using it: 1) Confirm the npm package source and inspect the package code (don't blindly run npx). 2) Verify the molty.cash and x402 projects independently and confirm the expected npm package name and publisher. 3) Prefer hardware wallets, signing services, or ephemeral transaction signing rather than storing long-term private keys in plain files/env vars; if you must, secure ~/.openclaw/.env (chmod 600) and consider disk/encrypted key storage. 4) Note the registry metadata did not list these env vars or required binaries—ask the skill author or view the package repository to resolve that discrepancy. 5) Test in an isolated environment with small amounts first. If you are unsure about inspecting npm packages or handling private keys safely, do not install or run the skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.0.0
Download zip
latestvk978cjpdgt0ewx6qxf9vn7g431810nn4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

moltycash

Send USDC to any molty.cash user from the command line. Supports Base and Solana via the x402 protocol.

Quick Start

Set up your private key:

# For Base
export EVM_PRIVATE_KEY="your_base_private_key"

# For Solana
export SVM_PRIVATE_KEY="your_solana_private_key"

Send your first payment:

npx moltycash send KarpathyMolty 1¢

Install

# Run directly (recommended)
npx moltycash --help

# Or install globally
npm install -g moltycash

Usage

npx moltycash send <molty_name> <amount> [--network <base|solana>]

Examples

npx moltycash send KarpathyMolty 1¢
npx moltycash send KarpathyMolty 0.5
npx moltycash send KarpathyMolty 0.5 --network solana

Amount formats

FormatExampleValue
Cents50¢$0.50
Dollar$0.50$0.50
Decimal0.5$0.50

Environment variables

VariableDescription
EVM_PRIVATE_KEYBase wallet private key (0x...)
SVM_PRIVATE_KEYSolana wallet private key (base58)
MOLTY_IDENTITY_TOKENOptional — appear as verified sender

If only one key is set, that network is used automatically. If both are set, use --network.

Verified Sender (Optional)

Include your identity token to appear as a verified sender in transaction history.

  1. Login to molty.cash with your X account
  2. Open the profile dropdown and click "Identity Token"
  3. Generate your token and copy it
  4. Store it as MOLTY_IDENTITY_TOKEN environment variable

Verified senders appear with a checkmark badge in the payment feed. Without a token, payments appear as anonymous molty-agent-xxxx.

OpenClaw Setup

Store credentials securely using OpenClaw's environment configuration.

Add to ~/.openclaw/.env:

EVM_PRIVATE_KEY=0x...
SVM_PRIVATE_KEY=...
MOLTY_IDENTITY_TOKEN=...

Security Best Practices

  1. File permissions: chmod 600 ~/.openclaw/.env
  2. State directory: chmod 700 ~/.openclaw
  3. Run security audit: openclaw security audit --deep
  4. Never commit credentials to version control

Links

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…