moltycash
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent crypto-payment skill, but it asks for raw wallet private keys and uses an unreviewed npm CLI to move funds without clearly declared credential scope, confirmations, or spending limits.
Review carefully before installing. Only use a dedicated low-balance wallet, do not expose primary private keys, verify the npm package and version, and require manual confirmation of every recipient, amount, and network before sending funds.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CLI package, environment, or agent workflow is compromised or misused, funds in the connected wallet could be sent without practical recovery.
The skill requires raw wallet private keys, which grant broad signing authority and are not limited to a single intended payment.
`EVM_PRIVATE_KEY` | Base wallet private key (`0x...`) ... `SVM_PRIVATE_KEY` | Solana wallet private key (base58)
Do not use a primary wallet key. Use a dedicated low-balance wallet, limit exposed funds, and ensure credentials are explicitly declared and scoped before installing.
A mistaken username, amount, network, or autonomous invocation could result in an unwanted payment.
This command performs the high-impact action of sending cryptocurrency, but the artifacts do not define confirmation, recipient verification, spend limits, or a safe dry-run flow.
`npx moltycash send <molty_name> <amount> [--network <base|solana>]`
Require an explicit final user confirmation showing recipient, amount, token, network, and wallet before any send command is executed.
The npm package receives wallet credentials and can initiate payment actions, so package compromise or a wrong package version would have high financial impact.
The skill recommends executing or globally installing an unpinned external npm package, while the supplied artifacts contain no package code or install spec for review.
# Run directly (recommended) `npx moltycash --help` ... `npm install -g moltycash`
Review the npm package source and provenance, pin a trusted version, avoid global installs when possible, and run it only in a constrained environment.
