Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moltpay (XiaoDing)

v1.0.3

AI Agent's crypto wallet manager - generate wallets, manage transactions, and claim ORA token rewards.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (wallet manager, generate wallets, claim ORA) align with the included code snippets for creating BTC/ETH/SOL keys and querying moltpay.net APIs. However, the skill directs users to use an external service (moltpay.net) to 'manage transactions' without explaining whether the service is custodial or how signing is performed; that gap is disproportionate to the claimed capability and leaves ambiguity about whether private keys must ever be disclosed to the service.
Instruction Scope (flagged)
The SKILL.md instructs generating private keys locally and saving them unencrypted to ~/.config/moltpay/wallets.json (which is insecure). It also instructs calling moltpay.net endpoints to register addresses, check balances, and post transactions. The doc claims 'MoltPay never receives your private keys' but does not document how on-chain transactions are signed or whether any client-side signing occurs before sending data to the external API. The truncated heartbeat section raises concern that the skill might read local wallet files and interact with the external API automatically—this is not explicit in the visible instructions.
Install Mechanism
No install spec or bundled code is provided (instruction-only skill). The SKILL.md suggests pip-installing libraries (eth-account, bitcoinlib, solders) which is reasonable for the demonstrated snippets; nothing in the repo attempts to download or execute remote code during install.
Credentials (flagged)
The skill declares no required env vars or credentials, which is good. However, it instructs storing high-value secrets (private keys and mnemonics) in plaintext in a predictable local path. That request for persistent local secret storage is disproportionate without guidance on encryption, hardware wallets, or minimum-security practices. The external APIs accept only addresses in examples, but the documentation lacks guarantees that private keys will never be transmitted—this is a red flag given the potential impact.
Persistence & Privilege
The skill does not request 'always' presence and has no install-time persistence. There is no evidence it modifies other skills or system-wide settings. The only persistence described is writing the wallet file to ~/.config/moltpay, which is local and within the skill's stated scope, but insecure as noted.
What to consider before installing
Proceed with caution. This skill shows how to generate wallets locally and how to call an external API (moltpay.net), but it also (1) tells you to save private keys and mnemonics unencrypted to ~/.config/moltpay/wallets.json, (2) relies on an unknown remote service with no source code or privacy/custody explanation, and (3) advertises a token reward that is gated behind a large withdrawal minimum—common patterns in questionable services. Before installing or using: do not use real/mainnet funds or primary keys; test with ephemeral/testnet wallets only; never upload or paste private keys to third-party services; prefer hardware wallets or encrypted key stores; ask for the skill's source code and a clear custody/security/privacy statement from the publisher; verify the moltpay.net domain reputation and TLS cert; and request the full SKILL.md (including the truncated heartbeat code) to confirm whether local wallet files are ever transmitted. If you don't get satisfactory answers, avoid integrating this skill with any real assets.


Version: latest (vk978bmqzq7zmv589cz2mgx49c583eega)
