MoltMoon Crypto Launcher
Security checks across malware telemetry and agentic risk
Overview
This skill is a crypto trading and token-launch workflow that asks an agent to use a wallet private key and run live Base mainnet transactions, with limited scoping and under-declared credential requirements.
Review this carefully before installing. Only use it with a dedicated wallet you can afford to risk, pin and verify the @moltmoon/sdk package version, and require explicit confirmation before any live launch, approval, buy, sell, claim, or migration transaction.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a funded wallet, the agent or external SDK could sign irreversible blockchain transactions.
The skill requires a wallet private key for actions that can spend funds or sign transactions, while the supplied metadata declares no primary credential or required env vars.
`MOLTMOON_PRIVATE_KEY=0x...` ... `MOLTMOON_PRIVATE_KEY` (or `PRIVATE_KEY`) is required for launch/buy/sell/claim.
Use only a dedicated low-balance wallet, avoid passing private keys directly when possible, and require explicit user approval for every signing action.

A mistaken or over-eager invocation could approve token spending, buy or sell assets, launch a public token, claim rewards, or migrate tokens on-chain.
The documented workflows combine approval and transaction execution for token launches, trades, claims, and migration, but the skill does not clearly bound when the agent may execute them or require confirmation for each live transaction.
`launchToken(params)` -> executes approve + create ... `buy(marketAddress, usdcIn, slippageBps?)` - Approve USDC + buy ... `sell(...)` - Approve token + sell ... `migrate(v1Amount)` - Approve V1 + migrate to V2
Treat all non-dry-run commands as high-risk financial actions and require manual review of wallet, market address, token address, amount, slippage, and network before execution.

The package version resolved at runtime could differ from what the skill author expected, and that package may receive wallet keys or execute transaction logic.
The skill directs the agent to install or run an unpinned external package, and the supplied artifacts include no install spec, lockfile, or package code for review.
`npm install @moltmoon/sdk` ... `npx -y @moltmoon/sdk moltlaunch --help`
Pin and verify the SDK version, review the package provenance, and avoid using it with valuable wallets until the dependency is trusted.

The SDK CLI will execute locally with the environment variables and permissions available to the agent.
Running a CLI package is expected for this SDK-focused skill, but it is still local code execution initiated by the agent.
`npx -y @moltmoon/sdk mltl launch ...`
Run it in a restricted environment and pass only the minimum required wallet and configuration values.
