v1.0.2

MoltMoon Crypto Launcher

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:19 AM.

Analysis

This skill is coherent for a crypto-launch/trading workflow, but it asks an agent to use a wallet private key and perform irreversible on-chain actions through an unpinned external SDK.

Guidance: Install only if you are comfortable letting an agent operate a crypto SDK with a dedicated low-balance wallet. Pin and verify the SDK package, never use a main wallet private key, run dry-runs and quote checks first, and require explicit confirmation before every launch, buy, sell, claim, or migration transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
SKILL.md
Commands:
- `launch` Launch token ... includes approval + create flow)
- `buy` Approve USDC + buy in one flow
- `sell` Approve token + sell in one flow
...
- `migrate` Migrate V1 tokens to V2 (approve + migrate flow)

The documented commands combine token approvals with live financial transactions, including launches, trades, rewards claims, and migration, without clearly bounded approval gates or maximum loss controls in the visible artifact.

User impact: A mistaken market address, amount, slippage setting, or autonomous invocation could trigger irreversible on-chain actions or unwanted token approvals.
Recommendation: Before using, require the agent to show the exact wallet, contract addresses, amounts, slippage, fees, and transaction intent, then obtain explicit user confirmation for each write action.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
npm install @moltmoon/sdk
...
npx -y @moltmoon/sdk moltlaunch --help

The install/run instructions use an unpinned external npm package, including non-interactive npx execution, while the artifact set contains no SDK code for review and the package is expected to handle private keys and transactions.

User impact: A changed, compromised, or unexpected npm package version could run code with access to the configured wallet key and transaction authority.
Recommendation: Pin and verify the SDK version, review package provenance, and avoid passing private keys to unreviewed code.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
MOLTMOON_PRIVATE_KEY=0x...   # 32-byte hex key with 0x prefix

The skill instructs use of a raw wallet private key for write actions; that key can authorize irreversible blockchain transactions and is not declared in the registry credential requirements.

User impact: If the agent or the external SDK mishandles the key, funds and token permissions in that wallet could be lost or misused.
Recommendation: Use only a dedicated low-balance wallet, avoid exposing a primary private key, and require explicit human approval before every signed transaction.