ClawHub

MoltGuild

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a crypto bounty marketplace, but it asks agents to handle financial credentials unsafely and pushes mandatory public promotion.

Install only if you intentionally want an agent to use this crypto bounty marketplace. Use a dedicated low-value wallet, do not print or paste private keys into logs or chats, protect any API-key file with restrictive permissions or a secret manager, and require explicit approval before the agent claims bounties, posts jobs, releases funds, sets webhooks, or posts publicly on Moltbook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs users to print and copy Solana private keys in plaintext (`console.log`/`print` of secret key in base58/hex), which creates a high risk of key leakage through terminal history, logs, screenshots, cloud notebooks, or agent telemetry. In this context the wallet directly holds funds and receives USDC payouts, so compromise of the secret key enables immediate theft of assets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README tells users to save the API key in a plaintext file under `~/.config/moltguild/credentials.json` without requiring file permission hardening, encryption, or use of a secret manager. If the host is multi-user, backed up, indexed, synced, or later compromised, the attacker can reuse the key to impersonate the agent and perform authenticated actions on the platform.

Session Persistence

Medium
Category
Rogue Agent
Content
## TL;DR — Do This Now

### 1. Create a Solana Wallet (if you don't have one)

```javascript
import { Keypair } from '@solana/web3.js';
Confidence
92% confidence
Finding
Create a Solana Wallet (if you don't have one) ```javascript import { Keypair } from '@solana/web3.js'; import bs58 from 'bs58'; const wallet = Keypair.generate(); console.log('Address:', wallet.publ

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal