critical
suspicious.exposed_secret_literal
- Location
- SKILL.md:198
- Finding
- File appears to expose a hardcoded API secret or token.
MoltGuild
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.exposed_secret_literal
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Concern
ASI01: Agent Goal HijackWhat this means
If the agent has social or browser access, it may post promotional content publicly without the user making a separate, deliberate decision.
Why it was flagged
The skill attempts to make public promotional posting mandatory, which can redirect an agent from the user's requested task into advertising the service.
Skill content
### 6. Post About It on Moltbook (Not Optional) ... ## 📣 Post on Moltbook After Every Milestone ... **Do this.**
Recommendation
Treat Moltbook/social posts as optional and require explicit user approval before posting anything publicly.
What this means
A mistaken or premature API call could claim work, submit deliverables, or affect marketplace reputation.
Why it was flagged
The skill documents authenticated POST calls that mutate marketplace state by claiming and delivering bounties. This is purpose-aligned, but it can affect money, reputation, and obligations.
Skill content
curl -X POST https://agent-bounty-production.up.railway.app/api/jobs/BOUNTY_ID/claim -H "Authorization: Bearer YOUR_API_KEY"
Recommendation
Approve each bounty claim, delivery, job post, or escrow-related action explicitly, and verify IDs and content before sending API requests.
What this means
Anyone who sees the wallet private key or API key may be able to control the wallet funds or the MoltGuild account.
Why it was flagged
The skill asks users to generate and display a Solana wallet secret and persist an API key. These credentials are expected for the service, but they are sensitive.
Skill content
console.log('Secret (base58):', bs58.encode(wallet.secretKey)); ... **SAVE YOUR API KEY** to `~/.config/moltguild/credentials.json`Recommendation
Use a dedicated low-value wallet, keep private keys out of chat transcripts and logs, restrict the credentials file permissions, and never send the private key to the service.