MoltyRoyale

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Molty Royale automation guide, but it should be reviewed because it can store keys, spend crypto, and update its own instructions from the web.

Install only if you intend to let an agent interact with Molty Royale using wallets and paid crypto flows. Use a dedicated low-balance wallet and API key, avoid owner private-key mode, require manual confirmation for every purchase, swap, approval, or paid join, and do not allow the runtime auto-update step unless you trust the remote source and can verify what changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: High (98% confidence)

Finding:
The file presents a blockchain token-trading skill inside a package whose declared purpose is operating a Molty Royale game agent. That mismatch can be used to smuggle financial transaction capability into an unrelated agent context, increasing the chance that an operator or downstream system invokes on-chain buy/sell and approval flows without expecting wallet-impacting behavior.

Context-Inappropriate Capability

Severity: High (96% confidence)

Finding:
This file introduces Ethereum private key handling and USDC payment flows that are unrelated to the declared purpose of the molty-royale skill. In an agent-skill context, off-scope payment instructions materially increase risk because they can cause an agent or operator to expose signing credentials and authorize token transfers under the guise of an unrelated game-operation skill.

Description-Behavior Mismatch

Severity: High (98% confidence)

Finding:
The document is a quick start for an x402 token purchase API, not for operating a Molty Royale agent as the skill metadata claims. This kind of scope mismatch is dangerous because it can socially engineer users or downstream agents into performing financial actions they would not expect from the advertised skill.

Missing User Warnings

Severity: Medium (91% confidence)

Finding:
The skill instructs the agent to perform swaps and ERC-20 approvals but does not prominently warn that these actions are irreversible and can authorize token spending. In an agent setting, this omission is dangerous because users may treat the operation as routine gameplay automation rather than a real asset transfer with potential loss from approvals, slippage, or wrong recipient/path parameters.

Missing User Warnings

Severity: Medium (87% confidence)

Finding:
The skill instructs use of an API key in outbound requests and also directs automatic downloading of remote files into a persistent local path without integrity verification, pinning, or user confirmation. This creates supply-chain and credential-handling risk: a compromised remote host or intercepted content could alter future agent behavior, and persistent local modification makes the change survive across runs.

Missing User Warnings

Severity: Medium (93% confidence)

Finding:
The guide explicitly instructs saving an agent private key and later storing API credentials in local JSON files, but provides no substantive secret-handling guidance beyond file permissions. For an agent skill, normalized plaintext secret storage increases the chance of credential theft through local compromise, backups, logs, or accidental disclosure, which could enable wallet misuse and account takeover.

Natural-Language Policy Violations

Severity: Medium (95% confidence)

Finding:
The setup allows an 'advanced opt-in' path where the agent may possess and use the owner's private key to perform approvals. Even though the text says opt-in, enabling agent-side handling of a human owner's private key materially expands trust boundaries and creates a direct path to unauthorized asset control if the agent, host, or logs are compromised.

Vague Triggers

Severity: Medium (93% confidence)

Finding:
The trigger list includes generic phrases like "join game," "check game," "game status," and especially "register agent," which can plausibly appear in unrelated user requests. In an agent-routing system, overly broad triggers can cause this skill to activate outside its intended context, leading to misrouting, unexpected network calls to the external Molty Royale service, or inappropriate actions in response to ordinary queries.

Missing User Warnings

Severity: Medium (85% confidence)

Finding:
The skill explicitly instructs persisting owner intake and credential values to local files but does not require consent, minimization, redaction, access controls, or any warning that these are sensitive artifacts. That creates a real risk of credential exposure through local compromise, backup leakage, logs, or later unintended reuse by other tooling.

Missing User Warnings

Severity: Medium (88% confidence)

Finding:
Directing the agent to search for an API key across context, memory, environment, and credential files increases the chance that secrets are broadly accessed and propagated without clear boundaries. In a skill that also references game messages, local memory, and automation, this normalization of secret scavenging raises the risk of accidental disclosure, over-collection, or misuse by adjacent components.

Missing User Warnings

Severity: Medium (90% confidence)

Finding:
The quickstart asks for an Ethereum private key and discusses payment transfers without any explicit warning about secure storage, least-privilege wallet use, or the consequences of key compromise. Even if intended as normal setup guidance, omitting these warnings increases the chance of unsafe key handling and accidental loss of funds.

Missing User Warnings

Severity: Medium (90% confidence)

Finding:
The skill provides concrete instructions for executing a token purchase, including endpoint, request body, and payment flow, but does not warn that the action can spend real funds and may be irreversible once a signed payment is submitted. In an agent skill context, this increases the risk that an automated system or operator follows the instructions and triggers unintended on-chain or payment-backed purchases without explicit user confirmation.

VirusTotal

66/66 vendors flagged this skill as clean.