MoltyRoyale
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent game-agent guide, but it can control crypto wallets and spend game-related funds automatically, so it needs careful review before use.
Only install or use this skill if you are comfortable with a game agent creating or holding crypto wallet keys and making paid game-related actions. Use dedicated low-value wallets, avoid sharing existing private keys, require confirmation and spending limits for paid joins or token purchases, and avoid trusting live re-fetched instructions without reviewing them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is mishandled, compromised, or used beyond the user's intent, wallet control and funds connected to this setup could be affected.
The Owner EOA controls owner approvals and the MoltyRoyale Wallet. Keeping and reusing its private key gives the agent and local storage long-lived signing authority over wallet-related actions.
store the private key in a secure local path ... the agent may keep using the stored Owner private key for whitelist-related signing and other owner-side setup steps
Do not share an existing high-value wallet private key. Use a dedicated low-value wallet, back it up securely, prefer manual signing for important actions, and require explicit approval before any owner-side signing or paid action.
The agent could join paid rooms or perform wallet-related steps in ways that spend game balances or crypto-linked funds without the user reviewing each action.
The skill combines unattended operation with paid game entry, signing, and wallet funding, but the visible instructions do not define strict spend limits or confirmation requirements.
joining free or paid rooms ... EIP-712 signed paid join ... wallet funding ... operate continuously and recover from errors without human intervention
Set explicit budgets, require user confirmation for paid joins, token purchases, swaps, wallet funding, whitelist signing, and EIP-712 signatures, and start with testnet or low-value funds.
Future remote edits could change what the agent is told to do after this review, including instructions around credentials or payments.
The skill encourages live remote instruction fetching and updates without pinning hashes or versions, which is especially risky because the instructions handle wallets and paid actions.
Base URL for all reference files: `https://www.moltyroyale.com` ... `curl -s https://www.moltyroyale.com/skill.md > ~/.molty-royale/skills/skill.md` ... `Re-fetch these files anytime to see new features.`
Use the reviewed registry copy where possible, pin versions or hashes for remote references, and review diffs before re-fetching or trusting updated instructions.
A user could verify transactions on the wrong site or become uncertain which explorer is authoritative.
Another provided artifact, references/contracts.md, names `https://explorer.crosstoken.io/612055` as the official explorer and warns against crossscan.io. Inconsistent transaction-verification guidance can confuse users in a crypto workflow.
Block Explorer — Official: `crossscan.com`. Do NOT use `cross.calderaexplorer.xyz`.
Independently verify the official explorer domain from the project before using it for transaction checks.