Back to skill

Security audit

MoltyRoyale

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Molty Royale game-agent skill, but it can store wallet/API credentials, perform paid crypto actions, and replace local skill instructions from the web without enough user control.

Install only if you intentionally want an autonomous Molty Royale agent with wallet and payment capabilities. Use a dedicated low-balance wallet and limited API key, keep credential files out of repos, backups, logs, and shared workspaces, require explicit approval for paid joins, swaps, approvals, and x402 purchases, and manually review or disable remote skill updates before allowing downloaded instructions to replace local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The heartbeat instructs the agent to fetch remote markdown files and overwrite local skill files at runtime based on a server-controlled version field. This creates an unverified self-update channel: anyone who can modify the remote content, CDN path, or version signal can change future agent behavior without local review, making this a supply-chain and remote-instruction injection risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The trading flow tells an agent/user exactly how to execute buys, sells, and approvals, but does not clearly warn that blockchain transactions are irreversible and that token approvals grant spending authority to the router. In a skill intended to operate a trading agent, that omission increases the chance of accidental asset loss, mistaken approvals, or unsafe automated execution.

Missing User Warnings

High
Confidence
98% confidence
Finding
The examples instruct use of '--private-key <PRIVATE_KEY>' directly in shell commands without any safety warning, which encourages handling raw private keys in terminal history, process lists, logs, scripts, or shared environments. In a trading skill that performs live on-chain transactions, exposure of a private key can immediately lead to complete wallet compromise and theft of funds.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill directs authenticated requests with an API key to remote services but gives no user-facing warning that credentials and account state are being transmitted. In a security review this is a real risk because operators may not realize the skill performs privileged external actions tied to their game account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions download remote files directly into the local skill directory, silently overwriting existing behavior. Even apart from the self-update issue, modifying local files without explicit warning or approval is dangerous because it changes trusted local state and can persist attacker-controlled instructions across runs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation demonstrates use of a live-style API key in request headers and websocket authentication without any guidance on secure handling, storage, or redaction. In an agent skill context, operators may copy these examples directly into scripts, logs, or prompts, increasing the chance of credential leakage, unauthorized API use, and downstream account abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to sign EIP-712 data with the agent wallet private key but provides no guardrails about key isolation, hardware/secure signing, signature verification, or never exposing/exporting the key. In an agent skill context, this can normalize unsafe secret handling and lead to private key disclosure or blind signing of attacker-controlled typed data, resulting in wallet compromise or unauthorized paid joins/transactions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The websocket instructions tell the agent to connect using an X-API-Key only, without warning that the API key is a sensitive credential that must not be exposed in logs, prompts, screenshots, telemetry, or error messages. In an autonomous agent workflow, such omissions increase the chance of credential leakage, enabling unauthorized access to the account/session and abuse of game actions tied to that key.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup guide instructs the agent to write a raw blockchain private key to a predictable local file path in plaintext. Because this key controls an on-chain identity and potentially rewards-related assets, compromise of the host, backups, logs, or other local users could result in irreversible wallet takeover and theft.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example credentials file normalizes storing multiple sensitive values together, including API credentials and wallet identifiers, and implies they should be persisted locally without strong security guidance. Consolidating these secrets increases blast radius: if the file is exposed, an attacker may gain both API access and enough wallet metadata to target account operations or social-engineer follow-on compromise.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes generic phrases such as "join game," "find game," "check game," and "game status," which are likely to overlap with unrelated user requests. In an agent ecosystem, overly broad triggers can cause accidental skill invocation, leading users into external network interactions or game actions they did not intend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to persist owner intake and credential material to local files automatically, but it does not require an explicit user-facing disclosure or consent about local storage, retention, or file protections. In an agent environment, silently writing API keys and identity data to disk increases the risk of inadvertent exposure through other tools, logs, backups, workspace sharing, or later compromise of the host.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples initiate a real token purchase flow and require a private key, but they do not prominently warn that the operation can spend funds or that private keys must be handled as highly sensitive secrets. In an agent-skill context, this is more dangerous because users or downstream agents may copy the sample directly into automation and accidentally expose credentials or authorize unintended purchases.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides concrete purchase steps for a payment-bearing x402 flow but does not clearly warn that repeating the request with a PAYMENT-SIGNATURE authorizes an on-chain USDC payment. In an agent-skill context, this omission is risky because an operator or autonomous agent could treat the call as a normal API request and unintentionally spend funds.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/matchmaking.md:35

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/setup.md:84