
Security audit

MoltyRoyale

Security checks across malware telemetry and agentic risk

Overview

This is a real Molty Royale game skill, but it also includes broad wallet, payment, trading, token deployment, local persistence, and self-update behavior that should be reviewed before use.

Install only if you intentionally want a crypto-enabled Molty Royale agent. Use low-balance wallets, avoid giving the agent owner private keys, disable or manually review autonomous funding/trading/token-deployment and heartbeat self-update paths, and require human confirmation before any payment, swap, approval, deployment, or private-key handoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file is presented in a skill set for operating a molty-royale game agent, but its actual behavior is token trading on a DEX. This scope mismatch is dangerous because an orchestrator or user may invoke the skill under false assumptions, leading to unintended on-chain trades, approvals, and financial loss.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The skill is materially mismatched with the stated parent skill context: instead of operating a Molty Royale game agent, it instructs the agent to create files, install dependencies, contact external token-deployment APIs, generate wallets, and submit blockchain transactions. This kind of domain-switching can be used to smuggle high-risk financial actions into an unrelated skill bundle, increasing the chance of unauthorized token launches or wallet misuse under false pretenses.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
This guidance expands the skill from managing a game agent into custody, use, and disclosure of an owner's private key, which is a highly sensitive credential unrelated to the minimum functionality needed in default operation. Even though it is framed as advanced opt-in, normalizing secret handling inside the skill materially increases the risk of wallet compromise, unauthorized signing, and user harm if the agent, logs, or surrounding systems are exposed.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding
The file explicitly permits the agent to store a generated owner wallet private key and later reveal it to the user, creating direct secret custody and exfiltration behavior. A private key grants full control over the wallet and any associated assets or approvals, so compromise of the agent, memory, telemetry, or handoff channel could immediately lead to theft or unauthorized transactions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
This section expands the skill from game participation into autonomous crypto purchasing and swapping using USDC, x402, and a DEX. That materially increases financial-risk surface by enabling asset acquisition and trading flows that can spend funds and interact with external protocols, which is not strictly necessary for the core gameplay objective and could be abused or triggered without strong user authorization.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document contains contradictory guidance: earlier sections say the agent may generate a new Owner EOA automatically, while later sections state Owner private-key handling must only occur in explicit advanced opt-in mode. This kind of policy inconsistency can cause implementations to default into private-key generation/custody without informed user consent, exposing the user's owner wallet to theft or unauthorized signing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill’s index exposes DEX trading, token deployment, and payment-protocol content that is materially broader than the declared purpose of operating a Molty Royale game agent. This scope expansion increases the chance that an agent invoked for routine game automation may discover and use financial or token-management capabilities without clear user intent or least-privilege boundaries.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Including cross-forge-trade.md gives the agent access to DEX trading functionality that is unjustified by the game-agent role and can directly affect funds or assets. In this context, unrelated trading instructions are dangerous because they create a path from benign gameplay automation to unauthorized or accidental asset swaps.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Referencing forge-token-deployer.md introduces token creation capability that is outside the stated Molty Royale operational scope and could be abused to deploy deceptive or unauthorized assets. Even if not maliciously intended, bundling deployment guidance with gameplay automation expands the attack surface into on-chain actions with potentially significant financial and reputational consequences.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
x402 payment protocol materials broaden the skill from game operation into generalized payment capabilities, which is inconsistent with the declared purpose and can enable unintended monetary actions. While less direct than DEX trading or token deployment, payment-related instructions still expand what an invoked agent may attempt to do with credentials, APIs, or funds.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill documentation instructs use of a raw Ethereum private key via an environment variable and converts it directly into a signing account for payment operations. While this is common in low-level API examples, embedding wallet-signing guidance inside a Molty Royale skill is unjustified by the declared skill purpose and increases the chance that operators load live keys into an unrelated agent context.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file describes an x402 token purchase workflow, including price checks and on-chain payment signing, which is materially unrelated to the advertised Molty Royale game-agent functionality. This capability mismatch is dangerous because it can mislead users or orchestrators into granting payment credentials and executing fund-spending actions under the guise of a game skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to perform token swaps and approvals, which are financially irreversible on-chain actions, but it does not prominently warn about loss of funds, MEV/slippage, mistaken recipient addresses, or approval risk. In an agentic context, omission of these warnings increases the chance that users approve or execute trades without informed consent.
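A confirmation gate of the kind the overview and this finding call for, as an added example rather than anything from the skill: wallet-affecting tool calls are checked against a spend budget, a slippage bound and the ERC-20 unlimited-allowance value (2^256 - 1), and are denied unless a human confirmation is recorded. The action kinds (`swap`, `approve`, `payment`, ...) and parameter names are hypothetical stand-ins; the skill's real tool interface is not shown on this page.

```python
"""Confirmation gate for wallet-affecting tool calls.  Added example, not the
skill's code: action kinds and parameter names are hypothetical stand-ins for
whatever the real tool interface exposes."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNLIMITED_ALLOWANCE = 2**256 - 1  # the value behind "infinite approval" on ERC-20 tokens
WALLET_ACTIONS = {"payment", "swap", "approve", "deploy_token", "reveal_private_key"}


@dataclass
class Action:
    kind: str
    params: Dict = field(default_factory=dict)
    confirmed_by_human: bool = False   # set only by an out-of-band prompt, never by the model


@dataclass
class Policy:
    max_spend_usdc: float = 25.0    # matches the "low-balance wallet" advice above
    max_slippage_bps: int = 100     # 1 %
    allow_unlimited_approval: bool = False


def evaluate(action: Action, policy: Policy = Policy()) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons).  Gameplay actions pass; wallet actions must clear
    every rule and carry a human confirmation."""
    if action.kind not in WALLET_ACTIONS:
        return True, []
    p = action.params
    reasons: List[str] = []
    if action.kind == "approve":
        if int(p.get("amount", 0)) == UNLIMITED_ALLOWANCE and not policy.allow_unlimited_approval:
            reasons.append("unlimited allowance requested; approve the exact amount instead")
    if action.kind == "swap":
        if int(p.get("min_amount_out", 0)) <= 0:
            reasons.append("min_amount_out is 0: no slippage bound, trade is sandwichable")
        if int(p.get("slippage_bps", 10_000)) > policy.max_slippage_bps:
            reasons.append(f"slippage exceeds {policy.max_slippage_bps} bps")
    if action.kind in {"payment", "swap"}:
        if float(p.get("amount_usdc", 0)) > policy.max_spend_usdc:
            reasons.append(f"spend exceeds {policy.max_spend_usdc} USDC budget")
    if not action.confirmed_by_human:
        reasons.append("no explicit human confirmation recorded")
    return len(reasons) == 0, reasons


if __name__ == "__main__":
    print(evaluate(Action("swap", {"amount_usdc": 5, "min_amount_out": 0, "slippage_bps": 50})))
```

The `confirmed_by_human` flag has to come from outside the model's control (a terminal prompt, a signed approval record), otherwise a prompt-injected agent can simply assert it. The denial reasons are returned rather than logged so the orchestrator can show the user exactly which rule the action tripped.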

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The command examples directly use a private key parameter without warning that exposing, logging, shell-history retention, or sharing that key would fully compromise the wallet. Because the skill targets operational use, users may copy-paste these commands into insecure environments, causing immediate theft risk.

Vague Triggers

Severity: High
Confidence: 95%
Finding
The invocation text contains very broad trigger phrases like 'anything about getting a token onto Forge,' which can cause the agent to activate this skill for loosely related or ambiguous token discussions. In this skill, mistaken activation is dangerous because execution can lead to file creation, dependency installation, external API calls, wallet generation, and potential blockchain deployment steps.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The workflow directs the agent to write package.json and deploy-token.js and run npm install, but it does not require a clear user-facing warning or consent for modifying the filesystem and pulling third-party packages. In an agent setting, silent environment modification can expand the attack surface, alter the workspace unexpectedly, and normalize execution of externally sourced code in response to a simple prompt.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to download remote content and overwrite local files under ~/.molty-royale/skills without any integrity verification, pinning, or user approval. This creates a remote self-update path where whoever controls the referenced endpoint—or any attacker able to tamper with that content—can change future agent behavior and persist those changes on disk.
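One way to close the self-update path this finding describes, as an added example that is not the skill's own update code: refuse to write anything under the skills directory unless its SHA-256 matches a digest pinned at review time, and refuse names that resolve outside that directory. The lockfile (`PINNED`), the `install_update` helper and the sample content are assumptions for illustration; the digest-and-atomic-write pattern itself is standard.

```python
"""Pinned-integrity install for a remote skill update.  Added example; not the
skill's own update code.  Assumes a lockfile (PINNED) that maps each skill file
to the SHA-256 of the content the operator reviewed; anything else is refused."""
import hashlib
import hmac
import os
import tempfile

# Constructed lockfile for the example: filename -> pinned SHA-256 hex digest.
REVIEWED_SKILL = b"# Molty Royale agent skill v1\n"
PINNED = {"SKILL.md": hashlib.sha256(REVIEWED_SKILL).hexdigest()}


class UpdateRejected(Exception):
    """Raised for any update that must not touch disk."""


def verify_update(name, content, pinned=PINNED):
    """Return the SHA-256 hex digest of content if it matches the pin for name."""
    if name not in pinned:
        raise UpdateRejected(f"{name}: no pinned digest, refusing unreviewed file")
    digest = hashlib.sha256(content).hexdigest()
    # Constant-time compare is a habit here, not a requirement (digests are public).
    if not hmac.compare_digest(digest, pinned[name]):
        raise UpdateRejected(f"{name}: digest {digest[:12]}... does not match pin")
    return digest


def install_update(base_dir, name, content, pinned=PINNED):
    """Verify, then write atomically inside base_dir.  Returns the final path.

    base_dir stands in for ~/.molty-royale/skills; the caller decides where."""
    verify_update(name, content, pinned)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Refuse names that resolve outside the skills directory ("../.bashrc",
    # absolute paths, or the directory itself).
    if target == base or os.path.commonpath([base, target]) != base:
        raise UpdateRejected(f"{name}: path escapes {base}")
    fd, tmp = tempfile.mkstemp(dir=base, prefix=".update-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        os.replace(tmp, target)  # atomic: readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def demo():
    """Exercise the three cases against a throwaway directory; returns a summary."""
    base = tempfile.mkdtemp(prefix="molty-skills-")
    results = {"pinned": os.path.basename(install_update(base, "SKILL.md", REVIEWED_SKILL))}
    # Tampered content under a pinned name: digest mismatch, nothing written.
    try:
        install_update(base, "SKILL.md", b"# hostile instructions\n")
        results["tampered"] = "installed"
    except UpdateRejected:
        results["tampered"] = "rejected"
    # Correct content but a name that climbs out of the directory.  Pin it so
    # the path check, not the digest check, is what rejects it.
    escaping = {"../SKILL.md": hashlib.sha256(REVIEWED_SKILL).hexdigest()}
    try:
        install_update(base, "../SKILL.md", REVIEWED_SKILL, pinned=escaping)
        results["traversal"] = "installed"
    except UpdateRejected:
        results["traversal"] = "rejected"
    with open(os.path.join(base, "SKILL.md"), "rb") as f:
        results["on_disk"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

The pin has to live with the operator, not be fetched from the same endpoint as the content, or the check proves nothing. Rotating the pin is the review step: a new digest is accepted only after someone has read the new file.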

Missing User Warnings

Severity: Low
Confidence: 78%
Finding
The skill persists gameplay context and history in a file under the user's home directory without clear notice, retention limits, or data-minimization guidance. While not inherently malicious, undisclosed local state storage can expose behavioral history or account-related metadata to other local processes or users and makes agent behavior stateful across runs.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file explicitly documents sending `thought.reasoning` and `thought.plannedAction` in the action payload, while later noting that thoughts are revealed to others after a delay or immediately on death. This creates a sensitive-information disclosure risk because operators may place strategy, secrets, or internal prompts into those fields without realizing they are transmitted to the server and eventually exposed in-game.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill includes live API-key handling and irreversible on-chain registration guidance without explicit safety guardrails such as never exposing secrets, requiring user confirmation before transactions, or warning that token registration is one-time and cannot be changed. In an agentic context, this increases the risk of credential leakage, accidental transaction submission, or unintended permanent registration actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file includes examples using a live-style API key prefix (`mr_live_...`) and instructs callers to send it to external endpoints, but provides no warning about secure storage, redaction, or avoiding hardcoding credentials. In an agent skill, this increases the chance that operators copy credentials into logs, prompts, shell history, or source control, leading to credential leakage and unauthorized API use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation includes example commands with a realistic live API key format in an HTTP header but does not warn users not to paste real credentials into shells, logs, screenshots, or shared terminals. In an agent skill context, operators may copy these commands verbatim, increasing the chance of credential leakage through command history, telemetry, or support artifacts.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The unregister documentation describes a state-changing delete operation but does not clearly warn that it immediately removes the current identity mapping and can block free-room access until a new identity is registered. In an operational agent workflow, this omission can cause accidental self-denial of service or confusion during troubleshooting and automation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The handoff guidance tells the user the private key is ready to be provided, but does not clearly communicate that disclosure of a private key is an irreversible high-risk event that can expose all funds and control of the wallet. In the context of a game-agent skill, encouraging key transfer without a strong warning makes unsafe credential practices more likely and can normalize dangerous behavior.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The storage guidance says the agent will keep the private key stored securely during setup, but gives no concrete user-facing warning about the risks of agent-side retention of sensitive credentials. This is dangerous because retained secrets may be exposed through logs, memory persistence, support workflows, prompt injection, or downstream integrations, especially in an agent environment not designed as a secure vault.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean. Antivirus engines match known malware signatures and do not assess scope, credential handling, or agentic risk, so a clean result does not offset the findings above.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Locations:
  • references/agent-token.md:58
  • references/free-games.md:48
  • references/identity.md:73
  • references/paid-games.md:240
  • references/setup.md:181
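A check a reviewer can run over the skill's reference files before acting on the static-analysis hits above or the `mr_live_...` examples noted in the findings, as an added example that is not the skill's code or SkillSpector's: it scans for key-shaped literals, separates obvious placeholders from values that look real, and provides a `redact` helper for fields that leave the process, such as the `thought.reasoning` field the findings say is later revealed in-game. The `mr_live_` length and the sample lines are constructed assumptions built on the prefix alone; the 0x-prefixed 64-hex form is the standard Ethereum private-key encoding, which also matches transaction and block hashes, so treat that rule as a lead rather than proof.

```python
"""Secret-literal scanner for skill reference files, with a redaction helper.
Added example; not the skill's code or SkillSpector's.  The mr_live_ shape is
an assumption built on the prefix alone; the sample lines are constructed."""
import re

# Markers that make a match an obvious dummy rather than a live value.
PLACEHOLDER = re.compile(r"(\.\.\.|x{4,}|<[^>]+>|YOUR_|EXAMPLE|REDACTED)", re.I)

RULES = {
    # Assumed: prefix plus 16 or more alphanumerics.  A bare "mr_live_..." never matches.
    "mr_live_api_key": re.compile(r"\bmr_live_[A-Za-z0-9]{16,}\b"),
    # 0x plus 64 hex digits: the usual private-key encoding (also matches tx/block hashes).
    "eth_private_key_hex": re.compile(r"\b0x[0-9a-fA-F]{64}\b"),
    # A key handed over on a command line lands in shell history regardless of value.
    "key_on_command_line": re.compile(r"(?:PRIVATE_KEY=|--private-key[ =])\S+"),
}


def classify(match_text):
    """'placeholder' for obvious dummies, 'literal' for anything that looks real."""
    return "placeholder" if PLACEHOLDER.search(match_text) else "literal"


def scan_lines(lines):
    """Return (line_no, rule, kind) for every hit; placeholders are reported too,
    because they still teach operators to paste real keys into the same spot."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                hits.append((n, rule, classify(m.group(0))))
    return hits


def summarize(lines):
    """Counts by kind; 'literal' > 0 means rotate the credential, not just edit the doc."""
    counts = {"literal": 0, "placeholder": 0}
    for _, _, kind in scan_lines(lines):
        counts[kind] += 1
    return counts


def redact(text):
    """Mask key-shaped values before text leaves the process, e.g. a
    thought.reasoning field that the game server later reveals to other players."""
    for rx in RULES.values():
        text = rx.sub(lambda m: m.group(0)[:8] + "[REDACTED]", text)
    return text


# Constructed sample lines in the style of the findings above (not quoted from the skill).
SAMPLE_DOC = [
    'curl -H "Authorization: Bearer mr_live_A1b2C3d4E5f6G7h8I9j0" https://api.example.invalid/identity',
    'curl -H "Authorization: Bearer mr_live_xxxxxxxxxxxxxxxxxxxx" https://api.example.invalid/identity',
    'curl -H "Authorization: Bearer mr_live_..." https://api.example.invalid/identity',
    "export PRIVATE_KEY=0x" + "ab" * 32,
    "node deploy-token.js --private-key <YOUR_PRIVATE_KEY>",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_DOC):
        print(hit)
    print(summarize(SAMPLE_DOC))
```

On the constructed sample the scanner reports three literal-looking hits and two placeholders; the bare `mr_live_...` line produces nothing, so any hit on a real file means more than the prefix the findings mention. A `literal` result on a checked-in document is a rotation event for that credential, whatever the document then gets edited to say.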