Back to skill

Security audit

MoltyRoyale

Security checks across malware telemetry and agentic risk

Overview

This game skill is not clearly malicious, but it asks the agent to hold wallet private keys and can perform crypto spending or swaps, so it needs careful review before installation.

Review before installing. Use only low-balance, dedicated wallets; do not paste an existing wallet private key into the agent; prefer website or wallet-based signing; verify all contract addresses and remote files; and require explicit confirmation before any purchase, swap, approval, withdrawal, token deployment, or paid-room transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (30)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This guidance authorizes the agent to generate, store, and use an owner wallet private key, which greatly exceeds ordinary gameplay assistance and turns the skill into a custodian of blockchain credentials. A compromise of the agent, local storage, logs, or prompt flow could expose the private key and allow irreversible theft of funds, impersonation, and unauthorized signing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Instructing the agent to hand off a stored private key on request normalizes secret exfiltration through chat and increases the chance of disclosure to the wrong party, transcript leakage, or accidental exposure in logs. Even if intended for the legitimate owner, chat channels are not an appropriate mechanism for transmitting long-lived wallet secrets.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The whitelist workflow explicitly tells the user to provide their owner private key or lets the agent use it for signing, which is a direct request for highly sensitive wallet credentials. If followed, the agent gains full control over the owner's wallet, enabling unauthorized transactions, approvals, and identity takeover beyond the narrow whitelist action.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document explicitly authorizes a fully autonomous flow to buy CROSS with USDC and then swap into Moltz for paid-room entry. That expands the agent from gameplay orchestration into discretionary use of external crypto assets, creating real financial-loss risk if the agent spends funds without explicit, transaction-specific user approval or if the swap path is manipulated or misconfigured.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill gives executable instructions for swaps and ERC-20 approvals, including direct `cast send` examples with private-key usage, but it does not prominently warn that these actions spend real funds, are irreversible, and may grant spending authority to the router. In an agent skill context, this increases the chance that an operator or automated system executes value-moving transactions without adequate confirmation or understanding of allowance risk.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger description is unusually broad, matching generic phrases like 'token launch', 'create a token', or 'anything about getting a token onto Forge'. In an agent system, this can cause the skill to activate in contexts the user did not intend, leading to unreviewed execution of file creation, dependency installation, API calls, and blockchain-related actions with real financial consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs users to persist a live API key in a plaintext credentials file under the home directory without any warning about file permissions, secret handling, or alternatives. This increases the chance of credential theft from local compromise, backups, logs, or accidental sharing, which could let an attacker control the account or abuse the API under the user's identity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The update flow tells users to overwrite local skill files directly from remote URLs with curl, with no signature verification, checksum validation, pinning, or review step. That creates a supply-chain risk: if the remote host, CDN, DNS, or TLS trust path is compromised, an attacker can push modified instructions into the local automation workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document includes an API call example containing a live-style API key header and does so without an explicit warning that the credential is secret and must never be exposed, logged, or copied into user-visible channels. In an agent skill context, this can normalize unsafe handling of credentials and increase the chance of leakage through prompts, logs, screenshots, or misrouted requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document includes an example request with a live-style API key format in a header but provides no warning about secure credential handling, storage, redaction, or least-privilege use. In an agent skill context, this is more dangerous because downstream tooling or users may copy the pattern directly into logs, prompts, scripts, or shared transcripts, causing accidental credential exposure and unauthorized API actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The document explicitly instructs the agent to store a generated Owner EOA private key in secure local storage during setup, but this creates a persistent secret-handling behavior for a user-controlled wallet. Retaining a user's private key on the agent side materially increases the blast radius of compromise, insider misuse, logging mistakes, or filesystem exposure, especially because this skill operates wallets and paid game actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The file recommends storing a generated owner private key locally but does not present a strong warning that agent-held credentials are a major security risk and create a single point of compromise. In the context of a game-management skill, local secret storage materially expands the blast radius of any host, agent, or log exposure.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
Suggesting that users may share their existing owner private key with the agent without a strong, explicit warning is unsafe because it encourages transmission of the highest-value credential in the system. In a blockchain context, exposure of a private key can lead to immediate, irreversible asset loss and full compromise of owner privileges.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill permits the agent to retain and use an agent-generated Owner EOA private key for ongoing signing during setup, but does not require strong user disclosure, secure storage guarantees, or least-privilege handling. Persisting owner private keys inside an agent system materially increases the chance of credential theft, misuse, or unintended signing on behalf of the owner.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The autonomous purchase-and-swap flow instructs the agent to spend user-controlled crypto assets without an upfront, prominent warning that real funds will be consumed and exposed to price, routing, and execution risks. In a wallet-enabled agent, this can directly translate into unauthorized or poorly understood financial actions.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The guide explicitly tells the agent to ask the user to provide the Owner private key so the agent can continue owner-side signing. Requesting or handling a user's private key is highly unsafe because it transfers full wallet control to the agent runtime, enabling theft, unauthorized transactions, or later compromise if logs, memory, or local files are exposed.

Missing User Warnings

High
Confidence
97% confidence
Finding
This section instructs the agent to generate an Owner EOA, store the private key locally, and continue using it for owner-side actions, but it does not provide a strong user-facing warning that this key controls assets and can be irreversibly compromised if exposed. In the context of a game agent that later handles funding, whitelisting, and withdrawals, normalizing agent custody of a user wallet materially increases the risk of asset loss and account takeover.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide tells the agent to provide the generated Owner private key to the user on request, without a prominent warning that revealing the raw private key is an irreversible credential exposure event. Once disclosed in chat or logs, the key may be retained by platforms, copied accidentally, or intercepted, which can permanently compromise the wallet and any assets associated with it.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Several triggers such as 'join game', 'check game', 'register agent', and especially 'moltz' are broad enough to activate the skill for unrelated user requests, causing unintended invocation of a high-action skill. In this context, that is more dangerous because the skill is described as able to manage gameplay, onboarding, paid-room flows, wallet funding guidance, and EIP-712 signing prerequisites, so accidental routing could expose users to risky operational steps or external interactions they did not intend.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to generate a new Owner EOA, store its private key locally, and continue using that key for owner-side signing. That creates custodial key handling by the agent without an up-front, explicit consent and risk disclosure, increasing the chance of wallet compromise, unintended signing, or loss of user control over funds and identity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The install instructions download remote content directly into fixed local paths using shell redirection, which can overwrite existing files and persist unreviewed updates to disk. In a skill system, this is risky because the same document also encourages re-fetching updates, so compromised upstream content could replace local operational instructions without integrity checks or user warning.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly requires an Ethereum private key and shows workflows that use it, but it does not include any warning or guardrails about secret handling, least-privilege wallets, or avoiding reuse of high-value keys. In an agent skill context, this is more dangerous because users may provide real keys to automation that can sign transactions, increasing the chance of wallet compromise or accidental fund loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill provides concrete instructions and code for executing token purchases with a signing wallet but does not include an explicit warning that these actions can spend real USDC and may be irreversible once signed and submitted. In an agent-skill context, this increases the risk of unintended autonomous purchases or user confusion about financial consequences, especially because the same document also points to production endpoints.

Ssd 3

High
Confidence
99% confidence
Finding
These instructions normalize agent-side retention of the owner's private key and delayed handoff later on request, meaning the system is designed to hold a credential that can fully control assets and owner actions. In the context of a game agent that manages wallets, whitelist setup, funding, and EIP-712 signed paid joins, this is especially dangerous because theft or misuse of the key could enable unauthorized transfers, impersonation, and irreversible loss of funds or account control.

Ssd 3

High
Confidence
99% confidence
Finding
The guidance makes long-term retention the default by telling the agent to keep the owner's private key unless the user later asks for deletion. Default secret retention is unsafe because it converts a transient setup secret into an ongoing high-value target, increasing exposure to host compromise, backups, operator access, and accidental disclosure over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/agent-token.md:52

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/free-games.md:30

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/paid-games.md:252

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/setup.md:84