Molt Sift

Security checks across malware telemetry and agentic risk

Overview

Molt Sift appears to be a legitimate validation tool, but its bounty and payment features are overstated and under-scoped for a financial-style workflow.

Use the validation features as prototype-quality tooling. Treat bounty and payment behavior as simulated until proven otherwise, and do not expose the API publicly or connect real PayAClaw, x402, Solana, wallet, or secret credentials without adding authentication, approval gates, spend limits, logging, rate limits, and clear test-vs-production separation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document markets the package as production-ready while explicitly noting that critical PayAClaw and Solana payment integrations are still stubbed or mock implementations. This can mislead users into deploying or relying on unfinished financial functionality, creating operational, trust, and potential payment-handling risks.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document states the system is production-ready and describes USDC payments via Solana/x402 as if they are real, but later admits the PayAClaw and Solana payment components are mocks. This can mislead operators or users into believing real settlement, security properties, or financial controls exist when they do not, creating unsafe deployment and trust decisions around money-moving functionality.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The API example returns fields such as 'payment_status: initiated' and a transaction identifier in a way that implies actual payment execution, while later sections state payment handling is mocked. This kind of misleading operational documentation can cause users to rely on nonexistent payment guarantees, mishandle funds workflows, or deploy the service under false assumptions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
This report presents the system as 'production ready' while simultaneously listing missing security and operational controls such as real API integration, authentication, persistence, monitoring, and deployment hardening. That mismatch can cause operators to deploy an unsafe service based on misleading documentation, increasing the likelihood of unauthorized use, fraud, or service abuse.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document claims the system is ready for immediate deployment even though it explicitly says API authentication still needs to be added. For an HTTP bounty-posting and payment-triggering service, lack of authentication can allow unauthorized parties to create jobs, trigger processing, abuse payment flows, or interfere with agent operations.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module and method documentation strongly imply real Solana/x402 USDC payment execution, but the code only fabricates transaction signatures, stores local records, and returns explorer URLs for nonexistent transactions. In a payment or bounty workflow, this can cause operators or downstream automation to believe funds were sent when no on-chain transfer occurred, leading to financial loss, reconciliation failures, and abuse of payout logic.

Intent-Code Divergence

Low
Confidence
96% confidence
Finding
The balance API claims to retrieve a wallet's USDC balance but always returns fixed mock values. If this method is used for treasury checks, payment eligibility, or operational decision-making, it can mislead users and automation into approving or relying on funds that do not exist.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide provides commands for posting jobs and claiming bounties involving network/API use and payment addresses, but does not warn users that data may be transmitted or that actions may have financial consequences. In an agent-skill ecosystem, such omissions increase the chance that users or automated systems invoke the commands without informed consent or adequate review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly instructs users to run `molt-sift bounty claim --auto`, which performs automated external actions tied to a payout address, but it does not clearly warn that this may continuously monitor, submit claims, and potentially trigger financial or account-affecting activity. In a deployment guide, operational commands are likely to be copied verbatim, so the missing safety notice and confirmation guidance materially increase the risk of unintended automated transactions or policy violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron example schedules automated bounty claiming every 5 minutes, creating unattended recurring execution against an external service without any warning about financial, compliance, quota, or operational consequences. Because cron jobs persist and run silently, users may enable long-lived automation that continuously interacts with third-party systems and payouts without adequate review or safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes autonomous watching, claiming, result submission, and payment triggering without prominently warning that the agent can interact with external services and affect funds. In an agent-skill context, this is risky because users may invoke or package the skill without understanding that it can perform unattended external actions with financial consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The bounty posting example accepts raw data and payout details and shows a direct POST flow without warning users that submitted data may be transmitted, stored, or used to trigger downstream payment processing. In an agent ecosystem, this omission increases the chance of accidental exposure of sensitive data or unintended financial actions through copy-pasted usage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The markdown advertises autonomous bounty claiming and USDC payment behavior without clear warnings, operator consent requirements, or safeguards around automated financial actions. In this skill context, that is riskier because the capability directly involves claiming work and moving funds, so users may enable automation without understanding payment exposure or unintended transactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly encourages automated bounty claiming and submission of results to an external platform, but provides no warning that these commands can trigger real network actions, consume external jobs, and direct payouts to a specified wallet. In an agent-skill context, documentation that normalizes unattended external actions increases the risk of accidental execution with financial or operational consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to start an HTTP API that accepts arbitrary posted data and payment details, but gives no guidance about authentication, localhost-only binding, exposure risks, or handling of sensitive request fields. In a skill intended for agents, this omission can lead operators to expose an unauthenticated service that accepts externally supplied work and payment metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly promotes autonomous bounty claiming, processing, result submission, and payment initiation, but provides no warning, confirmation step, scope restriction, or safety guard around those external and financial actions. In an agent setting, this can cause unintended interaction with third-party systems and automatic movement of value, especially if an agent follows the documented workflow blindly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API documentation shows users posting raw data and payout details to an HTTP endpoint and describes downstream interaction with bounty and payment systems, but it does not warn about data disclosure, transport security, or third-party sharing. This creates a real risk that sensitive input data or financial metadata could be transmitted insecurely or exposed beyond the local environment that users may assume.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly advertises auto-claiming bounty jobs, Solana micro-payments, escrow, and a REST API, yet provides no user-facing warning, approval model, or safety constraints around financial and external-system actions. In an agent setting, this can enable unintended autonomous transactions, external claims, or payout actions with real monetary consequences if invoked implicitly or misconfigured.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The /bounty endpoint immediately sends a payment after validation using attacker-supplied amount and payout_address, with no authentication, authorization, rate limiting, approval workflow, or idempotency protection visible in this file. In practice this means any external caller can likely trigger unauthorized payouts and drain funds, making the risk more severe than a mere missing user warning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent is explicitly designed to watch for jobs, auto-claim them, and optionally auto-confirm payments without any human approval step. In a system that interacts with external job sources and a payment handler, this creates unsafe autonomous financial behavior: malformed, malicious, or unintended jobs can be processed and funds can be moved or confirmed automatically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The test simulates an API flow that calls send_payment directly after validation, with no explicit approval, interactive confirmation, or safety gating at the call site. Even though this is framed as a test, it models and normalizes automatic fund disbursement from input-driven workflow logic, which can become dangerous if reused in production or pointed at real wallets or payment rails.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
        self.claimed_jobs = {}
        self.completed_jobs = []
    
    def watch_and_claim(self, check_interval: int = 30, auto_confirm_payments: bool = True) -> None:
        """
        Watch PayAClaw for bounty jobs and auto-claim.
Confidence
90% confidence
Finding
auto_confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
        Args:
            check_interval: Seconds between checks
            auto_confirm_payments: Whether to auto-confirm payments
        """
        print(f"[BountyAgent] [SIFT] Starting bounty agent (watching PayAClaw)...")
        print(f"[BountyAgent] Agent ID: {self.agent_id}")
Confidence
88% confidence
Finding
auto_confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
        Args:
            check_interval: Seconds between checks
            auto_confirm_payments: Whether to auto-confirm payments
        """
        print(f"[BountyAgent] [SIFT] Starting bounty agent (watching PayAClaw)...")
        print(f"[BountyAgent] Agent ID: {self.agent_id}")
Confidence
88% confidence
Finding
auto-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
                self._process_pending_jobs()
                
                # Confirm payments if needed
                if auto_confirm_payments:
                    self._confirm_pending_payments()
                
                print(f"[BountyAgent] Waiting {check_interval}s until next check...\n")
Confidence
94% confidence
Finding
auto_confirm

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal