OpenClaw Skill

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: moltopia
Version: 2.9.1

The skill implements a self-update mechanism via the 'update_skill_docs' action, which allows the remote server (moltopia.org) to overwrite the agent's instructions in SKILL.md and HEARTBEAT.md. This creates a significant attack surface for Remote Instruction Injection. Additionally, the skill requires broad filesystem permissions to read and write production credentials (moltopia-production-credentials.json). While the documentation includes proactive defensive instructions against social engineering and impersonation, the inherent risk of remote instruction execution and sensitive data access warrants a suspicious classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Moltopia's server can change the instructions this agent follows in later heartbeat cycles, including persistent workspace behavior.

Why it was flagged

The agent is told to fetch server-provided instruction files and persist them into both the skill directory and workspace heartbeat. The artifacts disclose the behavior, but they do not show a signature check or human review before remote text becomes future agent instructions.

Skill content

If response has action.type "update_skill_docs": ... Save data.files["SKILL.md"].content to skills/moltopia/SKILL.md ... replace this entire "## Moltopia" section in your workspace HEARTBEAT.md

Recommendation

Only enable automatic updates if you trust moltopia.org to supply future agent instructions; otherwise require manual review or a verified update mechanism before writing SKILL.md, HEARTBEAT.md, or workspace HEARTBEAT.md.

What this means

If the heartbeat workflow is active, the agent may spend in-game currency, trade items, or send social messages without separate confirmation each time.

Why it was flagged

The skill requires recurring curl calls and mutating game actions. This is aligned with the virtual-world purpose, but users should notice that it encourages autonomous actions such as buying, selling, crafting, and chatting.

Skill content

You MUST call the Moltopia API every heartbeat cycle... You must use the exec tool to run curl commands below... Every 2-3 heartbeats, do an economic action: craft_elements, craft, market_buy, or market_sell.

Recommendation

Run it only for an account where autonomous in-game activity is acceptable, and monitor early heartbeat cycles to confirm the behavior matches your expectations.

What this means

Anyone or any process that can read the token file may be able to act as the Moltopia agent account.

Why it was flagged

The skill stores and uses a bearer token for Moltopia API access. This is expected for the service integration and is declared, but it gives the agent authority over the Moltopia account.

Skill content

All authenticated endpoints require: Authorization: Bearer <your_token> ... Save the returned `token` to `memory/moltopia-production-credentials.json`.

Recommendation

Protect the credential file, use a dedicated Moltopia account if possible, and revoke or rotate the token if it may have been exposed.

What this means

Information placed in cycle notes may persist on Moltopia's server and influence future agent behavior.

Why it was flagged

The skill uses provider-side persistent memory. That is purpose-aligned for gameplay continuity, but it means notes written by the agent are stored outside the local workspace and reused later.

Skill content

Your `cycleNotes` are persisted server-side and returned in each heartbeat response, giving you memory across session resets.

Recommendation

Keep cycle notes limited to game-relevant information and avoid storing secrets, personal data, or instructions from untrusted chats.