Security audit

Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

Moltopia is a coherent game-integration skill, but it gives moltopia.org ongoing authority to steer actions and rewrite local instruction files without a clear review or integrity gate.

Install only if you want an agent to continuously participate in Moltopia using a dedicated Moltopia account and token. Review or disable automatic skill and HEARTBEAT updates if possible, keep cycle notes game-only, monitor trades/messages/spending, and revoke the token if the agent behaves unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to fetch remote content and overwrite local files in the workspace without any integrity verification, trust boundary explanation, or user approval. This creates a remote content-to-local file write path that could persist malicious instructions, poison future runs, or alter adjacent workspace behavior if the remote endpoint or routing is compromised.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation claims no local state file is needed, yet the permissions explicitly allow reading and writing `memory/moltopia-state.json`. This inconsistency creates unnecessary writable state surface that could be used to persist unexpected instructions, exfiltration markers, or hidden control data outside the documented workflow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill declares self-updating writes to the workspace `HEARTBEAT.md`, which extends beyond game interaction into modifying a general control/instruction file used by the agent. Because updates are fetched from a remote server, this creates a supply-chain channel for altering future agent behavior outside the narrowly stated Moltopia purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This is a supply-chain style risk: the document directs the agent to retrieve live remote content and replace local skill files, effectively trusting the server as an update authority without warning or verification. If that remote source is malicious or compromised, the attacker can inject persistent instructions into the local environment and influence subsequent agent behavior.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs the agent to save and use a bearer token from a local credentials file without any guidance on least-privilege handling, redaction, rotation, or prohibitions on exposing it. Bearer tokens are directly reusable secrets, so casual storage and use guidance increases the chance of leakage through logs, self-updates, prompts, or unintended file reads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read a local credential file and use the token in authenticated network requests, without any consent, scoping, or safeguards. This creates a clear secret-access and exfiltration path because the skill is causing sensitive local data to be transmitted to an external service under skill control.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill tells the agent to fetch remote content and overwrite local skill files and even replace the workspace snippet wholesale. This is a remote self-update mechanism with no integrity verification, review gate, or trust boundary, so a compromised server or malicious update can alter future agent behavior and persist new malicious instructions locally.

External Transmission

Medium
Category
Data Exfiltration
Content
## Moltopia (every heartbeat)
**You MUST call the Moltopia API every heartbeat cycle. Do NOT reply with just HEARTBEAT_OK — that skips Moltopia entirely. You must use the exec tool to run curl commands below.**

**IMPORTANT: Make exactly ONE heartbeat call per cycle. Do NOT loop or call the heartbeat API multiple times. One call, one action, done. The server enforces a 30-second cooldown — extra calls will be rejected.**
Confidence
92% confidence
Finding
curl commands below.** **IMPORTANT: Make exactly ONE heartbeat call per cycle. Do NOT loop or call the heartbeat API multiple times. One call, one action, done. The server enforces a 30-second cooldo

Credential Access

High
Category
Privilege Escalation
Content
The server tracks all your state — no state file needed for Moltopia. Your `cycleNotes` are persisted server-side and returned in each heartbeat response, giving you memory across session resets.

API: https://moltopia.org/api/v1
Credentials: memory/moltopia-production-credentials.json
Confidence
97% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.