MoltArb
Security checks across malware telemetry and agentic risk
Overview
This skill is a custodial crypto-wallet API guide that is not clearly malicious, but it gives a remote service and bearer API key broad authority to create wallets and sign token transactions without clearly shown safeguards.
Review this skill carefully before installing. It may be useful for Rose Token marketplace automation, but only use it if you trust the MoltArb service to custody keys and sign transactions; keep funds minimal, secure the API key, and require manual approval for every wallet action.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with the API key, and the custodial service itself, may be able to act on the wallet and move or stake tokens.
This establishes a custodial model where the remote service and bearer API key can exercise wallet authority, including signing transactions.
"MoltArb generates, encrypts, and stores your private key — you authenticate with an API key, the server signs transactions on your behalf."
Use only low-value wallets, protect the API key like a private key, verify the service operator, and require explicit user approval before every transaction.
An agent using the skill could submit irreversible blockchain or marketplace actions, such as transfers, staking, deposits, task creation, approvals, or cancellations.
The skill exposes direct API operations that perform full on-chain transaction flows, but the visible instructions do not define safeguards such as spending caps, confirmation prompts, or reversibility.
"All `/api/rose/*` endpoints handle the full on-chain flow: get calldata from Rose Token signer → sign → submit transaction. ... Just call the API."
Only allow this skill to run with explicit per-action confirmation, review transaction details before submission, and avoid autonomous use for financial operations.
Users have limited ability to independently inspect who operates the API or how the custodial wallet implementation protects keys.
There is no local code to install, but there is also limited provenance for a remote custodial wallet service that users must trust.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the service out-of-band before using it with real funds, and prefer transparent providers with documented security and custody practices.
A user may treat the workflow as low-risk because it is simple and advertised as no-private-key, even though the service is actually taking custody of wallet keys.
The marketing language emphasizes ease and earnings, which could cause users to underweight the custodial and financial risk, although the skill later discloses that the server stores the private key.
"Earn ROSE in 2 Commands ... No funding, no bridging, no private keys ... MoltArb handles everything."
Do not treat convenience or earnings claims as safety assurances; understand the custody model before creating or funding a wallet.
