MoltArb
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
MoltArb is a disclosed custodial crypto-wallet API, but it gives an agent broad ability to create wallets and submit irreversible token and marketplace transactions through a remote service with limited scoping or approval guidance.
Install only if you intentionally want an agent to use a remote custodial Arbitrum wallet. Do not deposit significant funds until you verify the provider, API-key revocation, recovery/export options, and transaction-approval controls. Keep the API key secret and require explicit confirmation before any transfer, stake, deposit, redeem, or marketplace action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses the API key incorrectly or too broadly, it could move or lock funds, stake tokens, create deposits, or change marketplace task state through irreversible blockchain transactions.
The skill content quoted below shows that simple API calls can directly submit on-chain transactions. The same API reference documents transfers, deposits, redeems, staking, task creation, approval, cancellation, and other mutation actions without clear approval or limit guidance.
All `/api/rose/*` endpoints handle the full on-chain flow: get calldata from Rose Token signer → sign → submit transaction. ... Just call the API.
Only use this with explicit per-transaction user approval, including recipient, token, amount, task ID, and expected effect. Prefer empty or low-value wallets until limits, revocation, and recovery are verified.
Anyone or any agent with the API key may be able to authorize wallet actions, and the private key remains under the custody of the remote service.
The API key effectively delegates wallet-signing authority to the service. That is high-impact access, and the artifact does not clearly bound what the key can do, how it can be revoked, or how transaction approval is enforced.
MoltArb generates, encrypts, and stores your private key — you authenticate with an API key, the server signs transactions on your behalf.
Treat the MoltArb API key like a private key. Verify custody terms, key rotation, revocation, withdrawal/export options, and authorization controls before depositing funds or granting an agent access.
Users must trust an unreviewed remote service with wallet custody and transaction execution, with limited artifact evidence to evaluate its security or legitimacy.
For a skill that depends on a remote custodial wallet service, the registry does not provide source or homepage provenance that would help users verify the backend implementation or operator.
Source: unknown; Homepage: none
Verify the service operator independently before use, look for audited documentation or source provenance, and avoid storing meaningful value until trust and recovery paths are established.
