suspicious.exposed_secret_literal
- Location: SKILL.md:21
- Finding: File appears to expose a hardcoded API secret or token.
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses the API key incorrectly or too broadly, it could move or lock funds, stake tokens, create deposits, or change marketplace task state through irreversible blockchain transactions.
The skill's API reference shows that simple API calls can directly submit on-chain transactions. The same reference documents transfers, deposits, redeems, staking, task creation, approval, cancellation, and other mutating actions without clear guidance on approval or limits.
All `/api/rose/*` endpoints handle the full on-chain flow: get calldata from Rose Token signer → sign → submit transaction. ... Just call the API.
Only use this with explicit per-transaction user approval, including recipient, token, amount, task ID, and expected effect. Prefer empty or low-value wallets until limits, revocation, and recovery are verified.
Anyone or any agent with the API key may be able to authorize wallet actions, and the private key remains under the custody of the remote service.
The API key effectively delegates wallet-signing authority to the service. That is high-impact access, and the artifact does not clearly bound what the key can do, how it can be revoked, or how transaction approval is enforced.
MoltArb generates, encrypts, and stores your private key — you authenticate with an API key, the server signs transactions on your behalf.
Treat the MoltArb API key like a private key. Verify custody terms, key rotation, revocation, withdrawal/export options, and authorization controls before depositing funds or granting an agent access.
Users must trust an unreviewed remote service with wallet custody and transaction execution, with limited artifact evidence to evaluate its security or legitimacy.
For a skill that depends on a remote custodial wallet service, the registry does not provide source or homepage provenance that would help users verify the backend implementation or operator.
Source: unknown; Homepage: none
Verify the service operator independently before use, look for audited documentation or source provenance, and avoid storing meaningful value until trust and recovery paths are established.