Molt

Security checks across malware telemetry and agentic risk

Overview

The skill is a real crowdfunding app, but it bundles under-disclosed identity verification, blockchain monitoring, and production admin capabilities that should be reviewed before installation.

Install only if you are comfortable with a full crowdfunding application, not just a read-only advocacy helper. Review and separate the KYC, auth, blockchain polling, production deployment, and database maintenance pieces before running it, and do not deploy with passwordless sudo, default secrets, or unrestricted production database scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (74)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises only a documentation-style interface but appears to enable higher-risk capabilities such as network, shell, environment access, and file writing without declaring them. That creates a trust and review gap: an operator may approve or invoke the skill believing it is low risk while it can perform broader actions, including handling credentials and making external requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is limited to browsing and advocacy, but the detected behavior includes materially broader functions such as authentication, KYC handling, uploads, polling, notifications, and operational scripts. This mismatch is dangerous because reviewers and users may not realize the skill can process identity documents, credentials, and external data flows far beyond the stated use case.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The deployment guide explicitly documents storage of KYC identity documents under the application's persistent data directory, even though the stated skill purpose is crowdfunding browsing and advocacy. That mismatch increases privacy and compliance risk because highly sensitive identity data is being retained without justification, minimization, or any controls described.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file exposes campaign creation, modification, deletion, image upload, and balance-refresh actions that materially exceed the skill's stated browsing/advocacy purpose. In an agent context, capability mismatch is dangerous because it can let prompts or tool misuse trigger state-changing operations users did not expect, increasing the risk of unauthorized or deceptive actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The refresh-balance endpoint can trigger external blockchain balance checks, price lookups, milestone notifications, and automatic campaign cancellation when a withdrawal is detected. In a skill advertised as browsing/advocacy, this is more dangerous because an agent could invoke a side-effectful financial workflow with real operational consequences, including status changes and notifications, outside the user's likely expectations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The KYC submission flow immediately sets both the submission and the creator account to "approved" before any actual verification occurs. This defeats the core security purpose of KYC, allowing anyone to bypass identity checks and gain privileges reserved for verified users, which can enable fraud, abuse, and regulatory noncompliance.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The service loads several third-party API credentials and RPC configuration for broad blockchain access that is not clearly required by the stated MoltFundMe browsing/advocacy use case. This expands the skill's capability surface and enables wallet intelligence collection across chains, increasing privacy, abuse, and secret-misuse risk if these methods are exposed through agent actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file implements wallet balance and transaction lookups for BTC, ETH, SOL, and Base USDC, which goes well beyond campaign browsing and advocacy. In this skill context, that scope mismatch is dangerous because it enables cross-chain financial profiling of arbitrary addresses and undisclosed outbound data sharing to blockchain intelligence providers, contrary to user expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file implements general-purpose email delivery, including authentication and user notifications, which materially expands the skill beyond the declared MoltFundMe browsing/advocacy scope. Scope drift is dangerous because it introduces messaging and account-entry functionality that can be abused for spam, phishing-style workflows, or unauthorized user contact if exposed through agent actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Magic-link authentication email capability is especially sensitive because it initiates account access flows, yet it is not justified by the stated crowdfunding advocacy purpose. In a skill that users would not expect to handle authentication, this creates elevated risk of phishing, account-takeover assistance, or stealthy auth workflow abuse if an attacker can trigger emails or influence the frontend URL/token context.

Description-Behavior Mismatch

High
Confidence
86% confidence
Finding
This file implements authentication and session issuance logic, including magic-link verification, JWT creation, and logout behavior, which is materially broader than the skill's stated crowdfunding advocacy purpose. In the skill context, hidden identity/account capabilities expand attack surface and can enable unauthorized access patterns, account creation, or persistence mechanisms not disclosed by the manifest.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The file implements API key generation, API key hashing/verification, magic-link token generation, and JWT creation/decoding, which is materially different from the stated skill purpose of browsing and advocating for crowdfunding campaigns. This mismatch is dangerous because hidden authentication capabilities expand the skill's privilege surface and may enable credential or session handling that users and reviewers would not expect from this skill context.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The declared behavior is campaign discovery and advocacy, but the code performs credential-token operations such as API key handling and JWT issuance/verification. In a mismatched skill, this is dangerous because it obscures sensitive functionality, impedes reviewer understanding, and can hide capabilities that facilitate unauthorized access or token abuse.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The validator is named as if it enforces the presence of at least one wallet address, but it performs no validation and simply returns the input unchanged. In a crowdfunding/crypto-donation context, this can allow campaigns to be created without any valid payout destination, causing misconfiguration, failed donations, or fund-routing logic errors in downstream code that assumes at least one wallet exists.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This code does substantially more than the skill metadata claims: it autonomously polls wallets, updates campaign balances, and persists donation records into the database. In a skill described as browsing and advocacy, undisclosed state-changing financial tracking expands capability and trust boundaries, creating risk of unauthorized surveillance, incorrect financial records, and misuse of privileged backend access.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The service enumerates all active campaigns and queries multiple blockchains for each one, enabling broad wallet monitoring unrelated to a user-initiated browse/advocacy action. Even if campaign addresses are public, centralized mass surveillance and aggregation of donation activity can expose supporter behavior and create privacy, compliance, and abuse risks beyond the stated purpose of the skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements direct blockchain wallet balance and transaction lookups across BTC, ETH, DOGE, and SOL, which exceeds the stated MoltFundMe skill purpose of campaign browsing and advocacy. Even without explicit fund transfer logic, this enables wallet intelligence gathering and user-address profiling unrelated to the declared feature set, increasing privacy and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The service reads third-party blockchain API credentials and uses them to query external wallet data, which is unrelated to the advertised campaign advocacy scope. In a skill that users would not expect to perform wallet intelligence, this creates an undisclosed data-access capability that can be abused for surveillance of donor or target addresses.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The seed script generates real agent API keys and immediately prints them to stdout, which can leak credentials into terminal scrollback, shell history capture tools, CI logs, container logs, and centralized log platforms. In this crowdfunding skill, those keys appear to authorize agent actions, so exposure could let an attacker impersonate agents, manipulate advocacy activity, or perform unauthorized API operations.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This script performs production deployment, configuration mutation, service restart, and database backup operations that are unrelated to the skill's stated end-user purpose of browsing and advocating for crowdfunding campaigns. In an agent-skill context, bundling infrastructure-management capability materially increases the blast radius of compromise by giving the skill a path to alter live services and production state.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The header comment describes the script as a generic production deploy helper, but the implementation also edits the production .env, backs up database state, pulls images, and restarts services. That mismatch can mislead reviewers about the script's true privilege and side effects, increasing the risk that dangerous operational capabilities are included in a user-facing skill without adequate scrutiny.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script exposes production maintenance capabilities such as backup, status inspection, direct database access, and destructive cleanup that are unrelated to the skill's declared crowdfunding advocacy purpose. In an agent skill context, bundling privileged operational tooling increases attack surface and creates a path for unauthorized production administration or data tampering if the skill can be invoked by an agent or user indirectly.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script provides both an interactive SQLite shell and arbitrary SQL execution directly against the production database. This is highly dangerous because it enables unrestricted reads and writes, including exfiltration of sensitive records, schema changes, or deletion/modification of campaign, donation, and KYC-related data, and it is unjustified for a crowdfunding advocacy skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The cleanup routine can permanently delete production campaign records based on a heuristic match of title, creator, and timestamp proximity. Even with a prompt and backup, this is destructive administrative functionality unrelated to the skill's stated purpose and could be misused or triggered incorrectly, causing data loss and integrity issues in a live fundraising platform.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The fixture automatically detects a KYC screen, fabricates image files, uploads them, and submits identity verification. Even in test code, this normalizes bypassing or simulating a regulated identity workflow that is unrelated to a crowdfunding browsing/advocacy skill and could be repurposed to automate sensitive verification flows against non-test environments if environment separation fails.

VirusTotal

66/66 vendors flagged this skill as clean.
