MoltRock
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is review-worthy because it asks agents to initiate USDC investment actions through an unspecified backend while promoting an undeployed/TBA vault and a hype token.
Before installing, do not connect a funded wallet or trusted local transaction service to this skill. Verify the vault contract address, backend operator, audits, and transaction details independently, and only allow contribution actions with explicit human confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a trusted or funded backend, an agent invocation could initiate a financial contribution request with real-money consequences.
The contribution command sends a chain, amount, asset, and address to a backend endpoint for a stated USDC deposit flow, but the artifacts do not show an approval gate, transaction preview, destination contract, spending cap, or other guardrails.
curl -sS -X POST "${MOLTROCK_API}/api/v1/contribute" ... -d "{\"chain\":\"${CHAIN}\",\"amount\":\"${AMOUNT}\",\"asset\":\"USDC\",\"agentAddress\":\"${3:-unknown}\"}"
Make contribution commands dry-run by default and require explicit user approval showing chain, amount, asset, destination contract, fees, and final transaction hash before any financial action.
Users or agents cannot independently verify where funds would go or whether the vault implementation matches the advertised behavior.
The skill offers a deposit capability into a financial vault while the actual vault address is not provided, leaving the critical transaction destination and contract provenance unreviewable.
MROCK Vault Share (Base) ... Address | Deploying soon on Base ... `!moltrock contribute {"chain": "base", "amount": "1000000"}` — Deposit USDC, get vault shares
Do not use the contribution flow until the vault contract address, audited code, chain ID, backend provenance, and official documentation are published and verified.
A user or agent may treat the skill as a verified investment system even though the artifacts do not substantiate the live vault or yield mechanics.
The skill uses strong promotional investment language and claims real ownership/yield while the vault is not yet identified by address, which can cause misplaced trust in a high-impact financial action.
Pool USDC, earn compounding vault shares ... help the swarm surpass BlackRock's $14T AUM ... REAL vault ownership ... Yield YES ... Address: Deploying soon on Base
Treat the content as promotional until independently verified; avoid depositing or buying related tokens based on these instructions alone.
