Back to skill

Security audit

MoltRock

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a crypto investing tool, but it encourages agent-driven USDC deposits and token promotion before the vault address, transaction safety checks, and user confirmation flow are clearly established.

Review carefully before installing or using with funds. Do not let an agent contribute USDC, approve wallet spending, bridge assets, or promote or trade the pump.fun token unless you independently verify the deployed vault contract, backend API, fees, risks, and exact transaction details, and require explicit human confirmation for any asset movement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directly encourages users to deposit USDC and perform cross-chain transfers, but it provides no meaningful warning about irreversible blockchain transactions, bridge risk, smart-contract risk, loss of funds, or token/address verification uncertainty. In this context, the omission is dangerous because the skill is explicitly promotional and action-oriented, making it likely that an agent or user could be induced to move real assets based on incomplete safety information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.