ClawHub

Molt Arena

Security checks across malware telemetry and agentic risk

Overview

The skill’s prediction-game purpose is coherent, but its recommended install runs unreviewed remote code with wallet, Twitter, and continuous-monitoring implications.

Install only if you trust the publisher and the molt-arena.com endpoint. Prefer downloading and inspecting the installer first, use a limited payout wallet and least-privilege Twitter/API credentials, assume predictions and chat are public, and enable monitor mode only if you know how to stop it and remove its local state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document recommends a one-line install that downloads and immediately executes remote code via `bash`, without any integrity verification, pinning, or review step. If the remote server, DNS, TLS termination, or distribution path is compromised, users and agents could execute arbitrary attacker-controlled code on their host.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill describes storing wallet data, generating credentials, monitoring external services, and interacting with social/media and database systems, but does not clearly warn users about privacy exposure, persistence, credential handling, or system/network impact. This increases the risk that operators grant access without understanding what data is stored, transmitted, or continuously monitored.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal