moltx-skills

Security checks across malware telemetry and agentic risk

Overview

This MoltX skill mostly matches its crypto-task purpose, but it exposes high-impact wallet and protocol-changing actions with under-disclosed admin tools and risky defaults.

Install only if you intentionally want a transaction-capable MoltX wallet runtime. Treat the generated wallet file and auth file as secrets, and review every on-chain write before allowing an agent to execute it. Pass explicit approval amounts rather than relying on the token-approval default, and do not use this skill from any wallet that holds MoltX protocol-admin authority unless the admin tools are removed or separately gated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions, yet the documentation explicitly describes network access, environment-variable use, local file writes, wallet generation, and authentication token storage. This creates a transparency and consent gap: an agent or operator may invoke the skill expecting passive guidance, while it can actually trigger sensitive side effects such as key creation and remote API interaction.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose suggests an informational or role-participation skill, but the documented behavior includes secret generation, token persistence, wallet management, blockchain writes, and broad external API access. That mismatch is dangerous because users and calling agents may authorize the skill under an incomplete mental model, leading to unintended custody, authentication, and transaction risk.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The exported toolset includes privileged governance/admin actions like set_council, set_liquidity, and add_whitelist_token, which exceed the stated purpose of helping an agent act as a maker, taker, arbitrator, or prediction trader. In an agent setting, exposing unnecessary high-privilege write operations expands the attack surface and can let prompt injection or user confusion trigger protocol-admin changes if the connected wallet has authority.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
set_runtime_config allows mutation of rpcUrl and walletAddress at runtime even though this is not required for normal participation in MoltX tasks. In an agent environment, changing the RPC endpoint can redirect reads/writes to attacker-controlled infrastructure, and changing wallet context can mislead downstream operations or cause actions to be taken under unexpected assumptions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The prediction-events tool is mislabeled and functionally incorrect: it queries the core contract address and decodes logs with the core ABI instead of using the prediction contract address and prediction ABI. This can cause consumers to miss real prediction events, act on incorrect event data, and make unsafe automated trading, settlement, or monitoring decisions based on false assumptions about on-chain state.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that wallet management will automatically generate `~/.moltx/wallet.json`, which implies sensitive key material may be written to disk by default. In a blockchain skill handling maker/taker/arbitrator actions on mainnet, undocumented or insufficiently warned local key storage increases the risk of accidental secret exposure, backup leakage, weak file permissions, or misuse on shared systems.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation condition is broad enough that an agent may invoke this skill whenever MoltX is merely relevant, even though the skill can create wallets, authenticate, and execute on-chain or off-chain actions. Over-broad routing increases the chance of accidental use in contexts where the user only wanted explanation, not account creation or transaction-capable tooling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that a local private key is automatically generated in ~/.moltx/wallet.json on first use, but this warning is embedded in operational setup text rather than surfaced as a prominent security notice before use. Automatic creation and persistence of private keys can expose funds if the host is shared, backed up insecurely, or monitored, and users may not realize they have accepted custodial risk.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The SIWE login flow writes JWTs and refresh/auth state to ~/.moltx/auth.json, but the privacy and token-handling implications are not emphasized as a primary warning. Persisted auth tokens can be exfiltrated from disk and reused to access task, dispute, or account-linked API functionality without re-authentication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently generates a new private key on first run and persists it to ~/.moltx/wallet.json without explicit user consent, backup guidance, or secure key-management integration. In a wallet/trading skill, unexpected key creation can cause users or operators to unknowingly control real blockchain assets with a locally stored secret, increasing the risk of loss if the host is compromised or the file is mishandled.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
approve_token defaults to maxUint256 when no amount is provided, creating an unlimited ERC-20 allowance with no built-in warning, scoped approval flow, or confirmation step. If the spender is compromised, upgraded maliciously, or incorrectly specified, the user's entire token balance can be drained later without further interaction.
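The defaulting behaviour in this finding is easy to see once the calldata is spelled out, and so is the fix. Below is an added example, not the skill's own approve_token, that encodes ERC-20 approve(address,uint256) calldata two ways: the unscoped form that falls back to the maximum uint256 when no amount is given, and a scoped form that requires an explicit positive amount, refuses an unlimited allowance, and bounds the amount by what the current action needs and by an operator cap. It also includes a check that flags unlimited approvals in calldata an agent proposes. The selector 0x095ea7b3 is the standard ERC-20 selector; the policy parameters and function names are assumptions.

```javascript
// Added example, not the skill's approve_token: scoped vs. unscoped ERC-20
// approvals. 0x095ea7b3 is the standard selector for approve(address,uint256);
// the `need`/`cap` policy inputs and function names are illustrative.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = '095ea7b3';

function isAddress(a) {
  return typeof a === 'string' && /^0x[0-9a-fA-F]{40}$/.test(a);
}

// ABI-encode an address (string) or uint256 (bigint) as one 32-byte word.
function word(value) {
  if (typeof value === 'string') return value.slice(2).toLowerCase().padStart(64, '0');
  if (value < 0n || value > MAX_UINT256) throw new RangeError('uint256 out of range');
  return value.toString(16).padStart(64, '0');
}

// The behaviour described in the finding: a missing amount silently becomes
// an unlimited allowance for the spender.
function encodeApproveUnscoped(spender, amount) {
  const amt = amount === undefined ? MAX_UINT256 : amount;
  return '0x' + APPROVE_SELECTOR + word(spender) + word(amt);
}

// Hardened form: the amount is mandatory, positive, not unlimited, no larger
// than the action needs right now, and within an operator-set cap. Returns the
// calldata plus a summary suitable for showing the user before broadcast.
function encodeApproveScoped(spender, amount, { need, cap = MAX_UINT256 } = {}) {
  if (!isAddress(spender)) throw new Error('spender must be a 20-byte hex address');
  if (typeof amount !== 'bigint') throw new Error('amount is required (bigint, token base units)');
  if (amount <= 0n) throw new Error('amount must be positive');
  if (amount === MAX_UINT256) throw new Error('refusing unlimited allowance; approve the exact amount needed');
  if (need !== undefined && amount > need) throw new Error(`amount ${amount} exceeds the ${need} this action requires`);
  if (amount > cap) throw new Error(`amount ${amount} exceeds operator cap ${cap}`);
  return {
    calldata: '0x' + APPROVE_SELECTOR + word(spender) + word(amount),
    summary: `approve ${amount} base units to ${spender} (cap ${cap})`,
  };
}

// Review helper: does this calldata grant an unlimited allowance? Useful at
// the tool boundary before an agent-proposed transaction is signed.
function isUnlimitedApprove(calldata) {
  const data = calldata.startsWith('0x') ? calldata.slice(2) : calldata;
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== APPROVE_SELECTOR) return false;
  return BigInt('0x' + data.slice(72)) === MAX_UINT256;
}
```

Approving exactly `need` means a second action needs a second approval, which costs gas; that is the intended trade, since a compromised or mis-specified spender can then take at most the amount still outstanding rather than the whole balance.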

Missing User Warnings

Low
Confidence
83% confidence
Finding
The runtime configuration setter changes sensitive execution context values without any user-facing disclosure inside the tool itself. In an autonomous agent workflow, silent context mutation can cause subsequent blockchain reads or transactions to target unintended chains, endpoints, or wallet identities, undermining operator trust and safety.
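This finding and the earlier set_runtime_config finding describe the same hazard from two angles: the endpoint and wallet context can be changed silently, and a changed RPC endpoint can point reads and writes at attacker infrastructure. The following added example (not the skill's set_runtime_config) validates a proposed change against an operator policy and refuses to apply anything that alters the wallet identity or endpoint without an explicit acknowledgement of that exact field. The field names rpcUrl and walletAddress are taken from the finding; the allowlisted host, the chainId field and the policy shape are assumptions.

```javascript
// Added example, not the skill's set_runtime_config: gate runtime-config
// mutations behind a policy check and explicit operator acknowledgement.
// rpcUrl/walletAddress are the fields named in the finding; the allowlist,
// chainId handling and policy shape are assumptions for illustration.
const RPC_POLICY = {
  // Constructed placeholder; a real deployment lists its vetted RPC hosts.
  allowedHosts: new Set(['rpc.example-mainnet.invalid']),
  requireTls: true,
  expectedChainId: 1,
};

// Returns { ok, violations, requiresReconfirm }: violations block the change,
// requiresReconfirm lists fields whose change must be acknowledged by a human.
function validateRuntimeConfigChange(current, proposed, policy = RPC_POLICY) {
  const violations = [];
  const requiresReconfirm = [];

  if (proposed.rpcUrl !== undefined && proposed.rpcUrl !== current.rpcUrl) {
    let url;
    try { url = new URL(proposed.rpcUrl); } catch (e) { violations.push('rpcUrl is not a valid URL'); }
    if (url) {
      if (policy.requireTls && url.protocol !== 'https:') violations.push(`rpcUrl must use https, got ${url.protocol}`);
      if (url.username || url.password) violations.push('rpcUrl must not embed credentials');
      if (!policy.allowedHosts.has(url.hostname)) violations.push(`rpcUrl host ${url.hostname} is not allowlisted`);
    }
    requiresReconfirm.push('rpcUrl');
  }

  if (proposed.walletAddress !== undefined && proposed.walletAddress !== current.walletAddress) {
    if (!/^0x[0-9a-fA-F]{40}$/.test(proposed.walletAddress)) violations.push('walletAddress is not a 20-byte hex address');
    requiresReconfirm.push('walletAddress');
  }

  if (proposed.chainId !== undefined && proposed.chainId !== policy.expectedChainId) {
    violations.push(`chainId ${proposed.chainId} differs from expected ${policy.expectedChainId}`);
  }

  return { ok: violations.length === 0, violations, requiresReconfirm };
}

// Apply only when the change is valid and `ack` names every sensitive field
// being changed. Returns the new config object; throws otherwise.
function applyRuntimeConfig(current, proposed, ack = [], policy = RPC_POLICY) {
  const result = validateRuntimeConfigChange(current, proposed, policy);
  if (!result.ok) throw new Error('rejected: ' + result.violations.join('; '));
  const missing = result.requiresReconfirm.filter((f) => !ack.includes(f));
  if (missing.length) throw new Error(`operator must confirm change to: ${missing.join(', ')}`);
  return { ...current, ...proposed };
}
```

An allowlist does not prove the endpoint is honest; before trusting a newly accepted rpcUrl, the runtime should also query eth_chainId against it and compare with the expected chain, which this offline example cannot do.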

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool directly submits a state-changing wallet registration transaction once invoked, with no user-facing confirmation, risk disclosure, or explicit consent mechanism in this code path. In an agentic setting, this increases the chance of unintended on-chain actions and gas expenditure if an upstream prompt or workflow triggers the tool without the user fully understanding that a transaction will be broadcast.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This tool directly submits a state-changing blockchain transaction to accept a prediction task, including transferring on-chain value via the `value` field, without any built-in user-facing confirmation, simulation summary, or explicit consent checkpoint at the tool boundary. In an agent setting, that makes unintended fund expenditure materially more likely if the model is prompt-injected, confused, or acts on ambiguous instructions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function creates an on-chain prediction task by calling `createPredictionTask` immediately, with no visible disclosure that a blockchain write is about to occur. Even if no ETH value is attached, it can still consume gas and alter protocol state, which is dangerous when exposed as an agent tool that may be invoked automatically.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reward-claim function submits a blockchain transaction without an explicit user warning or consent step, which can cause unwanted gas spending and state changes. In an agent-controlled wallet context, even beneficial actions like claiming rewards should not be executed silently because prompt injection or mistaken intent can trigger transactions the user did not authorize.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The tool returns precise local filesystem paths for authentication and wallet material (for example, ~/.moltx/auth.json and ~/.moltx/wallet.json) to any caller of get_wallet_info. While this does not directly expose secrets, it unnecessarily reveals sensitive environment details that can help an attacker or prompt-injected agent target credential files, especially in an agentic context where tools may be callable without strong user awareness.

VirusTotal

65/65 vendors reported this skill as clean.
