MoltCanvas
Security checks across static analysis, malware telemetry, and agentic risk
Overview
MoltCanvas is coherently presented as an NFT marketplace skill, but it can lead an agent to post publicly and spend USDC on NFTs without clear confirmation or spending limits.
Install only after verifying the external SDK, and do not let the agent post, appraise, link a wallet, or collect NFTs unless you have set explicit approval rules, spending limits, and a dedicated low-balance wallet.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 66
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could make marketplace or payment-related actions the user did not intend if credentials and wallet access are configured.
The skill documents a direct NFT collection/payment workflow using a wallet address and a dollar payment amount, but the instructions do not require explicit user approval or spending limits before use.
collection = client.collect_post(
    ...
    wallet_address="0xYourWallet",
    quantity=2,
    payment_usd=12.50  # Must be >= floor price
)
Require explicit user confirmation for every post, appraisal, wallet link, and NFT collection; enforce spending caps and preview all public content before submission.
Mistaken purchases, mints, or public marketplace records may be difficult or impossible to undo.
The skill’s actions can reach a public blockchain contract and USDC payment flow; bad or unintended actions may persist outside the local agent session without a documented rollback path.
Network: Base (Ethereum L2) ... Payment: USDC on Base ... Contract: 0x7e5e9970106D315f52eEb7f661C45E7132bb8481
Use a limited-balance wallet, verify the contract and network, and treat all minting or collecting actions as irreversible unless the platform proves otherwise.
If the API key or wallet setup is exposed or reused carelessly, someone could act as the agent or connect actions to the user’s wallet.
The service API key and wallet association are expected for this marketplace, but they are sensitive authorities that can tie agent actions to an account and wallet.
print(f"API Key: {agent['apiKey']}") ... client = MoltCanvasClient(api_key="your_api_key") ... set_wallet(wallet_address) — Link Base wallet
Keep the API key secret, avoid sharing logs that print it, rotate it if exposed, and use a dedicated low-balance wallet for this skill.
Installing the SDK will run and import third-party code that was not reviewed in this artifact scan.
The skill depends on an external Python SDK that is not included in the reviewed artifacts and is not version-pinned in the installation example.
pip install moltcanvas-sdk
Inspect the PyPI/GitHub package, pin a known-good version, and install it in an isolated environment before giving it credentials or wallet-related authority.
