Security audit

MoltsPay Skill

Security checks across malware telemetry and agentic risk

Overview

This payment skill is not clearly malicious, but it can create a wallet and let an agent spend real funds with broad triggers and limited consent safeguards.

Install only if you intentionally want an agent-capable payment wallet on this machine. Review the global npm install, wallet location, provider URLs, and spending limits before use; keep balances low or use testnets, and require explicit confirmation before funding wallets, changing limits, or paying for any service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup script performs `npm install -g moltspay`, which modifies the host globally rather than confining changes to the skill’s own environment. Global installation increases blast radius, can overwrite or shadow existing tools, and introduces supply-chain risk because a first-use skill setup is fetching and executing package-managed code with system-wide effect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes autonomous payments for AI services using crypto and Alipay, but it does not place a prominent warning near the top that real funds may be spent, prices may vary by provider, and service charges or settlement risks may apply. In an agent skill context, this increases the chance that users or downstream integrators enable paid actions without realizing prompts can trigger monetary transactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example prompt 'Generate a video of a cat dancing' is presented as a simple natural-language action without warning that it may invoke a paid third-party service. In an agent environment, examples strongly shape behavior, so omitting a spending warning can normalize silent purchase flows and lead to unintended charges.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The top-level trigger is broad enough to activate on common requests involving video generation or paid services, which increases the chance the skill is invoked without clear user intent to use this specific payment mechanism. In a payment-capable skill, overbroad activation is dangerous because it can steer routine requests into wallet creation, service discovery, or spend flows with insufficient friction.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The natural-language trigger list includes generic phrases like generate video, discover services, and pay/buy/purchase plus AI service, which are common user intents not necessarily implying consent to invoke an external payment workflow. Because the skill can lead to real-money spending, broad matching materially raises the risk of accidental activation and unintended transactional actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The operational guidance walks the agent through funding and paying for services but does not require a prominent warning or explicit user confirmation immediately before actions that may spend real funds. In a skill designed for cross-chain and fiat payments, the absence of a strong pre-payment warning and consent gate creates a substantial risk of unintended charges.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger list includes very broad terms such as "pay", "buy", "video", and especially "generate", which are common in ordinary conversations and can cause the skill to activate outside clearly payment-related contexts. Because this skill can initiate paid-service discovery and payment flows, accidental invocation could expose users to unwanted transactions, phishing-style service prompts, or routing to untrusted third-party services discovered from /.well-known/agent-services.json.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup script automatically initializes a wallet under the user's home directory and persists wallet material without any explicit user confirmation or warning about what will be created. Even if this is normal product behavior, silently creating sensitive financial state on a developer machine can expose users to unintended key storage, backups, or local compromise, especially because this skill is for paid services and handles real wallet funds.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/setup.js:16