中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 68/100
Last scan:23 hr ago Rescan
68 /100
moltspay_skill
Pay for AI services via MoltsPay protocol using USDC on Base chain
The skill installs an unverified third-party npm package (`moltspay`) globally and executes wallet initialization code via a postinstall hook, with no declared shell or network permissions, creating a significant supply-chain and privilege-escalation risk.
Skill Namemoltspay_skill
Duration47.1s
Enginepi
Do not install this skill
Do not use this skill. It installs an untrusted npm package without version pinning, executes code on install via postinstall hook, and makes undeclared network requests. The entire `moltspay` package is a black box with no declared permissions.

Attack Chain 4 steps

Entry User installs skill; postinstall hook triggers scripts/setup.js automatically
package.json:14
Escalation setup.js executes 'npm install -g moltspay' installing untrusted package
scripts/setup.js:32
Escalation Wallet created at ~/.moltspay/wallet.json with private key material
scripts/setup.js:48
Impact moltspay package code is a black box — any malicious behavior in its runtime is invisible to analysis
node_modules/moltspay (uninspectable)

Findings 7 items

Severity Finding Location
High
Untrusted third-party npm package installed without pinning Supply Chain
setup.sh and setup.js both run 'npm install -g moltspay' from npmjs.com with no version constraint. The package is controlled by an unknown party (Yaqing2023/moltspay) and could be silently updated to a malicious version at any time.
npm install -g moltspay
→ Pin to a specific verified version: npm install -g [email protected], or better, audit the package source before recommending installation
 scripts/setup.sh:13
High
Postinstall hook executes arbitrary code on skill install Supply Chain
package.json contains 'postinstall': 'node scripts/setup.js' which means the setup script (including npm install -g moltspay and wallet initialization) runs automatically when the skill is installed, without user consent.
"postinstall": "node scripts/setup.js"
→ Remove the postinstall hook; require explicit user action to run setup
 package.json:14
High
SKILL.md completely omits the npm install step Doc Mismatch
SKILL.md describes a 'moltspay CLI' but never tells users that it will install a global npm package. Users have no opportunity to review or refuse the package installation before it happens.
The `moltspay` CLI provides these commands
→ SKILL.md must explicitly declare: 'This skill installs moltspay via npm install -g moltspay from npmjs.com'
 SKILL.md:1
Medium
Undeclared shell execution via execSync and bash Priv Escalation
Both setup.sh and setup.js execute shell commands (npm install -g, moltspay init, moltspay pay, moltspay status) but SKILL.md declares no shell permissions. The skill effectively escalates to shell:WRITE without documentation.
return execSync(cmd, { encoding: 'utf8', stdio: silent ? 'pipe' : 'inherit' })
→ Declare shell:WRITE permission in SKILL.md and explain all shell commands executed
 scripts/setup.js:17
Medium
Wallet file stored in user home directory Sensitive Access
The skill creates and reads ~/.moltspay/wallet.json which likely contains private keys or seed phrases for the user's crypto wallet. SKILL.md does not disclose this data collection or storage behavior.
const WALLET_PATH = path.join(os.homedir(), '.moltspay', 'wallet.json')
→ SKILL.md must explicitly disclose that private wallet data is stored locally in ~/.moltspay/
 scripts/setup.js:10
Medium
Undeclared network requests to external domains Priv Escalation
SKILL.md lists moltspay.com and juai8.com URLs but never formally declares network:READ permission. The actual HTTP calls made by the moltspay CLI to these endpoints are not documented.
GET https://moltspay.com/api/search?q=<keyword>
→ Declare network:READ in capabilityMap and enumerate all external endpoints
 SKILL.md:45
Low
npm package has no version lock Supply Chain
The npm package 'moltspay' is not pinned to a specific version, creating replay risk if the package is later modified.
"setup": "node scripts/setup.js"
→ Pin moltspay version in setup scripts: npm install -g [email protected]
 package.json:13
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✗ Violation setup.js:48 writes to ~/.moltspay/wallet.json
Network NONE READ ✗ Violation SKILL.md lines 45-52 list URLs but never declare network:READ
Shell NONE WRITE ✗ Violation setup.sh:13 'npm install -g moltspay'; setup.js:32 execSync('npm install -g molt…
Environment NONE READ ✓ Aligned setup.js reads os.homedir(); wallet.json likely contains private keys
Skill Invoke NONE WRITE ✓ Aligned postinstall hook in package.json auto-runs scripts/setup.js on skill install
7 findings
🔗
Medium External URL 外部 URL
https://juai8.com/zen7
README.md:29
🔗
Medium External URL 外部 URL
https://moltspay.com/docs
README.md:48
🔗
Medium External URL 外部 URL
https://moltspay.com/services
README.md:49
🔗
Medium External URL 外部 URL
https://discord.gg/QwCJgVBxVK
README.md:50
🔗
Medium External URL 外部 URL
https://moltspay.com/api/search?q=
SKILL.md:45
🔗
Medium External URL 外部 URL
https://moltspay.com/api/services
SKILL.md:46
🔗
Medium External URL 外部 URL
https://juai8.com/.well-known/agent-services.json
SKILL.md:52

File Tree

7 files · 9.9 KB · 364 lines
Markdown 2f · 175L Shell 3f · 87L JavaScript 1f · 66L JSON 1f · 36L
├─ 📁 scripts
│ ├─ 🔧 ensure-wallet.sh Shell 27L · 799 B
│ ├─ 🔧 pay-zen7-video.sh Shell 18L · 479 B
│ ├─ 📜 setup.js JavaScript 66L · 2.1 KB
│ └─ 🔧 setup.sh Shell 42L · 1.3 KB
├─ 📋 package.json JSON 36L · 691 B
├─ 📝 README.md Markdown 54L · 1.3 KB
└─ 📝 SKILL.md Markdown 121L · 3.2 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
moltspay latest (unpinned) npm No Package from npmjs.com by Yaqing2023 — not audited, version not pinned, black box
jq * system (used in setup.sh) No System dependency assumed present

Security Positives

✓ No base64-encoded payloads or obfuscated code observed
✓ No hardcoded external IPs or C2 infrastructure
✓ No direct credential exfiltration to third parties observed in source scripts
✓ Wallet data stored locally rather than sent externally (based on visible scripts)