Skill Trust Decision

moltspay_skill

Name: moltspay_skill Trust Review Report
Item: moltspay_skill
Rating: 32
Author: ClawSafe

The skill installs an unverified third-party npm package (`moltspay`) globally and executes wallet initialization code via a postinstall hook, with no declared shell or network permissions, creating a significant supply-chain and privilege-escalation risk.

Install decision first Source: Manual upload Scanned: Apr 4, 2026

Files 7

Artifacts 7

Violations 3

Findings 7

Most direct threat evidence

User installs skill; postinstall hook triggers scripts/setup.js automatically Entry · package.json

setup.js executes 'npm install -g moltspay' installing untrusted package Escalation · scripts/setup.js

Wallet created at ~/.moltspay/wallet.json with private key material Persistence · scripts/setup.js

Why this conclusion was reached

2/4 dimensions flagged

Block

Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Review

Hidden execution and egress

7 lower-risk artifacts were extracted and still need context.

Block

Attack chain and severe findings

The report includes 4 attack-chain steps and 3 severe findings.

Review

Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

User installs skill; postinstall hook triggers scripts/setup.js automatically

Entry · package.json:14

setup.js executes 'npm install -g moltspay' installing untrusted package

Escalation · scripts/setup.js:32

Wallet created at ~/.moltspay/wallet.json with private key material

Persistence · scripts/setup.js:48

moltspay package code is a black box — any malicious behavior in its runtime is invisible to analysis

Impact · node_modules/moltspay (uninspectable)

What drove the risk score up

Undeclared npm install -g moltspay +20

SKILL.md never mentions npm install; skill runs 'npm install -g moltspay' (setup.sh:13, setup.js:32) without user disclosure

Postinstall hook auto-executes code +15

package.json has 'postinstall': 'node scripts/setup.js' which silently runs on npm install

No version pinning on moltspay package +12

npm install -g moltspay with no @version pins the package to latest; could be silently updated to a malicious version

Undeclared shell execution +10

execSync('npm install -g moltspay') and execSync('moltspay init') use shell:WRITE but SKILL.md declares no shell access

Undeclared network access +8

Queries moltspay.com and juai8.com APIs; SKILL.md lists URLs but never declares network:READ permission

Undeclared filesystem write +5

Writes wallet to ~/.moltspay/wallet.json; SKILL.md never mentions filesystem write access

Most important evidence

High Supply Chain

Untrusted third-party npm package installed without pinning

setup.sh and setup.js both run 'npm install -g moltspay' from npmjs.com with no version constraint. The package is controlled by an unknown party (Yaqing2023/moltspay) and could be silently updated to a malicious version at any time.

scripts/setup.sh:13

Pin to a specific verified version: npm install -g [email protected], or better, audit the package source before recommending installation

High Supply Chain

Postinstall hook executes arbitrary code on skill install

package.json contains 'postinstall': 'node scripts/setup.js' which means the setup script (including npm install -g moltspay and wallet initialization) runs automatically when the skill is installed, without user consent.

package.json:14

Remove the postinstall hook; require explicit user action to run setup

High Doc Mismatch

SKILL.md completely omits the npm install step

SKILL.md describes a 'moltspay CLI' but never tells users that it will install a global npm package. Users have no opportunity to review or refuse the package installation before it happens.

SKILL.md:1

SKILL.md must explicitly declare: 'This skill installs moltspay via npm install -g moltspay from npmjs.com'

Medium Priv Escalation

Undeclared shell execution via execSync and bash

Both setup.sh and setup.js execute shell commands (npm install -g, moltspay init, moltspay pay, moltspay status) but SKILL.md declares no shell permissions. The skill effectively escalates to shell:WRITE without documentation.

scripts/setup.js:17

Declare shell:WRITE permission in SKILL.md and explain all shell commands executed

Medium Sensitive Access

Wallet file stored in user home directory

The skill creates and reads ~/.moltspay/wallet.json which likely contains private keys or seed phrases for the user's crypto wallet. SKILL.md does not disclose this data collection or storage behavior.

scripts/setup.js:10

SKILL.md must explicitly disclose that private wallet data is stored locally in ~/.moltspay/

Medium Priv Escalation

Undeclared network requests to external domains

SKILL.md lists moltspay.com and juai8.com URLs but never formally declares network:READ permission. The actual HTTP calls made by the moltspay CLI to these endpoints are not documented.

SKILL.md:45

Declare network:READ in capabilityMap and enumerate all external endpoints

Low Supply Chain

npm package has no version lock

The npm package 'moltspay' is not pinned to a specific version, creating replay risk if the package is later modified.

package.json:13

Pin moltspay version in setup scripts: npm install -g [email protected]

Declared capability vs actual capability

Filesystem Block

Declared NONE

→

Inferred WRITE

setup.js:48 writes to ~/.moltspay/wallet.json

Network Block

Declared NONE

→

Inferred READ

SKILL.md lines 45-52 list URLs but never declare network:READ

Shell Block

Declared NONE

→

Inferred WRITE

setup.sh:13 'npm install -g moltspay'; setup.js:32 execSync('npm install -g moltspay')

Environment Pass

Declared NONE

→

Inferred READ

setup.js reads os.homedir(); wallet.json likely contains private keys

Skill Invoke Pass

Declared NONE

→

Inferred WRITE

postinstall hook in package.json auto-runs scripts/setup.js on skill install

Suspicious artifacts and egress

Medium External URL

https://juai8.com/zen7

README.md:29

Medium External URL

https://moltspay.com/docs

README.md:48

Medium External URL

https://moltspay.com/services

README.md:49

Medium External URL

https://discord.gg/QwCJgVBxVK

README.md:50

Medium External URL

https://moltspay.com/api/search?q=

SKILL.md:45

Medium External URL

https://moltspay.com/api/services

SKILL.md:46

Medium External URL

https://juai8.com/.well-known/agent-services.json

SKILL.md:52

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
moltspay	`latest (unpinned)`	npm	No	Package from npmjs.com by Yaqing2023 — not audited, version not pinned, black box
jq	`*`	system (used in setup.sh)	No	System dependency assumed present

File composition

7 files · 364 lines

Markdown 2 files · 175 linesShell 3 files · 87 linesJavaScript 1 files · 66 linesJSON 1 files · 36 lines

Files of concern · 5

SKILL.md Markdown · 121 lines

SKILL.md completely omits the npm install step · Undeclared network requests to external domains · https://moltspay.com/api/search?q= · https://moltspay.com/api/services · https://juai8.com/.well-known/agent-services.json

scripts/setup.js JavaScript · 66 lines

Undeclared shell execution via execSync and bash · Wallet file stored in user home directory

scripts/setup.sh Shell · 42 lines

Untrusted third-party npm package installed without pinning

README.md Markdown · 54 lines

https://juai8.com/zen7 · https://moltspay.com/docs · https://moltspay.com/services · https://discord.gg/QwCJgVBxVK

package.json JSON · 36 lines

Postinstall hook executes arbitrary code on skill install · npm package has no version lock

Other files · ensure-wallet.sh · pay-zen7-video.sh

Security positives

No base64-encoded payloads or obfuscated code observed

No hardcoded external IPs or C2 infrastructure

No direct credential exfiltration to third parties observed in source scripts

Wallet data stored locally rather than sent externally (based on visible scripts)