moltspay_skill 安全扫描报告 — 高风险 | ClawSafe

68 /100

moltspay_skill

Pay for AI services via MoltsPay protocol using USDC on Base chain

The skill installs an unverified third-party npm package (`moltspay`) globally and executes wallet initialization code via a postinstall hook, with no declared shell or network permissions, creating a significant supply-chain and privilege-escalation risk.

技能名称moltspay_skill

分析耗时47.1s

引擎pi

⛔

不要安装此技能

Do not use this skill. It installs an untrusted npm package without version pinning, executes code on install via postinstall hook, and makes undeclared network requests. The entire `moltspay` package is a black box with no declared permissions.

攻击链 4 步

◎

入口 User installs skill; postinstall hook triggers scripts/setup.js automatically

package.json:14

⬡

提权 setup.js executes 'npm install -g moltspay' installing untrusted package

scripts/setup.js:32

⬡

提权 Wallet created at ~/.moltspay/wallet.json with private key material

scripts/setup.js:48

◉

影响 moltspay package code is a black box — any malicious behavior in its runtime is invisible to analysis

node_modules/moltspay (uninspectable)

安全发现 7 项

严重性	安全发现	位置
高危	Untrusted third-party npm package installed without pinning 供应链 setup.sh and setup.js both run 'npm install -g moltspay' from npmjs.com with no version constraint. The package is controlled by an unknown party (Yaqing2023/moltspay) and could be silently updated to a malicious version at any time. `npm install -g moltspay` → Pin to a specific verified version: npm install -g [email protected], or better, audit the package source before recommending installation	`scripts/setup.sh:13`
高危	Postinstall hook executes arbitrary code on skill install 供应链 package.json contains 'postinstall': 'node scripts/setup.js' which means the setup script (including npm install -g moltspay and wallet initialization) runs automatically when the skill is installed, without user consent. `"postinstall": "node scripts/setup.js"` → Remove the postinstall hook; require explicit user action to run setup	`package.json:14`
高危	SKILL.md completely omits the npm install step 文档欺骗 SKILL.md describes a 'moltspay CLI' but never tells users that it will install a global npm package. Users have no opportunity to review or refuse the package installation before it happens. The `moltspay` CLI provides these commands → SKILL.md must explicitly declare: 'This skill installs moltspay via npm install -g moltspay from npmjs.com'	`SKILL.md:1`
中危	Undeclared shell execution via execSync and bash 权限提升 Both setup.sh and setup.js execute shell commands (npm install -g, moltspay init, moltspay pay, moltspay status) but SKILL.md declares no shell permissions. The skill effectively escalates to shell:WRITE without documentation. `return execSync(cmd, { encoding: 'utf8', stdio: silent ? 'pipe' : 'inherit' })` → Declare shell:WRITE permission in SKILL.md and explain all shell commands executed	`scripts/setup.js:17`
中危	Wallet file stored in user home directory 敏感访问 The skill creates and reads ~/.moltspay/wallet.json which likely contains private keys or seed phrases for the user's crypto wallet. SKILL.md does not disclose this data collection or storage behavior. `const WALLET_PATH = path.join(os.homedir(), '.moltspay', 'wallet.json')` → SKILL.md must explicitly disclose that private wallet data is stored locally in ~/.moltspay/	`scripts/setup.js:10`
中危	Undeclared network requests to external domains 权限提升 SKILL.md lists moltspay.com and juai8.com URLs but never formally declares network:READ permission. The actual HTTP calls made by the moltspay CLI to these endpoints are not documented. `GET https://moltspay.com/api/search?q=<keyword>` → Declare network:READ in capabilityMap and enumerate all external endpoints	`SKILL.md:45`
低危	npm package has no version lock 供应链 The npm package 'moltspay' is not pinned to a specific version, creating replay risk if the package is later modified. `"setup": "node scripts/setup.js"` → Pin moltspay version in setup scripts: npm install -g [email protected]	`package.json:13`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✗ 越权	setup.js:48 writes to ~/.moltspay/wallet.json
网络访问	`NONE`	`READ`	✗ 越权	SKILL.md lines 45-52 list URLs but never declare network:READ
命令执行	`NONE`	`WRITE`	✗ 越权	setup.sh:13 'npm install -g moltspay'; setup.js:32 execSync('npm install -g molt…
环境变量	`NONE`	`READ`	✓ 一致	setup.js reads os.homedir(); wallet.json likely contains private keys
技能调用	`NONE`	`WRITE`	✓ 一致	postinstall hook in package.json auto-runs scripts/setup.js on skill install

7 项发现

🔗

中危外部 URL 外部 URL

https://juai8.com/zen7

README.md:29

🔗

中危外部 URL 外部 URL

https://moltspay.com/docs

README.md:48

🔗

中危外部 URL 外部 URL

https://moltspay.com/services

README.md:49

🔗

中危外部 URL 外部 URL

https://discord.gg/QwCJgVBxVK

README.md:50

🔗

中危外部 URL 外部 URL

https://moltspay.com/api/search?q=

SKILL.md:45

🔗

中危外部 URL 外部 URL

https://moltspay.com/api/services

SKILL.md:46

🔗

中危外部 URL 外部 URL

https://juai8.com/.well-known/agent-services.json

SKILL.md:52

目录结构

7 文件 · 9.9 KB · 364 行

Markdown 2f · 175L Shell 3f · 87L JavaScript 1f · 66L JSON 1f · 36L

├─ ▾ 📁 scripts

│ ├─ 🔧 ensure-wallet.sh Shell 27L · 799 B

│ ├─ 🔧 pay-zen7-video.sh Shell 18L · 479 B

│ ├─ 📜 setup.js JavaScript 66L · 2.1 KB

│ └─ 🔧 setup.sh Shell 42L · 1.3 KB

├─ 📋 package.json JSON 36L · 691 B

├─ 📝 README.md Markdown 54L · 1.3 KB

└─ 📝 SKILL.md Markdown 121L · 3.2 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`moltspay`	`latest (unpinned)`	npm	否	Package from npmjs.com by Yaqing2023 — not audited, version not pinned, black box
`jq`	`*`	system (used in setup.sh)	否	System dependency assumed present

安全亮点

✓ No base64-encoded payloads or obfuscated code observed

✓ No hardcoded external IPs or C2 infrastructure

✓ No direct credential exfiltration to third parties observed in source scripts

✓ Wallet data stored locally rather than sent externally (based on visible scripts)