Security Decision Report

moltspay_skill

The skill installs an unverified third-party npm package (`moltspay`) globally and executes wallet initialization code via a postinstall hook, with no declared shell or network permissions, creating a significant supply-chain and privilege-escalation risk.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 7
IOCs: 7
Overreach items: 3
Findings: 7
Most direct threat evidence
01
User installs skill; postinstall hook triggers scripts/setup.js automatically (Initial entry · package.json)
02
setup.js executes 'npm install -g moltspay' installing untrusted package (Privilege escalation · scripts/setup.js)
03
Wallet created at ~/.moltspay/wallet.json with private key material (Persistence · scripts/setup.js)

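Why this conclusion was reached

2/4 dimensions triggered
Block
Declared vs. actual capabilities

Found 3 capabilities or overreaching behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 7 general-risk artifacts that need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 4-step attack chain, plus 3 high or critical findings.

Review
Dependency and supply-chain hygiene

Found 2 dependency or supply-chain leads that need attention.

Attack chain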

01
User installs skill; postinstall hook triggers scripts/setup.js automatically

Initial entry · package.json:14

02
setup.js executes 'npm install -g moltspay' installing untrusted package

Privilege escalation · scripts/setup.js:32

03
Wallet created at ~/.moltspay/wallet.json with private key material

Persistence · scripts/setup.js:48

04
moltspay package code is a black box — any malicious behavior in its runtime is invisible to analysis

Final impact · node_modules/moltspay (uninspectable)

How the risk score was raised

Undeclared npm install -g moltspay +20

SKILL.md never mentions npm install; skill runs 'npm install -g moltspay' (setup.sh:13, setup.js:32) without user disclosure

Postinstall hook auto-executes code +15

package.json has 'postinstall': 'node scripts/setup.js' which silently runs on npm install

No version pinning on moltspay package +12

npm install -g moltspay with no @version always resolves to the latest release; the package could be silently updated to a malicious version

Undeclared shell execution +10

execSync('npm install -g moltspay') and execSync('moltspay init') use shell:WRITE but SKILL.md declares no shell access

Undeclared network access +8

Queries moltspay.com and juai8.com APIs; SKILL.md lists URLs but never declares network:READ permission

Undeclared filesystem write +5

Writes wallet to ~/.moltspay/wallet.json; SKILL.md never mentions filesystem write access

Key evidence

High · Supply chain

Untrusted third-party npm package installed without pinning

setup.sh and setup.js both run 'npm install -g moltspay' from npmjs.com with no version constraint. The package is controlled by an unknown party (Yaqing2023/moltspay) and could be silently updated to a malicious version at any time.

scripts/setup.sh:13
Pin to a specific verified version: npm install -g [email protected], or better, audit the package source before recommending installation
High · Supply chain

Postinstall hook executes arbitrary code on skill install

package.json contains 'postinstall': 'node scripts/setup.js' which means the setup script (including npm install -g moltspay and wallet initialization) runs automatically when the skill is installed, without user consent.

package.json:14
Remove the postinstall hook; require explicit user action to run setup
High · Documentation deception

SKILL.md completely omits the npm install step

SKILL.md describes a 'moltspay CLI' but never tells users that it will install a global npm package. Users have no opportunity to review or refuse the package installation before it happens.

SKILL.md:1
SKILL.md must explicitly declare: 'This skill installs moltspay via npm install -g moltspay from npmjs.com'
Medium · Privilege escalation

Undeclared shell execution via execSync and bash

Both setup.sh and setup.js execute shell commands (npm install -g, moltspay init, moltspay pay, moltspay status) but SKILL.md declares no shell permissions. The skill effectively escalates to shell:WRITE without documentation.

scripts/setup.js:17
Declare shell:WRITE permission in SKILL.md and explain all shell commands executed
Medium · Sensitive access

Wallet file stored in user home directory

The skill creates and reads ~/.moltspay/wallet.json which likely contains private keys or seed phrases for the user's crypto wallet. SKILL.md does not disclose this data collection or storage behavior.

scripts/setup.js:10
SKILL.md must explicitly disclose that private wallet data is stored locally in ~/.moltspay/
Medium · Privilege escalation

Undeclared network requests to external domains

SKILL.md lists moltspay.com and juai8.com URLs but never formally declares network:READ permission. The actual HTTP calls made by the moltspay CLI to these endpoints are not documented.

SKILL.md:45
Declare network:READ in capabilityMap and enumerate all external endpoints
Low · Supply chain

npm package has no version lock

The npm package 'moltspay' is not pinned to a specific version, creating replay risk if the package is later modified.

package.json:13
Pin moltspay version in setup scripts: npm install -g [email protected]

Declared vs. actual capabilities

Filesystem · Block
Declared: NONE
Inferred: WRITE
setup.js:48 writes to ~/.moltspay/wallet.json
Network access · Block
Declared: NONE
Inferred: READ
SKILL.md lines 45-52 list URLs but never declare network:READ
Command execution · Block
Declared: NONE
Inferred: WRITE
setup.sh:13 'npm install -g moltspay'; setup.js:32 execSync('npm install -g moltspay')
Environment variables · Pass
Declared: NONE
Inferred: READ
setup.js reads os.homedir(); wallet.json likely contains private keys
Skill invocation · Pass
Declared: NONE
Inferred: WRITE
postinstall hook in package.json auto-runs scripts/setup.js on skill install

Suspicious artifacts and outbound connections

Medium · External URL
https://juai8.com/zen7

README.md:29

Medium · External URL
https://moltspay.com/docs

README.md:48

Medium · External URL
https://moltspay.com/services

README.md:49

Medium · External URL
https://discord.gg/QwCJgVBxVK

README.md:50

Medium · External URL
https://moltspay.com/api/search?q=

SKILL.md:45

Medium · External URL
https://moltspay.com/api/services

SKILL.md:46

Medium · External URL
https://juai8.com/.well-known/agent-services.json

SKILL.md:52

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
moltspay latest (unpinned) npm Package from npmjs.com by Yaqing2023 — not audited, version not pinned, black box
jq * system (used in setup.sh) System dependency assumed present

File composition

7 files · 364 lines
Markdown: 2 files · 175 lines
Shell: 3 files · 87 lines
JavaScript: 1 file · 66 lines
JSON: 1 file · 36 lines
Files needing attention · 5
SKILL.md Markdown · 121 lines
SKILL.md completely omits the npm install step · Undeclared network requests to external domains · https://moltspay.com/api/search?q= · https://moltspay.com/api/services · https://juai8.com/.well-known/agent-services.json
scripts/setup.js JavaScript · 66 lines
Undeclared shell execution via execSync and bash · Wallet file stored in user home directory
scripts/setup.sh Shell · 42 lines
Untrusted third-party npm package installed without pinning
README.md Markdown · 54 lines
https://juai8.com/zen7 · https://moltspay.com/docs · https://moltspay.com/services · https://discord.gg/QwCJgVBxVK
package.json JSON · 36 lines
Postinstall hook executes arbitrary code on skill install · npm package has no version lock
Other files · ensure-wallet.sh · pay-zen7-video.sh

Security highlights

No base64-encoded payloads or obfuscated code observed
No hardcoded external IPs or C2 infrastructure
No direct credential exfiltration to third parties observed in source scripts
Wallet data stored locally rather than sent externally (based on visible scripts)