MoltX Skill Pack Security Report — Trusted | ClawSafe

0 /100

MoltX Skill Pack

Blockchain task lifecycle orchestration on Base — Maker, Taker, Arbitrator, Prediction, and Tools roles for the MoltX protocol

MoltX skill pack is a legitimate blockchain task management system with no malicious behavior, credential harvesting, code obfuscation, or hidden functionality. All capabilities are fully declared in SKILL.md and trace directly to clean TypeScript implementations.

Skill NameMoltX Skill Pack

Duration55.2s

Enginepi

✓

Safe to install

Approve for use. The skill only performs standard Ethereum blockchain read/write operations and optional API syncs. No additional restrictions needed.

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	viem http() transport to configurable RPC URL + optional fetch() to user-provide…
Filesystem	`NONE`	`WRITE`	✓ Aligned	Writes only to ~/.moltx/ for agent state; single-purpose and scoped
Shell	`NONE`	`NONE`	—	No subprocess, exec, or shell command execution found anywhere
Environment	`READ`	`READ`	✓ Aligned	Reads MOLTX_PRIVATE_KEY, RPC_URL, MOLTX_API_URL, MOLTX_API_KEY, MOLTX_API_JWT; n…
Skill Invoke	`NONE`	`NONE`	—	No dynamic skill invocation or cross-skill calls
Clipboard	`NONE`	`NONE`	—	No clipboard access found
Browser	`NONE`	`NONE`	—	No browser automation found
Database	`READ`	`READ`	✓ Aligned	API sync tools read/write to optional user-provided MOLTX_API_URL endpoint only

3 findings

🔗

Medium External URL 外部 URL

https://sepolia.base.org

SKILL.md:141

🔗

Medium External URL 外部 URL

https://your-project.supabase.co

SKILL.md:157

💰

Medium Wallet Address 加密货币钱包地址

0x4444444444444444444444444444444444444444

runtime/test/config-and-abi.test.ts:28

File Tree

48 files · 829.3 KB · 18774 lines

JSON 8f · 10325L TypeScript 18f · 3943L JavaScript 15f · 2845L Markdown 6f · 1177L YAML 1f · 484L

├─ ▾ 📁 runtime

│ ├─ ▾ 📁 dist

│ │ ├─ ▾ 📁 contracts

│ │ │ ├─ 📋 MoltXCore.json JSON 2647L · 144.2 KB

│ │ │ ├─ 📋 MoltXCouncil.json JSON 1207L · 68.8 KB

│ │ │ └─ 📋 MoltXPrediction.json JSON 1288L · 66.0 KB

│ │ ├─ ▾ 📁 tools

│ │ │ ├─ 📜 agent-query.js JavaScript 129L · 4.9 KB

│ │ │ ├─ 📜 agent-state.js JavaScript 132L · 4.3 KB

│ │ │ ├─ 📜 agent-sync.js JavaScript 276L · 9.7 KB

│ │ │ ├─ 📜 api.js JavaScript 346L · 13.4 KB

│ │ │ ├─ 📜 config.js JavaScript 90L · 3.2 KB

│ │ │ ├─ 📜 core.js JavaScript 707L · 29.1 KB

│ │ │ ├─ 📜 council.js JavaScript 236L · 9.0 KB

│ │ │ ├─ 📜 event-state.js JavaScript 55L · 1.6 KB

│ │ │ ├─ 📜 events.js JavaScript 166L · 5.7 KB

│ │ │ ├─ 📜 hash.js JavaScript 47L · 1.7 KB

│ │ │ ├─ 📜 prediction.js JavaScript 225L · 8.2 KB

│ │ │ ├─ 📜 requirement.js JavaScript 158L · 6.4 KB

│ │ │ ├─ 📜 shared.js JavaScript 201L · 6.7 KB

│ │ │ └─ 📜 wallet.js JavaScript 20L · 557 B

│ │ └─ 📜 cli.js JavaScript 57L · 1.9 KB

│ ├─ ▾ 📁 src

│ │ ├─ ▾ 📁 contracts

│ │ │ ├─ 📋 MoltXCore.json JSON 2647L · 144.2 KB

│ │ │ ├─ 📋 MoltXCouncil.json JSON 1207L · 68.8 KB

│ │ │ └─ 📋 MoltXPrediction.json JSON 1288L · 66.0 KB

│ │ ├─ ▾ 📁 tools

│ │ │ ├─ 📜 agent-query.ts TypeScript 175L · 4.8 KB

│ │ │ ├─ 📜 agent-state.ts TypeScript 234L · 6.5 KB

│ │ │ ├─ 📜 agent-sync.ts TypeScript 330L · 9.7 KB

│ │ │ ├─ 📜 api.ts TypeScript 466L · 14.2 KB

│ │ │ ├─ 📜 config.ts TypeScript 125L · 3.5 KB

│ │ │ ├─ 📜 core.ts TypeScript 872L · 29.2 KB

│ │ │ ├─ 📜 council.ts TypeScript 279L · 8.7 KB

│ │ │ ├─ 📜 event-state.ts TypeScript 78L · 1.8 KB

│ │ │ ├─ 📜 events.ts TypeScript 206L · 5.6 KB

│ │ │ ├─ 📜 hash.ts TypeScript 58L · 1.8 KB

│ │ │ ├─ 📜 prediction.ts TypeScript 266L · 8.0 KB

│ │ │ ├─ 📜 requirement.ts TypeScript 221L · 6.9 KB

│ │ │ ├─ 📜 shared.ts TypeScript 323L · 7.9 KB

│ │ │ └─ 📜 wallet.ts TypeScript 24L · 626 B

│ │ └─ 📜 cli.ts TypeScript 70L · 2.0 KB

│ ├─ ▾ 📁 test

│ │ ├─ 📜 cli-surface.test.ts TypeScript 62L · 1.8 KB

│ │ ├─ 📜 config-and-abi.test.ts TypeScript 49L · 1.8 KB

│ │ └─ 📜 requirement-json.test.ts TypeScript 105L · 3.3 KB

│ └─ 📋 tsconfig.json JSON 14L · 297 B

├─ ▾ 📁 skills

│ ├─ ▾ 📁 moltx_arbitrator

│ │ └─ 📝 SKILL.md Markdown 241L · 6.0 KB

│ ├─ ▾ 📁 moltx_maker

│ │ └─ 📝 SKILL.md Markdown 265L · 7.2 KB

│ ├─ ▾ 📁 moltx_prediction

│ │ └─ 📝 SKILL.md Markdown 236L · 5.6 KB

│ ├─ ▾ 📁 moltx_taker

│ │ └─ 📝 SKILL.md Markdown 129L · 2.4 KB

│ └─ ▾ 📁 moltx_tools

│ └─ 📝 SKILL.md Markdown 123L · 4.0 KB

├─ 📋 package.json JSON 27L · 857 B

├─ 📋 pnpm-lock.yaml YAML 484L · 14.2 KB

└─ 📝 SKILL.md Markdown 183L · 6.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`viem`	`^2.0.0`	npm	No	Major version pinned; standard Ethereum library

Security Positives

✓ No subprocess, exec, or shell command execution anywhere in the codebase

✓ No base64-encoded payloads or obfuscated code

✓ Private key (MOLTX_PRIVATE_KEY) is read from env only for local wallet derivation — never exfiltrated

✓ All API credentials (MOLTX_API_KEY, MOLTX_API_JWT) used only for auth headers to user-specified endpoint

✓ No access to ~/.ssh, ~/.aws, .env, or other credential stores

✓ No remote script execution (no curl|bash, wget|sh)

✓ No data exfiltration or C2 communication

✓ No hidden instructions in comments or HTML

✓ No supply chain risks: only one dependency (viem@^2.0.0) with pinned major version

✓ All 5 SKILL.md files are detailed and accurately reflect implementation

✓ State written only to ~./.moltx/ directory with no cross-contamination

✓ Agent state files are namespaced by role (maker-tasks, taker-tasks, disputes, prediction-bets)

✓ Codebase is entirely readable TypeScript with no minified or compiled-only payloads

Scan Report

File Tree

Dependencies 1 items

Security Positives