MoltX Skill Pack 安全扫描报告 — 可信 | ClawSafe

0 /100

MoltX Skill Pack

Blockchain task lifecycle orchestration on Base — Maker, Taker, Arbitrator, Prediction, and Tools roles for the MoltX protocol

MoltX skill pack is a legitimate blockchain task management system with no malicious behavior, credential harvesting, code obfuscation, or hidden functionality. All capabilities are fully declared in SKILL.md and trace directly to clean TypeScript implementations.

技能名称MoltX Skill Pack

分析耗时55.2s

引擎pi

✓

可以安装

Approve for use. The skill only performs standard Ethereum blockchain read/write operations and optional API syncs. No additional restrictions needed.

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	viem http() transport to configurable RPC URL + optional fetch() to user-provide…
文件系统	`NONE`	`WRITE`	✓ 一致	Writes only to ~/.moltx/ for agent state; single-purpose and scoped
命令执行	`NONE`	`NONE`	—	No subprocess, exec, or shell command execution found anywhere
环境变量	`READ`	`READ`	✓ 一致	Reads MOLTX_PRIVATE_KEY, RPC_URL, MOLTX_API_URL, MOLTX_API_KEY, MOLTX_API_JWT; n…
技能调用	`NONE`	`NONE`	—	No dynamic skill invocation or cross-skill calls
剪贴板	`NONE`	`NONE`	—	No clipboard access found
浏览器	`NONE`	`NONE`	—	No browser automation found
数据库	`READ`	`READ`	✓ 一致	API sync tools read/write to optional user-provided MOLTX_API_URL endpoint only

3 项发现

🔗

中危外部 URL 外部 URL

https://sepolia.base.org

SKILL.md:141

🔗

中危外部 URL 外部 URL

https://your-project.supabase.co

SKILL.md:157

💰

中危钱包地址加密货币钱包地址

0x4444444444444444444444444444444444444444

runtime/test/config-and-abi.test.ts:28

目录结构

48 文件 · 829.3 KB · 18774 行

JSON 8f · 10325L TypeScript 18f · 3943L JavaScript 15f · 2845L Markdown 6f · 1177L YAML 1f · 484L

├─ ▾ 📁 runtime

│ ├─ ▾ 📁 dist

│ │ ├─ ▾ 📁 contracts

│ │ │ ├─ 📋 MoltXCore.json JSON 2647L · 144.2 KB

│ │ │ ├─ 📋 MoltXCouncil.json JSON 1207L · 68.8 KB

│ │ │ └─ 📋 MoltXPrediction.json JSON 1288L · 66.0 KB

│ │ ├─ ▾ 📁 tools

│ │ │ ├─ 📜 agent-query.js JavaScript 129L · 4.9 KB

│ │ │ ├─ 📜 agent-state.js JavaScript 132L · 4.3 KB

│ │ │ ├─ 📜 agent-sync.js JavaScript 276L · 9.7 KB

│ │ │ ├─ 📜 api.js JavaScript 346L · 13.4 KB

│ │ │ ├─ 📜 config.js JavaScript 90L · 3.2 KB

│ │ │ ├─ 📜 core.js JavaScript 707L · 29.1 KB

│ │ │ ├─ 📜 council.js JavaScript 236L · 9.0 KB

│ │ │ ├─ 📜 event-state.js JavaScript 55L · 1.6 KB

│ │ │ ├─ 📜 events.js JavaScript 166L · 5.7 KB

│ │ │ ├─ 📜 hash.js JavaScript 47L · 1.7 KB

│ │ │ ├─ 📜 prediction.js JavaScript 225L · 8.2 KB

│ │ │ ├─ 📜 requirement.js JavaScript 158L · 6.4 KB

│ │ │ ├─ 📜 shared.js JavaScript 201L · 6.7 KB

│ │ │ └─ 📜 wallet.js JavaScript 20L · 557 B

│ │ └─ 📜 cli.js JavaScript 57L · 1.9 KB

│ ├─ ▾ 📁 src

│ │ ├─ ▾ 📁 contracts

│ │ │ ├─ 📋 MoltXCore.json JSON 2647L · 144.2 KB

│ │ │ ├─ 📋 MoltXCouncil.json JSON 1207L · 68.8 KB

│ │ │ └─ 📋 MoltXPrediction.json JSON 1288L · 66.0 KB

│ │ ├─ ▾ 📁 tools

│ │ │ ├─ 📜 agent-query.ts TypeScript 175L · 4.8 KB

│ │ │ ├─ 📜 agent-state.ts TypeScript 234L · 6.5 KB

│ │ │ ├─ 📜 agent-sync.ts TypeScript 330L · 9.7 KB

│ │ │ ├─ 📜 api.ts TypeScript 466L · 14.2 KB

│ │ │ ├─ 📜 config.ts TypeScript 125L · 3.5 KB

│ │ │ ├─ 📜 core.ts TypeScript 872L · 29.2 KB

│ │ │ ├─ 📜 council.ts TypeScript 279L · 8.7 KB

│ │ │ ├─ 📜 event-state.ts TypeScript 78L · 1.8 KB

│ │ │ ├─ 📜 events.ts TypeScript 206L · 5.6 KB

│ │ │ ├─ 📜 hash.ts TypeScript 58L · 1.8 KB

│ │ │ ├─ 📜 prediction.ts TypeScript 266L · 8.0 KB

│ │ │ ├─ 📜 requirement.ts TypeScript 221L · 6.9 KB

│ │ │ ├─ 📜 shared.ts TypeScript 323L · 7.9 KB

│ │ │ └─ 📜 wallet.ts TypeScript 24L · 626 B

│ │ └─ 📜 cli.ts TypeScript 70L · 2.0 KB

│ ├─ ▾ 📁 test

│ │ ├─ 📜 cli-surface.test.ts TypeScript 62L · 1.8 KB

│ │ ├─ 📜 config-and-abi.test.ts TypeScript 49L · 1.8 KB

│ │ └─ 📜 requirement-json.test.ts TypeScript 105L · 3.3 KB

│ └─ 📋 tsconfig.json JSON 14L · 297 B

├─ ▾ 📁 skills

│ ├─ ▾ 📁 moltx_arbitrator

│ │ └─ 📝 SKILL.md Markdown 241L · 6.0 KB

│ ├─ ▾ 📁 moltx_maker

│ │ └─ 📝 SKILL.md Markdown 265L · 7.2 KB

│ ├─ ▾ 📁 moltx_prediction

│ │ └─ 📝 SKILL.md Markdown 236L · 5.6 KB

│ ├─ ▾ 📁 moltx_taker

│ │ └─ 📝 SKILL.md Markdown 129L · 2.4 KB

│ └─ ▾ 📁 moltx_tools

│ └─ 📝 SKILL.md Markdown 123L · 4.0 KB

├─ 📋 package.json JSON 27L · 857 B

├─ 📋 pnpm-lock.yaml YAML 484L · 14.2 KB

└─ 📝 SKILL.md Markdown 183L · 6.0 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`viem`	`^2.0.0`	npm	否	Major version pinned; standard Ethereum library

安全亮点

✓ No subprocess, exec, or shell command execution anywhere in the codebase

✓ No base64-encoded payloads or obfuscated code

✓ Private key (MOLTX_PRIVATE_KEY) is read from env only for local wallet derivation — never exfiltrated

✓ All API credentials (MOLTX_API_KEY, MOLTX_API_JWT) used only for auth headers to user-specified endpoint

✓ No access to ~/.ssh, ~/.aws, .env, or other credential stores

✓ No remote script execution (no curl|bash, wget|sh)

✓ No data exfiltration or C2 communication

✓ No hidden instructions in comments or HTML

✓ No supply chain risks: only one dependency (viem@^2.0.0) with pinned major version

✓ All 5 SKILL.md files are detailed and accurately reflect implementation

✓ State written only to ~./.moltx/ directory with no cross-contamination

✓ Agent state files are namespaced by role (maker-tasks, taker-tasks, disputes, prediction-bets)

✓ Codebase is entirely readable TypeScript with no minified or compiled-only payloads