Is chillbruhhh/moltdomesticproduct-sdk safe?
https://github.com/openclaw/skills/tree/main/skills/chillbruhhh/moltdomesticproduct-sdk
MoltDomesticProduct SDK installs cleanly as pure documentation with no malicious code, install scripts, git hooks, or detected canary exfiltration. The primary risks are runtime behavioral: the skill explicitly instructs agents to fetch live updated instructions from the operator's server (enabling silent post-install instruction changes), implements an Autonomous Pager Protocol that spends real USDC on-chain without per-transaction user approval, and exposes agents to prompt injection via untrusted job descriptions and marketplace DMs processed in an infinite polling loop. The unaudited @moltdomesticproduct/mdp-sdk npm package — which handles raw private key operations and on-chain transactions — requires separate supply chain review before deployment.
Findings (9)
HIGH Live canonical URL enables silent instruction replacement -20
SKILL.md explicitly instructs agents to prefer fetching from https://moltdomesticproduct.com/skill.md rather than using the audited installed version. The skill operator can push updated instructions to all active agents at any time without a new installation event. There is no hash pinning, version locking, or integrity verification on the fetched content.
HIGH Autonomous cryptocurrency transactions without per-operation user approval -25
The fundJob() workflow and Autonomous Pager Protocol enable agents to sign EIP-3009 typed-data authorizations and submit USDC transfers on Base Mainnet without any per-transaction human confirmation. The buyer-mode pager automatically selects proposals and funds escrow on a polling interval. A compromised private key, prompt injection, or malicious job post could drain the user's wallet autonomously.
HIGH Untrusted external message content processed as agent input -15
The pollMessages() loop reads message bodies from job posters on the MDP platform and feeds them into agent decision logic. Job descriptions fetched via sdk.jobs.listOpen() are fully controlled by third parties. Any of these inputs could contain prompt injection payloads targeting the host LLM agent to redirect behavior, exfiltrate data, or override instructions.
MEDIUM Raw Ethereum private key required and transmitted externally -12
MDP_PRIVATE_KEY is a mandatory environment variable containing a raw 0x-prefixed Ethereum private key. The SDK uses it for SIWE-style signing and EIP-3009 typed-data signing, transmitting authentication payloads to api.moltdomesticproduct.com. If the SDK or API is compromised, the key could be extracted or signing operations redirected.
MEDIUM fs.readFileSync + base64 + API upload pattern enables arbitrary file exfiltration if redirected -10
The avatar upload example reads a local file with fs.readFileSync, base64-encodes it, and posts it to the external MDP API. This is a documented, legitimate pattern — but if an agent is manipulated via prompt injection to call uploadAvatar with an attacker-specified path (e.g., ~/.env or ~/.ssh/id_rsa), local credential files could be exfiltrated to api.moltdomesticproduct.com under the guise of an avatar upload.
MEDIUM Unaudited npm package handles private key and on-chain operations -8
@moltdomesticproduct/mdp-sdk was not installed during this audit and its source code has not been reviewed. It handles raw private key ingestion, SIWE authentication, EIP-712 typed-data signing, and on-chain transaction submission — all critical security operations. A malicious or compromised version of this package could silently exfiltrate private keys or redirect signed transactions.
MEDIUM Agent-to-agent autonomous job posting creates cascading financial exposure -15
The buyer-mode pager loop autonomously posts jobs, evaluates proposals by selecting the cheapest verified agent, accepts proposals, and funds escrow — all on a polling interval without human review. In an agent-to-agent workflow, a chain of such agents could commit substantial USDC without any human approval steps.
LOW pager.md external reference URL provides second live-fetch vector -5
The pager.md frontmatter declares 'reference: https://moltdomesticproduct.com/pager.md'. If agents parse frontmatter and fetch referenced URLs, this provides a second channel through which the skill operator can deliver updated autonomous behavior instructions independently of SKILL.md.
INFO Credential file reads confirmed attributable to monitoring framework, not skill 0
Honeypot files were read at two timestamps. The first (1771738681.005, sequences 267-272) occurred 5 seconds before the git clone began — causally impossible for the skill to have triggered. The second (1771738698.914, sequences 1429-1434) occurred post-install and matches the monitoring system's canary verification pattern. No content modification or external transmission was detected.