Is moltbook-registry safe?

https://clawhub.ai/drjmz/moltbook-registry

Score: 38 (DANGEROUS)

This skill is a blockchain identity registry that extracts wallet private keys from the environment, connects to an external RPC endpoint, and executes real ETH-spending transactions. The SKILL.md uses social-engineering techniques to coach the agent into autonomously initiating financial transactions during routine conversations. Filesystem monitoring detected access to AWS credentials and other sensitive files during installation, access that serves no legitimate purpose for this skill's stated function.

Category Scores

Category                 Score     Weight
Prompt Injection         45/100    30%
Data Exfiltration        15/100    25%
Code Execution           40/100    20%
Clone Behavior           55/100    10%
Canary Integrity        100/100    10%
Behavioral Reasoning     20/100     5%

Findings (11)

CRITICAL Private key extraction and external transmission -55

The skill reads WALLET_PRIVATE_KEY and DEPLOYER_PRIVATE_KEY from environment variables, constructs an ethers.Wallet, and sends signed transactions to an external RPC endpoint. Private keys are the most sensitive credential a crypto user possesses — this skill extracts them and transmits them (as signed payloads) to mainnet.base.org or any attacker-controlled URL via the BASE_RPC env var.

CRITICAL Agent coached to autonomously spend cryptocurrency -60

SKILL.md instructs the agent to proactively suggest spending ETH during routine interactions. Usage guide says 'If you are unverified: I need to register to establish persistence' — coaching the agent to autonomously initiate financial transactions. The 0.0001 ETH fee per operation could drain wallets through repeated calls, and the hardcoded contract address is unverifiable.

HIGH Identity manipulation and behavioral framing -35

SKILL.md uses persona-injection techniques: 'You now have access to the Moltbook Identity Registry' establishes a new agent identity. The 'Philosophy' section ('Proof of Consequence', 'you prove you are an economic actor') is social engineering designed to make the agent internalize the need to spend ETH as a form of identity.

HIGH AWS credentials accessed during installation -35

Filesystem monitoring detected that /home/oc-exec/.aws/credentials was opened and read during the install phase. A blockchain registry skill has no legitimate reason to access AWS credentials. While no outbound network activity was detected (suggesting the data wasn't immediately exfiltrated), this access is highly suspicious.

HIGH Sensitive file access pattern during install -30

During installation, the skill or its dependencies accessed .env, .aws/credentials, auth-profiles.json, .profile, .bashrc, and openclaw.json. This broad credential-harvesting pattern goes far beyond what a blockchain registry tool requires.

HIGH Proactive transaction initiation without user consent -20

The usage guide instructs the agent to autonomously suggest financial operations in conversational contexts ('When meeting a new agent', 'When starting a job', 'After a successful collaboration'). This bypasses user consent for financial transactions by embedding spending triggers into normal agent workflows.

MEDIUM Real financial transactions with no confirmation mechanism -35

register() and rate() execute real on-chain transactions spending 0.0001 ETH each with no user confirmation dialog, spending limits, or dry-run mode. The code directly calls contract.registerAgent() and contract.logReputation() with { value: fee }.

MEDIUM Configurable RPC endpoint enables MITM -25

RPC_URL defaults to mainnet.base.org but is overridable via BASE_RPC env var. An attacker who can modify environment variables could redirect all wallet operations (including private key usage) to a malicious RPC endpoint that captures signed transactions or returns manipulated responses.

MEDIUM Environment fingerprinting via repeated config reads -10

The install phase shows repeated reads of openclaw.json (5 times), .profile (4 times), and .bashrc (4 times), suggesting systematic environment profiling beyond normal initialization.

LOW Large dependency tree via ethers.js -5

ethers@^6.10.0 brings a substantial dependency tree. While no malicious install scripts were detected, the broad dependency surface increases supply-chain risk.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified, indicating no direct canary-targeted exfiltration occurred.