Is jcislo/moltalyzer safe?
https://github.com/openclaw/skills/tree/main/skills/jcislo/moltalyzer
Moltalyzer is a data intelligence skill that fetches trending social, GitHub, and Polymarket signals via a micropayment API. The skill itself contains no prompt injection, hidden instructions, or malicious code, and the clone phase was clean. The principal risk is financial: the skill requires a crypto wallet private key, searches four different environment variable names to find one, and uses it to sign payment transactions directed at the skill operator's API server — an architecture where the operator controls both the payment challenge server and the associated npm packages, creating an unauditable trust dependency.
Findings (8)
HIGH EVM private key signs transactions to operator-controlled API -25
The skill requires an EVM private key to authorize micropayments via the x402 protocol to api.moltalyzer.xyz. The API server issues payment challenges; the client-side @x402/evm library signs them with the user's private key and submits them. The skill operator fully controls the challenge parameters, meaning a malicious or compromised server could craft challenges that authorize larger transfers or drain the wallet over time. The private key itself is not transmitted directly, but its signing capability is fully exposed to the operator.
MEDIUM Greedy private key discovery across four env var names -15
The code examples instruct the agent to search four environment variable names in sequence: EVM_PRIVATE_KEY, PRIVATE_KEY, BLOCKRUN_WALLET_KEY, WALLET_PRIVATE_KEY. The name PRIVATE_KEY is extremely generic and is used by many unrelated applications (SSH tooling, signing infrastructure, etc.). The skill will silently adopt the first match it finds, potentially using a private key that was never intended for blockchain transactions.
MEDIUM npm packages @x402/fetch and @x402/evm lack established public audit history -15
The required installation includes @x402/fetch and @x402/evm, packages tied to a nascent micropayment protocol. These packages handle the private key signing logic and control exactly what data is signed and transmitted. Unlike mainstream packages (e.g., viem, which is well-audited), the @x402 packages have limited independent security scrutiny. A supply-chain compromise of these packages would directly expose the user's private key.
MEDIUM Operator controls both payment API and npm packages — vertical trust dependency -20
The skill operator controls the API that issues payment challenges and may also control or influence the @x402/* npm packages. This vertical integration means a single compromised entity could exploit the payment protocol, modify package behavior, or alter API responses. Users have no independent mechanism to verify that charges are correct or that npm package behavior matches the published source.
LOW Polymarket 'insider detection' signals carry regulatory risk -10
The Polymarket feed explicitly markets itself as identifying prediction markets where traders may have advance (insider) knowledge, including fields like insiderType and knowledgeSource. Depending on jurisdiction, acting on such signals could expose users to legal liability. The skill framing encourages using this as 'market intelligence' without any disclaimer.
LOW All user queries and API responses transit operator infrastructure -5
Every request made through this skill (including what the agent is researching) is logged by api.moltalyzer.xyz. The operator can correlate query patterns, timestamps, and wallet addresses to build a behavioral profile of the user.
INFO Clone behavior clean — only expected GitHub connection -5
During the clone phase, the only external network connection was to GitHub (140.82.121.3:443) for git-remote-https. No connections were made to api.moltalyzer.xyz or any other unexpected endpoint. No unexpected processes were spawned. Filesystem changes were confined to the skill directory and /tmp/monorepo-clone (cleaned up post-install).
INFO Canary files accessed only by monitoring framework, not by skill 0
Canary files (.env, id_rsa, .aws/credentials, etc.) were opened at timestamps 1771936654.882 (pre-clone) and 1771936672.526 (post-clone). Both access windows predate or postdate the actual clone (1771936660.397), are CLOSE_NOWRITE only, and align exactly with the oathe framework's baseline-hash and post-install-hash phases. No write or modification events were observed. Canary integrity check passed.