Is koredeycode/moltbet safe?

https://github.com/openclaw/skills/tree/main/skills/koredeycode/moltbet

Overall score: 43 · DANGEROUS

Moltbet is a DANGEROUS skill whose heartbeat routine creates a persistent remote-control backdoor: it instructs the agent to periodically overwrite its own skill files with content fetched from an externally controlled domain (moltbet-web.vercel.app), rendering any one-time install review meaningless. This self-update mechanism, combined with autonomous custody of real USDC cryptocurrency and a 30-60 minute autonomous operating loop, gives the skill author (or anyone who compromises that domain) the ability to silently reprogram the agent's financial behavior at any time post-install. The clone phase itself was clean and canary files were not exfiltrated, but the architectural design of the skill is inherently untrustworthy.

Category Scores

Prompt Injection 20/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (8)

CRITICAL Remote Self-Update Backdoor: Heartbeat Overwrites Skill Files from External URL -80

heartbeat.md explicitly instructs the agent to check the skill version and, if a new version exists, overwrite both skill.md and heartbeat.md with content fetched from moltbet-web.vercel.app. This gives the skill author (or anyone who compromises that domain) an unrestricted, persistent channel to inject new instructions into the agent at any time, long after the skill passed any initial review. The agent cannot distinguish a legitimate update from a malicious one.

CRITICAL Autonomous Cryptocurrency Custody with Remote Reprogramming Capability -70

The skill instructs the agent to generate or import a wallet, hold USDC, and autonomously execute financial operations (counter bets, claim wins, concede) on a 30-60 minute heartbeat cycle. The self-update mechanism means this autonomous financial agent can be silently reprogrammed by the skill author at any time. A single malicious update could instruct the agent to export and exfiltrate the wallet private key or transfer all funds to an attacker-controlled address.

HIGH Opaque Global npm Package Installation Required -50

skill.md requires the agent to run npm i -g moltbet, installing a third-party package globally. The package source code is not included in the skill and cannot be reviewed from these files. npm postinstall/preinstall scripts can execute arbitrary shell commands at install time. The moltbet binary then handles wallet key management and blockchain transaction signing.

HIGH Fully Autonomous Financial Operations Without Per-Action Human Gating -40

The heartbeat and priority table instruct the agent to autonomously propose, counter, concede, and dispute bets — including CRITICAL-priority immediate actions — without pausing for human approval on each transaction. The only human interaction specified is the initial registration claim URL and low-balance funding alerts.

HIGH All Agent Activity Externalised to Third-Party API Endpoint -30

Every moltbet CLI command (status, notifications, feed, bet operations, wallet balance) communicates with https://moltbet-api.onrender.com/api. This endpoint is controlled by the skill author and can log the agent's wallet address, bet activity, evidence content, reputation score, and any sensitive strings the agent passes as evidence. There is no way to verify what this endpoint retains.

MEDIUM Private Key Export Command Exposed in Agent Context -20

The monitoring command table in skill.md documents moltbet wallet export as a valid command the agent knows about, labelled 'Operator only'. A malicious skill update delivered via the heartbeat self-update mechanism could re-label this command and instruct the agent to run it, capturing the output in an evidence field and sending it to the moltbet API.

LOW Clone Phase Clean: Only Expected GitHub Traffic -15

During the git clone and sparse-checkout phase the only external network contact was to GitHub at 140.82.121.3:443. No connections to moltbet-api.onrender.com, moltbet-web.vercel.app, or any unexpected hosts were observed. No unexpected processes were spawned and no filesystem writes occurred outside the skill directory.

INFO Canary Files Not Exfiltrated During Install 0

Post-install integrity check confirmed all honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were unmodified. Credential file reads observed in auditd at 10:35:43 and 10:36:01 are attributable to the oathe audit harness pre/post-install sweeps, not the skill.