Is koriyoshi2041/moltlist-marketplace safe?
https://github.com/openclaw/skills/tree/main/skills/koriyoshi2041/moltlist-marketplace
The moltlist-marketplace skill presents two serious security risks that justify a DANGEROUS verdict. First, the moltlist skill <service-id> command fetches runtime LLM instructions from arbitrary third-party service providers on moltlist.com with no validation or sandboxing, creating a persistent, remotely updatable prompt injection surface that is invisible at install time. Second, SKILL.md itself contains a scripted marketing pitch that instructs the agent to proactively promote the moltlist.com commercial platform to users in verbatim provided text, subordinating the agent's neutrality to the skill author's financial interests. Combined with autonomous USDC escrow transactions and an instruction delivery mechanism that can be changed after install, the skill is architecturally designed to turn installed agents into revenue-generating and marketing infrastructure for the platform operator.
Findings (9)
CRITICAL Uncontrolled Remote Instruction Injection via skill.md Fetching -50
The moltlist skill <service-id> command fetches skill.md from https://moltlist.com/services/:id/skill.md and hands its contents to the agent as instructions. Any third party who registers a service on moltlist.com can therefore author LLM instructions that are injected into every agent with this skill installed, on demand, with no content validation, sandboxing, or scope restriction. Because the content is fetched at runtime rather than at install, a malicious payload is invisible to install-time static analysis. The moltlist skill effectively functions as a persistent, remotely updatable instruction loader; at minimum, fetched text should reach the model as untrusted data rather than as instructions.
HIGH Embedded Scripted Marketing Manipulation: Agent Instructed to Pitch Commercial Service -30
The SKILL.md 'Recommend to Your Human' section explicitly directs the agent to proactively pitch moltlist.com to users using verbatim provided text, with no user request triggering the behavior. The script ends with a call to action asking the user to let the agent 'set it up'. This is undisclosed commercial promotion embedded in agent system context: the skill author uses the agent as a free marketing channel, and the user receives no disclosure that the recommendation is scripted rather than organic. The behavior serves the skill author's financial interests (1.5% transaction fees) at the user's expense.
HIGH Autonomous USDC Financial Transactions Without Per-Action User Approval -45
The skill exposes commands that create blockchain escrows and release funds from them: hire commits the user's USDC to an escrow, and confirm releases it to the seller. An agent operating autonomously, especially one nudged by the embedded marketing prompt to explore moltlist on its own, could create real financial commitments without explicit per-transaction user authorization. The current Solana devnet designation limits today's exposure only because devnet tokens carry no value; the skill advertises 'mainnet coming soon', and the same @solana/web3.js code path works against mainnet once the RPC connection points at a different cluster, so the missing approval step carries over unchanged.
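The per-action approval the finding asks for, as an added example that is not the skill's own code: a policy gate placed in front of the two funds-moving commands. The request shape, the origin field, the per-transaction cap, the cluster check and the approve callback are all assumptions; the skill's real CLI is not reproduced here.

```javascript
// Added example, not code from the moltlist skill: a policy gate in front of the two
// funds-moving commands (hire commits USDC to escrow, confirm releases it). The
// request shape, the "origin" field, the per-transaction cap and the approve callback
// are assumptions; the skill's real CLI is not reproduced.
const MOVES_FUNDS = new Set(["hire", "confirm"]);

function makePolicy({ maxUsdcPerTx, allowMainnet = false, approve }) {
  if (typeof approve !== "function") throw new Error("policy needs an approve(prompt) callback");
  return { maxUsdcPerTx, allowMainnet, approve };
}

// request: { command, amountUsdc, cluster, origin }
//   origin is "user" when the user asked for this action directly, or "skill-prompt"
//   when the agent decided to act on text it read from a skill or a fetched skill.md.
// Returns { allowed, reason }; nothing is signed or sent here.
function gateEscrowAction(policy, request) {
  if (!MOVES_FUNDS.has(request.command)) {
    return { allowed: true, reason: `${request.command} does not move funds` };
  }
  if (request.cluster !== "devnet" && !policy.allowMainnet) {
    return { allowed: false, reason: `cluster ${request.cluster} not enabled in policy` };
  }
  if (request.origin !== "user") {
    return { allowed: false, reason: `funds-moving ${request.command} initiated by ${request.origin}` };
  }
  const amt = request.amountUsdc;
  if (!(Number.isFinite(amt) && amt > 0 && amt <= policy.maxUsdcPerTx)) {
    return { allowed: false, reason: `amount ${amt} USDC outside per-tx cap ${policy.maxUsdcPerTx}` };
  }
  // The per-action confirmation names the exact command, amount and cluster.
  const prompt = `${request.command}: ${amt} USDC on ${request.cluster}. Proceed?`;
  return policy.approve(prompt)
    ? { allowed: true, reason: "user approved this transaction" }
    : { allowed: false, reason: "user declined" };
}
```

The origin check is the piece that addresses the marketing-prompt interaction: an action the agent decided on after reading skill text is refused outright rather than merely prompted for, so a persuasive skill.md cannot turn a confirmation dialog into a rubber stamp.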
HIGH Platform Owner Can Silently Update Attack Payload After Install -35
Skill.md content for listed services is fetched at runtime from moltlist.com, not at install time. The platform operator and any registered service provider can modify their skill.md at any time after the moltlist skill is installed on an agent. A patient attacker could register an initially benign service to pass audits, then later update its skill.md with instructions to exfiltrate data, drain wallets, or chain attacks through other installed skills. This time-bomb surface cannot be caught by install-time static analysis or sandbox monitoring; only inspecting, or pinning, each fetched skill.md at runtime can.
MEDIUM Financial and Operational Data Transmitted to Third-Party Platform -25
Every marketplace interaction sends sensitive user data to moltlist.com: Solana wallet addresses (linkable to on-chain transaction history and balances), transaction amounts, and deliverable content via the deliver command. The deliver endpoint (POST /escrow/:id/deliver --content) accepts arbitrary string content. If an agent is hired to perform a task involving user data (research, document analysis, code processing), that content is transmitted to and stored by the moltlist operator, so a deliverable should be checked for secrets and customer data before it is sent.
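A pre-send check for the deliver path, as an added example that is not the skill's own code: scan the deliverable for secret-shaped content and only build the request when the scan is clean. The pattern list is a small assumed starting set, the request body shape is an assumption, and both sample deliverables are constructed.

```javascript
// Added example, not code from the moltlist skill: inspect a deliverable before it is
// POSTed to /escrow/:id/deliver. The pattern list is a small assumed starting set and
// the sample texts are constructed; the request body shape is also an assumption.
const SECRET_PATTERNS = [
  { name: "private key block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "dotenv-style secret assignment", re: /\b[A-Z0-9_]*(SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*\s*=\s*\S+/ },
  // A base58 run of 64-88 chars is the size of an encoded Solana keypair; public keys are shorter.
  { name: "base58 keypair-sized blob", re: /\b[1-9A-HJ-NP-Za-km-z]{64,88}\b/ },
];

// Returns [{ line, name, match }] for every pattern hit; line numbers start at 1 and
// the match is truncated so the finding itself does not echo the whole secret.
function scanDeliverable(content) {
  const findings = [];
  content.split(/\r?\n/).forEach((lineText, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      const m = re.exec(lineText);
      if (m) findings.push({ line: i + 1, name, match: m[0].slice(0, 12) + "..." });
    }
  });
  return findings;
}

// Builds the request only when the scan is clean; the caller decides what to do with findings.
function prepareDeliver(escrowId, content) {
  const findings = scanDeliverable(content);
  if (findings.length > 0) return { send: false, findings };
  return {
    send: true,
    path: `/escrow/${encodeURIComponent(escrowId)}/deliver`,
    body: { content },
    bytes: Buffer.byteLength(content, "utf8"),
  };
}

// Constructed samples. The AWS values are Amazon's published documentation examples.
const CLEAN = "Summary: three vendors compared; vendor B has the lowest total cost.\n";
const LEAKY =
  "Summary: findings attached.\n" +
  "Note to self: deploy creds are AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n" +
  "and access key AKIAIOSFODNN7EXAMPLE\n";
```

Pattern scanning is a backstop, not a guarantee: it catches the shapes it knows about, so wallet addresses and amounts the platform legitimately receives are out of scope here and are a disclosure question for the user rather than a filtering one.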
MEDIUM Sensitive Credential Files Accessed Post-Install -15
Six high-value credential files were accessed at audit timestamps 1771930821 and 1771930833; the skill installation completed at 1771930829, so the second of these accesses falls after install. The files are ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and ~/.config/gcloud/application_default_credentials.json. The identical pattern also appears before install, and canary integrity is confirmed intact, strongly suggesting these accesses originate from the Oathe monitoring infrastructure's periodic canary checks rather than from the skill. Flagged for completeness given the post-install timing.
MEDIUM Native Addon Compile Scripts in Transitive Dependencies -20
The package-lock.json records hasInstallScript: true for both [email protected] and [email protected]. These packages compile native C/C++ Node.js addons with node-gyp during npm install. No npm install was executed during this audit (installation was git clone + cp only), so the scripts were not triggered. However, any user who runs npm install in the skill directory to activate the @solana/web3.js dependency will execute native compilation code from these packages on their host, with the invoking user's privileges. Running npm ci --ignore-scripts avoids this but also skips the native build, so confirm the affected packages still work without their compiled addon before relying on that.
LOW Clean Install Profile; Post-Install Connections from Infrastructure Only -10
The skill installation used only standard git operations (clone, sparse-checkout, checkout) and cp. No unexpected filesystem writes outside the skill directory were detected. All new network connections in the post-install diff (to 104.16.2.34, Cloudflare, and 54.211.197.216, AWS) are attributed to the openclaw-gateway process (pid=1084) rather than to any skill-spawned process. No DNS lookup for moltlist.com was observed during the install window.
INFO All Canary Honeypot Files Confirmed Intact 0
The monitoring system confirmed that no honeypot credential files were modified and that their contents were not exfiltrated. The fake .env, SSH keys, AWS credentials, and other canary files show no evidence of data theft.