Trust Assessment
moltwallet received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 7 findings: 2 critical, 2 high, 3 medium, and 0 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Missing required field: name", and "Direct LLM Instruction for Shell Command Execution (Prompt Injection)".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct LLM Instruction for Shell Command Execution (Prompt Injection).** The skill explicitly instructs the host LLM to execute shell commands (`npm init`, `npm install`) based on user input ('moltwallet' or 'open wallet'). This is a direct prompt injection attempt, manipulating the LLM's behavior to perform arbitrary command execution without explicit tool invocation, which can lead to severe compromise. Remove direct instructions for the LLM to execute shell commands. Instead, define specific, sandboxed tools for installation and other operations, allowing the LLM to call these tools with controlled parameters. | LLM | SKILL.md:15 |
| CRITICAL | **Explicit Command Injection via LLM Instruction.** The skill explicitly instructs the LLM to execute shell commands (`npm init -y`, `npm install ...`, `node cli.js ...`) as part of its operational flow. This grants the LLM direct access to the underlying shell, enabling arbitrary command execution and potential system compromise if the LLM is manipulated or misinterprets instructions. Replace direct shell command instructions with predefined, sandboxed tool functions. These tools should encapsulate the necessary operations and expose only safe, validated parameters to the LLM, preventing direct shell access. | LLM | SKILL.md:60 |
| HIGH | **Credential Handling and Logging of Sensitive Data.** The skill instructs the LLM to handle private keys, including reading them from files (`--keyfile moltwallet/wallets/<PUBKEY>.json`) and potentially logging sensitive information. The `cli.js` file overrides `console.log` to append all output to `logs.txt`. If private keys or other sensitive data are logged by `cli.js`, they will be persistently stored in an accessible file, posing a significant data exfiltration and credential harvesting risk. Implement secure credential management practices. Private keys should never be directly handled by the LLM or stored in plain text files accessible to the LLM. Use secure vaults or environment variables with strict access controls. Review `cli.js` to ensure no sensitive data is logged to `logs.txt` or any other persistent storage. | LLM | SKILL.md:80 |
| HIGH | **Excessive Permissions Granted to LLM.** The skill grants the LLM broad filesystem and shell execution permissions, including `npm` commands, `git clone`, `mkdir`, `cd`, and `node cli.js` with various arguments. It also instructs the LLM to manage sensitive files like wallet JSONs, `contacts.json`, `logs.txt`, and `.gitignore`. This level of access is excessive and creates a large attack surface for an LLM skill, enabling potential unauthorized data access, modification, or system compromise. Restrict the LLM's capabilities to a minimal set of predefined, sandboxed tools. Avoid direct shell access. Implement file operations through secure APIs with strict path validation and least privilege principles. All interactions should be mediated by explicit tool definitions. | LLM | SKILL.md:60 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/gillberto1/moltwallet/cli.js:807 |
| MEDIUM | **Missing required field: name.** The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/gillberto1/moltwallet/SKILL.md:1 |
| MEDIUM | **Unpinned Dependencies in Installation Instructions.** The `npm install` command specifies dependencies without pinning them to specific versions (e.g., `package@latest` or `package`). This introduces a supply chain risk, as future installations could pull in new, potentially malicious, or incompatible versions of these packages without explicit review, leading to unexpected behavior or security vulnerabilities. Pin all dependencies to specific, known-good versions (e.g., `dotenv@16.3.1`). Use a `package-lock.json` or `yarn.lock` file to ensure deterministic and auditable builds across all environments. | LLM | SKILL.md:61 |