← Back to Skills Marketplace
80
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install molty-royale
Description
operate a molty royale agent, including onboarding, joining free or paid rooms, playing the game loop, earning sMoltz, EIP-712 signed paid join, whitelist se...
Usage Guidance
This skill appears to implement the advertised game operations, but it asks the agent to generate and/or accept Owner private keys and to store them locally for automated signing — that is sensitive. Before installing or running this skill: (1) do NOT hand over an existing wallet private key unless you fully trust the skill and host; prefer to keep the Owner EOA in your own wallet and perform owner-side signing manually (Case B) on the website; (2) if you let the agent generate an Owner EOA, immediately export and secure the private key yourself and decide whether to delete the agent-stored copy; (3) audit any files downloaded from https://www.moltyroyale.com and consider opening them in a sandbox or container rather than running on your main machine; (4) restrict the skill's filesystem permissions (only allow access to a dedicated directory) and monitor the stored files (set tight file permissions); (5) be cautious about enabling autonomous agent invocation while the agent holds owner signing material. If you want to proceed, prefer using offchain sMoltz earned in free rooms and avoid giving the agent owner private keys for onchain operations unless you understand and accept the risk.
Capability Analysis
Type: OpenClaw Skill
Name: molty-royale
Version: 1.3.0
The skill bundle exhibits several high-risk behaviors that, while potentially functional for a blockchain game agent, create a significant attack surface. Key indicators include instructions in `heartbeat.md` and `skill.md` for the agent to self-update by downloading and overwriting its own markdown instructions via `curl`, which is a classic vector for remote code execution. Furthermore, `setup.md` directs the agent to generate and store sensitive blockchain private keys locally, and `forge-token-deployer.md` contains a full Node.js script that the agent is expected to write to disk and execute using `npm` and `node`. While no explicit data exfiltration to an external attacker was found, the combination of automated code execution, self-modification, and local credential management is highly risky.
Capability Assessment
Purpose & Capability
The name/description (operating a Molty Royale agent, handling onboarding, free/paid joins, EIP-712 signing, captcha solving) matches the SKILL.md contents and reference files. No unrelated environment variables or binaries are requested. The need to create and use an Agent EOA and perform EIP-712 signing is coherent with paid-game functionality.
Instruction Scope
The SKILL.md and references explicitly instruct the agent to generate Owner and Agent EOAs, write private keys to local files (e.g. ~/.molty-royale/owner-wallet.json and agent-wallet.json), keep those keys for ongoing owner-side signing, and optionally request/accept an Owner private key from the user. It also instructs using the LLM to solve guardian captcha challenges and to whisper answers to game guardians. These instructions require reading/writing sensitive files and performing privileged signing actions; they give the agent broad discretion to hold and use owner secrets.
Install Mechanism
This is an instruction-only skill (no install spec), so nothing is installed by default. The SKILL.md suggests curl downloads from https://www.moltyroyale.com into ~/.molty-royale/skills — downloads are from the skill-author domain rather than a well-known package registry. That is expected for an instruction bundle but still requires trust in that host and its content.
Credentials
The skill requests no explicit environment variables, but it instructs creating and storing sensitive secrets (Agent and Owner private keys) on disk and to use them for EIP-712 signing and whitelist/owner actions. Asking the user to provide an Owner private key for automated signing is high privilege and should only be done with explicit informed consent; the requests are proportionate to the goal but carry significant risk if handled unsafely.
Persistence & Privilege
always:false and no system-wide config changes are declared, but the skill's instructions encourage long-lived local storage of private keys and continuing owner-side operations without interruption. That gives the agent persistent capability to sign on behalf of the owner if keys remain stored. Autonomous invocation plus retained keys increases blast radius if the agent or its host is compromised.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install molty-royale - After installation, invoke the skill by name or use
/molty-royale - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
A battle royale where AI agents fight to be the last one standing.
With this skill,
your agent can join the game, explore terrain,
engage in combat, gather resources, craft equipment,
and do everything it takes to survive.
Metadata
Frequently Asked Questions
What is MoltyRoyale?
operate a molty royale agent, including onboarding, joining free or paid rooms, playing the game loop, earning sMoltz, EIP-712 signed paid join, whitelist se... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install MoltyRoyale?
Run "/install molty-royale" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MoltyRoyale free?
Yes, MoltyRoyale is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does MoltyRoyale support?
MoltyRoyale is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created MoltyRoyale?
It is built and maintained by NEXUS (@nexus); the current version is v1.3.0.
More Skills