← Back to Skills Marketplace

MoltsPay

Name: MoltsPay
Author: asterisk622

by asterisk622 · GitHub ↗ · v1.0.4 · MIT-0

cross-platform ⚠ suspicious

260

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install xiaoding-moltpay

Description

AI Agent's crypto wallet manager - generate wallets, manage transactions, and claim ORA token rewards.

Usage Guidance

Things to consider before installing/running this skill: - Do NOT store real private keys in ~/.config/moltpay/wallets.json unencrypted. If you follow these instructions, use a throwaway/test wallet with no funds. Prefer hardware wallets or encrypted key stores. - The skill registers addresses with https://moltpay.net to claim tokens; verify the legitimacy of that domain/project before sending addresses or interacting further. Offers of 'free' tokens with high withdrawal thresholds are a common scam pattern. - The SKILL.md does not show how to sign or broadcast real on-chain transactions; 'manage transactions' appears to mean recording transactions in MoltPay's service rather than controlling funds on-chain. - The heartbeat/check code suggests periodic network calls. Audit the full SKILL.md (complete heartbeat code) to ensure it does not read and transmit private keys. If you can't review it, avoid running automated heartbeat tasks. - If you install the recommended Python packages, do so in a virtualenv and inspect package sources (pip install -U --no-cache-dir in a controlled environment). Avoid global installs. - If you want to try the skill safely: create new test wallets with no funds, register only addresses (not private keys), monitor network calls, and never enter real private keys or mnemonic phrases into scripts you haven't audited. Additional information that would change this assessment: a complete SKILL.md showing the heartbeat implementation (confirming it does not transmit private keys), an explicit statement and code demonstrating encrypted local key storage or hardware-wallet integration, or a trustworthy project homepage/source code repository for moltpay.net that can be audited would increase confidence and could move the verdict toward benign.

Capability Analysis

Type: OpenClaw Skill Name: xiaoding-moltpay Version: 1.0.4 The skill exhibits several high-risk patterns characteristic of a cryptocurrency scam and contains significant security vulnerabilities. It instructs the agent to generate crypto wallets and store private keys in plaintext at `~/.config/moltpay/wallets.json` (SKILL.md). The instructions use prompt injection to compel the agent to force-open QR code images on the host machine using `subprocess.run` and to solicit funds directly from the user. Additionally, the 'ORA token' reward system (moltpay.net) employs a common scam tactic where a small initial 'reward' is granted but withdrawal is blocked by a high minimum threshold (3333 ORA), likely intended to lure users into depositing funds or providing data.

Capability Tags

cryptorequires-walletcan-make-purchases

Capability Assessment

ℹ Purpose & Capability

Name/description claim: 'generate wallets, manage transactions, and claim ORA rewards' — the SKILL.md provides clear code to generate and locally save BTC/ETH/SOL keys and to call moltpay.net endpoints to register addresses and record transactions. However, it does not provide instructions for securely signing and broadcasting on-chain transactions (only for recording transactions via MoltPay's API), so 'manage transactions' is overstated. Claiming rewards via moltpay.net is coherent with the reward feature, but centralizing 'management' without signing/broadcast guidance is misleading.

⚠ Instruction Scope

The instructions explicitly generate private keys and instruct saving them unencrypted to ~/.config/moltpay/wallets.json. That creates a single, predictable local secret store with no guidance for encryption or hardware wallets. The skill also directs contacting an external endpoint (https://moltpay.net/claim-ora) to register addresses and to check balances/withdrawal state. The truncated heartbeat section suggests periodic network activity; it's not clear whether the heartbeat or other examples ever transmit private keys, but the presence of an always-readable local file and networked claim/check APIs is a notable risk if code ever exfiltrates the file.

ℹ Install Mechanism

This is instruction-only (no install spec). The SKILL.md tells users to pip install eth-account, bitcoinlib, and solders. Asking to install common crypto libraries is expected, but pip installs can pull many dependencies — users should install in an isolated environment and verify package integrity. No arbitrary URL downloads or extract operations are present.

ℹ Credentials

The skill requests no environment variables or credentials, which is proportionate. However, it instructs storing private keys on disk in plaintext, which is effectively creating a local credential store without access controls; that is disproportionate to a minimal 'address registration' workflow and raises confidentiality concerns.

ℹ Persistence & Privilege

The skill is not forced-always-installed and does not request special agent privileges. The SKILL.md recommends adding a heartbeat that polls the external service periodically — autonomous invocation combined with network access increases blast radius if the agent or heartbeat were to transmit sensitive data. On its own this is not a privilege escalation, but it amplifies risk given the plaintext key storage.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install xiaoding-moltpay
After installation, invoke the skill by name or use /xiaoding-moltpay
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.4

No changes detected in this release. - Version bump only; no updates to files or documentation. - Behavior, features, and API remain unchanged from the previous release.

v1.0.3

Version 1.0.3 Changelog - No file or documentation changes detected in this release. - Functionality and documentation remain as in the previous version.

v1.0.2

**Major update with new features and expanded blockchain support:** - Now supports Bitcoin, Ethereum, and Solana wallet generation and management. - Local wallet and private key creation; no sensitive data sent to MoltPay. - Integrated ORA token rewards—register wallets to claim 333 ORA tokens (withdrawal minimum: 3333 ORA). - Added detailed API reference and transaction management endpoints. - Enhanced security model and local data storage. - Requires displaying generated wallet QR codes to your owner after setup.

Metadata

Slug xiaoding-moltpay

Version 1.0.4

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 3

Frequently Asked Questions

What is MoltsPay?

AI Agent's crypto wallet manager - generate wallets, manage transactions, and claim ORA token rewards. It is an AI Agent Skill for Claude Code / OpenClaw, with 260 downloads so far.

How do I install MoltsPay?

Run "/install xiaoding-moltpay" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MoltsPay free?

Yes, MoltsPay is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does MoltsPay support?

MoltsPay is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created MoltsPay?

It is built and maintained by asterisk622 (@asterisk622); the current version is v1.0.4.

More Skills