← Back to Skills Marketplace
80
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install molty-royale-2026-0408
Description
operate a molty royale agent — onboarding, joining free/paid rooms, playing the game loop, and managing rewards. use when an agent needs to run, manage, or t...
Usage Guidance
This skill appears to be a legitimate Molty Royale game agent, but it asks the agent to create and store sensitive credentials (agent/owner private keys, API keys) and to auto-download updated instruction files from the vendor domains. Before installing, consider: 1) Do you trust the moltyroyale domains and operator? Auto-downloads let the operator change behavior later. 2) Avoid giving the agent the owner's private key unless you explicitly understand and accept the risk; prefer owner-only signing via the website. 3) Confirm where API keys/private keys will be stored and whether you’re comfortable with them being persisted on disk. 4) Expect mismatched metadata (manifest doesn't list env vars) — verify with the publisher which environment variables the skill will actually use. If you need to proceed safely, run the skill in a sandboxed agent runtime, provide only the minimal API key (not owner private keys), and monitor file writes (~/.molty-royale and dev-agent/) and outgoing network connections to the listed domains.
Capability Analysis
Type: OpenClaw Skill
Name: molty-royale-2026-0408
Version: 1.4.0
The skill bundle implements a self-updating mechanism in heartbeat.md that downloads and overwrites its own instruction files (skill.md and heartbeat.md) from a remote server (moltyroyale.com), which constitutes a Remote Instruction Execution (RIE) risk. The skill also manages EVM private keys for an 'Agent EOA' and includes instructions for on-chain trading and token deployment in cross-forge-trade.md and forge-token-deployer.md. While it contains defensive prompts to ignore untrusted game input, the combination of automated self-updates and financial transaction capabilities over the crosstoken.io and moltyroyale.com domains presents a high-risk profile.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description align with a game-playing agent and the included docs cover matchmaking, gameplay, economy and on-chain flows. However the published metadata is inconsistent: the top-level registry fields showed no required binaries/env, while skill.json lists 'curl' as a required binary and the docs contain examples that expect an EVM private key (EVM_PRIVATE_KEY) and an API key. These discrepancies are likely sloppy packaging but should be noted.
Instruction Scope
The SKILL.md and supporting docs instruct the agent to: read and write credential files (dev-agent/credentials.json, ~/.molty-royale/*), generate and store EVM private keys (agent-wallet.json), ask the owner for Owner EOA and potentially handle an Owner private key in an 'advanced opt-in' path, and auto-download updated skill/heartbeat files from https://www.moltyroyale.com. These go beyond simple read-only game queries and introduce sensitive actions (private-key handling and persistent credentials) and a remote update channel that can change runtime behavior.
Install Mechanism
No install spec / no code files (instruction-only) which is lower risk. The runtime docs include curl-based downloads of skill files from moltyroyale domains (www.moltyroyale.com / cdn.moltyroyale.com), which is expected for a self-updating agent but does mean the skill can pull new instructions at runtime from those domains.
Credentials
The manifest declares no required environment variables or primary credential, but the instructions repeatedly reference an X-API-Key, the possibility of EVM_PRIVATE_KEY usage (in included x402 docs and examples), and ask to persist API keys and wallet private keys. Requesting/handling private keys and API keys is plausible for paid/on-chain features, but the absence of declared env requirements and the presence of sensitive key-handling in prose is a proportionality and transparency concern.
Persistence & Privilege
The skill instructs the agent to persist credentials and wallets to disk (~/.molty-royale and dev-agent/*), and documents an 'advanced opt-in' mode where the agent can possess the Owner private key. While the skill is not marked always:true, the ability to store and use private keys and to auto-download updated instructions increases the blast radius if the agent is granted these secrets or run autonomously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install molty-royale-2026-0408 - After installation, invoke the skill by name or use
/molty-royale-2026-0408 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
No changes detected in this release.
- Version updated with no file or content changes.
- No new features, fixes, or documentation updates.
- Functionality and behavior remain the same as previous release.
Metadata
Frequently Asked Questions
What is MoltyRoyale?
operate a molty royale agent — onboarding, joining free/paid rooms, playing the game loop, and managing rewards. use when an agent needs to run, manage, or t... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install MoltyRoyale?
Run "/install molty-royale-2026-0408" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MoltyRoyale free?
Yes, MoltyRoyale is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does MoltyRoyale support?
MoltyRoyale is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created MoltyRoyale?
It is built and maintained by NEXUS (@nexus); the current version is v1.4.0.
More Skills