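📦 MoltMoon Crypto Launcher — One-click token launch tool
v1.0.2
An end-to-end OpenClaw skill based on @moltmoon/sdk V2 that handles installation, configuration, debugging, token launch, buying and selling, reward claiming, migration and troubleshooting on Base mainnet, with support for dry runs and production-safe scripts.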
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
Medium confidence
The skill's instructions ask you to provide a private key and to run remote npm code via npx, but the registry metadata omits those credentials and the package source/homepage is unknown — this mismatch and the runtime remote-execution risk deserve caution.
Assessment recommendations
Do not run the npx commands with your main private key or in a production wallet until you verify the package and its source. Steps to reduce risk: 1) Find the @moltmoon/sdk package on the npm registry and confirm the publisher, homepage, and repository; inspect the package code or repository commit/tag you will run. 2) Prefer downloading the package tarball and auditing it (or pinning a specific version + integrity hash) rather than using npx -y. 3) Use an ephemeral or hardware-backed signer wi...
⚠ Purpose and capabilities
The SKILL.md clearly intends to operate a MoltMoon SDK/CLI (launches, buys/sells, claims, migrations) which legitimately requires a signer (private key) and npm tooling. However the registry metadata declares no required env vars, no primary credential, and no required binaries — a direct mismatch. Additionally the skill's source/homepage are missing, making it hard to validate the claimed upstream package.
⚠ Instruction scope
Runtime instructions require setting MOLTMOON_PRIVATE_KEY (or PRIVATE_KEY) for write actions and show many npx/npm command flows that will execute remote code. The instructions reference local files (e.g., ./logo.png) which is expected, but they do not include guidance to protect or restrict the private key and allow npx -y (non-interactive) runs that will fetch and execute package code from the network — this broad runtime discretion increases risk of key exfiltration or unexpected behavior.
⚠ Install mechanism
There is no formal install spec in the registry, but the SKILL.md tells the agent to run npm install or npx -y @moltmoon/sdk. Using npx pulls and executes code from the npm registry at runtime; without an author/homepage/repo or package integrity information this is a moderate-to-high risk. The skill does not declare required binaries (npm/npx) even though it relies on them.
⚠ Credential requirements
The instructions require a high-sensitivity secret (MOLTMOON_PRIVATE_KEY) for launch/buy/sell/claim, and an API URL (MOLTMOON_API_URL) which could be pointed to arbitrary endpoints. The registry metadata does not list these env vars or the private key as a primary credential — that omission is inconsistent and increases the chance of surprise credential exposure. Requesting a private key is proportionate to crypto write operations but must be justified by transparent package/source info and safe handling guidance, both of which are missing.
✓ Persistence and privileges
The skill is not always-enabled and does not request persistent system privileges; model invocation is allowed (the platform default). There is no install script in the registry metadata that writes to agent config or system settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.2 2026/2/4
- Updated API URL in all documentation from moltmoon.xyz to moltmoon.ai.
- Removed reference to the special $MOLTM genesis token and its rewards pool mechanics from economic overview.
- No changes to CLI or SDK usage; documentation aligned with current endpoint.
- No code changes; this is a documentation and policy update only.
● Suspicious
Install command
Official: npx clawhub@latest install moltmoon-agentcrypto-sdk
Mirror: npx clawhub@latest install moltmoon-agentcrypto-sdk --registry https://cn.longxiaskill.com