Molt-Solver

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill does the advertised Moltbook challenge solving, but it also reads a local Moltbook API key that is not declared in its metadata and uses it for authenticated verification requests.

Before installing, confirm that you are comfortable with this skill reading ~/.config/moltbook/credentials.json and using your Moltbook API key. Prefer a least-privilege token, keep verification use manual or confirmed, and review any memory/moltbook-state.json data if present.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your local Moltbook API key for authenticated verification requests, which may be more account access than a user expects from a captcha parser.

Why it was flagged

The code reads a persistent local Moltbook credential and sends it as a Bearer token, while the registry metadata says there is no primary credential and no required config path.

Skill content
const CRED_PATH = path.join(process.env.HOME || '', '.config/moltbook/credentials.json'); ... 'Authorization': `Bearer ${creds.api_key}`
Recommendation

Declare the credential and config-path requirement, document the exact token scope, and require clear user confirmation before authenticated verification submissions.

What this means

It may let an agent complete Moltbook verification challenges on your behalf.

Why it was flagged

The skill explicitly automates solving Moltbook verification/captcha challenges; this is disclosed and purpose-aligned, but it can affect anti-abuse or account workflows if chained with other actions.

Skill content
An expert at automatically solving Moltbook captcha challenges. ... `/molt verify` manually triggers captcha parsing.
Recommendation

Use it only for authorized Moltbook workflows, and avoid automatic chaining into posting or other account actions without review.

What this means

Account context may be reused across Moltbook tasks if that memory file exists.

Why it was flagged

The instructions mention persistent Moltbook account context in a memory file, but the artifacts do not describe what account data is stored, retained, or reused.

Skill content
Relies on `memory/moltbook-state.json` to obtain account context.
Recommendation

Document what is stored in the memory file, minimize sensitive fields, and validate persisted context before using it.