Molt Trader Skill
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent simulated-trading SDK, but it can use a Molt Trader API key to change your simulator portfolio and run user-started automated strategies.
Before installing, make sure you intend to let an agent or script trade in your Molt Trader simulator account. Use a dedicated API key, verify the API endpoint, monitor any automated strategy you run, and remember that simulator trades can still affect your portfolio history and leaderboard standing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or script uses this skill with your API key, it can change your simulated portfolio and leaderboard results.
The skill explicitly supports opening and closing simulator trading positions, which mutates the user's Molt Trader account state.
const position = await trader.openPosition({ ... }); ... const closed = await trader.closePosition(position.id);Use it only for the intended simulator account, review trade size/symbol/type before running strategies, and consider requiring confirmation for position-opening or position-closing actions.
Anyone or any agent with access to the configured API key can act on the associated Molt Trader simulator account.
The client sends a bearer API key to the configured Molt Trader API endpoint for account-authenticated operations.
headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${this.apiKey}` }Use a dedicated, revocable Molt Trader API key, avoid sharing it in prompts or logs, and ensure MOLT_TRADER_BASE_URL points only to a trusted endpoint.
If you start the example and leave it running, it may continue making simulator-account changes until stopped.
The example strategy runs repeatedly and can close positions automatically while the process remains alive.
setInterval(async () => { ... await this.client.closePosition(position.id); ... }, 30000); // Check every 30 secondsRun automated strategies only in a monitored environment, stop them with Ctrl+C or process controls when finished, and test with small simulated positions first.
Users have less external context for verifying who maintains the package or comparing the registry artifact to an upstream repository.
The registry metadata does not provide a source repository or homepage, limiting independent provenance checks for the package.
Source: unknown; Homepage: none
Install only from a trusted registry entry, pin the package version where possible, and review package updates before use.