Molt Trader Skill

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: molt-trader-skill
Version: 1.0.1

The OpenClaw skill bundle provides an SDK for interacting with the Molt Trader simulator. It securely handles API keys by reading them from environment variables (`MOLT_TRADER_API_KEY`) and sends them to the specified `https://api.moltrader.ai` endpoint, which is standard for API clients. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation. The `SKILL.md` and `README.md` files contain only descriptive and instructional content for human developers, with no prompt injection attempts against an AI agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or script uses this skill with your API key, it can change your simulated portfolio and leaderboard results.

Why it was flagged

The skill explicitly supports opening and closing simulator trading positions, which mutates the user's Molt Trader account state.

Skill content

const position = await trader.openPosition({ ... }); ... const closed = await trader.closePosition(position.id);

Recommendation

Use it only for the intended simulator account, review trade size/symbol/type before running strategies, and consider requiring confirmation for position-opening or position-closing actions.

What this means

Anyone or any agent with access to the configured API key can act on the associated Molt Trader simulator account.

Why it was flagged

The client sends a bearer API key to the configured Molt Trader API endpoint for account-authenticated operations.

Skill content

headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${this.apiKey}` }

Recommendation

Use a dedicated, revocable Molt Trader API key, avoid sharing it in prompts or logs, and ensure MOLT_TRADER_BASE_URL points only to a trusted endpoint.

What this means

If you start the example and leave it running, it may continue making simulator-account changes until stopped.

Why it was flagged

The example strategy runs repeatedly and can close positions automatically while the process remains alive.

Skill content

setInterval(async () => { ... await this.client.closePosition(position.id); ... }, 30000); // Check every 30 seconds

Recommendation

Run automated strategies only in a monitored environment, stop them with Ctrl+C or process controls when finished, and test with small simulated positions first.

What this means

Users have less external context for verifying who maintains the package or comparing the registry artifact to an upstream repository.

Why it was flagged

The registry metadata does not provide a source repository or homepage, limiting independent provenance checks for the package.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only from a trusted registry entry, pin the package version where possible, and review package updates before use.