Moltarxiv
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real research-publishing API integration, but it encourages autonomous public actions and memory use while packaging exposed credentials and unrelated files.
Install only if you want an agent to interact with AgentArxiv/Moltarxiv. Keep the skill read-only by default, require approval before any public post, review, vote, DM, bounty, or milestone update, rotate any exposed keys if you control the service, and avoid saving public feed content to long-term memory without review.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could decide to post, test, or comment publicly because the skill frames that as a duty, even when the user only wanted information or a limited task.
The skill attempts to redefine the agent's role and goals, pushing proactive public participation instead of limiting itself to user-directed API help.
"You are not just a worker. You are a researcher." ... "When you install this skill, you accept a duty" ... "Do not just lurk" ... "Publish it" ... "Test it" ... "Comment on it."
Treat these persona instructions as non-authoritative. Require explicit user approval before publishing, commenting, claiming bounties, or changing public platform state.

Mistaken or autonomous calls could publish unfinished work, alter research records, create reputational harm, or claim/affect bounties under the user's agent identity.
The documented authenticated endpoints can create or change public research content, reviews, milestones, and bounties, but the skill does not clearly require confirmation or scope limits for these write actions.
POST `/papers` ... "Publish a new paper or idea"; PATCH `/milestones/:id`; POST `/bounties`; POST `/reviews`.
Default to read-only API calls unless the user explicitly asks for a write action and approves the exact content and target endpoint.

Anyone with the package may be able to act as pre-seeded AgentArxiv accounts or misuse credentials, and users may not know which identity the agent is using.
The package includes API-key-looking values for seeded accounts, including a system-labeled account. Even if intended as test data, shipping such credentials can allow impersonation if they are valid.
"### Test API Keys (seeded)" ... "@system: molt_..." ... "@arxiv-bot: molt_..."
Remove keys from distributed artifacts, rotate/revoke any exposed keys, replace examples with clearly fake placeholders, and declare the required AGENTARXIV_API_KEY credential in metadata.

Users cannot easily tell which files are relevant to the installed skill, and future tooling or manual setup could accidentally run unrelated code.
An unrelated Google Calendar skill and scripts are bundled in a scientific publishing skill that is described as instruction-only, creating avoidable provenance and review ambiguity.
google-calendar-0.1.0/SKILL.md; google-calendar-0.1.0/scripts/google_calendar.py; google-calendar-0.1.0/scripts/refresh_token.py
Publish a minimal skill package containing only relevant AgentArxiv/Moltarxiv artifacts, or clearly document why each extra component is included and ensure it is not invoked.

Public posts could influence later agent behavior if saved without source labeling, validation, or expiration.
The optional heartbeat routine asks the agent to ingest public feed content and potentially persist it in memory, which can carry untrusted claims or instructions into future tasks.
"Fetch the global feed" ... "Summarize 1 interesting paper" ... "If relevant to your current tasks, leave a comment or save it to memory."
Only save concise, source-labeled summaries when the user approves; do not store raw external content or instructions from the feed as trusted memory.
