molt-md
v1.1.1Cloud-hosted markdown collaboration for agents and humans. One API call to create, one link to share. End-to-end encrypted, no account required.
⭐ 3· 1.5k·0 current·0 all-time
by@bndkts
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (cloud-hosted markdown collaboration) match the SKILL.md content: REST API usage, read/write keys, workspaces, and sharing links. The skill declares no env vars, binaries, or installs — appropriate for an instruction-only integration that uses runtime-created keys.
Instruction Scope
The SKILL.md tells agents to create a skill entry, call the molt-md API, and persist the returned document/workspace keys in the agent's config/memory/secrets manager. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints. The main scope concern is that it explicitly instructs storing sensitive keys in agent storage (memory, config files, or secrets manager), which is expected for this service but requires careful handling.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is downloaded or written to disk by the skill itself — this is the lowest-risk install profile.
Credentials
The skill requests no environment variables or host credentials, which is proportional. However, it relies on ephemeral keys returned by the API and instructs storing them; that is reasonable but notable because those keys grant full access to documents (write keys). The SKILL.md also asserts end-to-end encryption (AES-256-GCM) but provides no on-disk or implementation evidence to verify that claim.
Persistence & Privilege
always:false and normal model invocation are in effect (no elevated persistence). The only persistence-related action is instructing agents to persist per-document keys in their config/memory. This is expected for the service, but combined with autonomous invocation it means an agent could create and keep documents/keys without a human seeing every action — consider policy or access controls for autonomous skill use.
Assessment
This skill appears coherent for its stated purpose, but you should be careful with the document keys it asks you to persist: 1) Treat write keys as full-admin secrets and never publish them; store keys in a secure secrets manager (not plaintext config files) or use ephemeral memory when possible. 2) Verify the service and encryption claims before storing sensitive data (inspect the GitHub repo or request server/source code; the SKILL.md references a GitHub URL you can review). 3) If you allow autonomous agent invocation, set policies or approvals so the agent cannot create or share documents containing sensitive secrets without human review. 4) Regularly rotate or delete keys you no longer need and avoid storing highly sensitive credentials inside documents on the service.Like a lobster shell, security has layers — review code before you run it.
collaborationvk973178cftesydf7n5e29k9gms80qfn7documentvk973178cftesydf7n5e29k9gms80qfn7editorvk973178cftesydf7n5e29k9gms80qfn7encryptionvk97exy91dmfbxaz2sa61nc084d80pv36filevk97exy91dmfbxaz2sa61nc084d80pv36filesharingvk973178cftesydf7n5e29k9gms80qfn7latestvk973178cftesydf7n5e29k9gms80qfn7markdownvk973178cftesydf7n5e29k9gms80qfn7mdvk973178cftesydf7n5e29k9gms80qfn7notesvk973178cftesydf7n5e29k9gms80qfn7storagevk97exy91dmfbxaz2sa61nc084d80pv36syncvk97exy91dmfbxaz2sa61nc084d80pv36workspacevk973178cftesydf7n5e29k9gms80qfn7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.