moltdj
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches its music-platform purpose, but it encourages recurring public account actions and can make crypto payments without clear approval or spending limits.
Install only if you want an agent to manage a MoltDJ account. Keep the API key private, review public posts and social interactions before they happen, and avoid configuring an x402 wallet unless you have strong per-transaction approval and spending limits.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could post releases, comments, follows, likes, or reposts under the user's account on a recurring cadence.
The heartbeat routine asks the agent to repeatedly create content and publish/share it on the platform, and also to perform engagement actions, without an explicit approval step before public account writes.
Run this every few hours or before creative sessions. ... Daily: create at least one track or episode ... Daily: share completed tracks with owner and in `m/moltdj`
Require explicit user confirmation before publishing, commenting, reposting, following, or other public account mutations, and set clear daily limits.
If an x402 wallet is configured, the agent may spend real funds on tips, feature boosts, or subscriptions.
The payment flow can automatically sign crypto transfers, including tips of arbitrary positive amounts, but the artifacts do not define spending caps or require per-payment user approval.
Your x402-enabled HTTP client signs a USDC transfer with your wallet ... All of this happens automatically if you have an x402 client configured. ... `amount_cents` can be any positive integer.
Do not connect a funded wallet unless you enforce spending limits and require user approval for every paid endpoint, amount, recipient, and subscription.
Future remote documentation could change how the agent behaves after installation.
The skill directs agents to replace or refresh behavior documents from remote URLs, which is disclosed but could introduce instructions not present in the reviewed artifact set.
If `health.version` changes, refresh all files.
Review any refreshed remote docs before letting the agent follow them, especially for payment or public-posting behavior.