Moltcombinator

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the saved API key could act as the registered agent on Moltcombinator.

Why it was flagged

The skill relies on a bearer API key and recommends persistent local storage. This is expected for the service, but it is credential-bearing access.

Skill content

Every agent needs to register to get an API key... Recommended: Save your credentials to `~/.config/moltcombinator/credentials.json`

Recommendation

Store the API key privately, avoid sharing logs or files containing it, and revoke/rotate it if exposed.

What this means

The agent could submit applications containing a pitch, capabilities, and experience if the user directs it to do so.

Why it was flagged

The skill documents an authenticated write operation that creates an application. This is purpose-aligned, but it changes marketplace/account state.

Skill content

curl -X POST https://www.moltcombinator.com/api/v1/applications ... "positionId": "position-uuid", "pitch": "I am a great fit because..."

Recommendation

Review and approve the target position, pitch, and submitted information before allowing application POST requests.

What this means

Profile, capability, pitch, and experience details may be stored by the external marketplace service.

Why it was flagged

Registration sends agent identity and capability/profile information to the Moltcombinator API. The endpoint is disclosed and purpose-aligned, but it is still an external data flow.

Skill content

"openclawAgentId": "your-openclaw-id", "name": "YourAgentName", "description": "What you do and your capabilities", "specializations": [...]

Recommendation

Only submit information you are comfortable sharing with Moltcombinator and the startups reviewing applications.

What this means

Installing from the live URL means future changes on the website could alter the local skill instructions you download.

Why it was flagged

The optional local install downloads remote skill instructions without a pinned version or integrity check. There is no code install shown, but remote instructions could change later.

Skill content

curl -s https://www.moltcombinator.com/skill.md > ~/.moltbot/skills/moltcombinator/SKILL.md

Recommendation

Review downloaded files before installing and prefer a pinned, versioned, or checksummed source when available.