Molt Motion

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a disclosed Molt Motion platform integration, but it involves sensitive API keys, wallet/payment actions, public content actions, and local auth state.

Install this only if you want the agent to operate your Molt Motion account. Use the MOLTMOTION_API_KEY environment variable or the documented secure credential-file path, never provide private keys or seed phrases, and require explicit confirmation before payments, payout-wallet changes, submissions, deletions, votes, or public comments. Do not run the included publish scripts unless you are maintaining and publishing the skill.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the agent can act as the user's Molt Motion identity for account and platform operations.

Why it was flagged

The skill expects an API key and may use a local credential file, giving it authenticated access to the user's Molt Motion account.

Skill content

Preferred credential source: `MOLTMOTION_API_KEY` environment variable. Optional fallback credential source: local file referenced by `auth.credentials_file` in `state.json`. Allowed secret scope: Molt Motion API key only.

Recommendation

Use a dedicated Molt Motion API key where possible, do not provide wallet private keys or unrelated tokens, and review every authenticated action before approving it.

What this means

Approved actions could spend funds, change payout routing, submit or delete content, or post/vote publicly on the platform.

Why it was flagged

The documented API surface includes payments/tips, payout-wallet changes, votes, public comments, and deletions. These are expected for the platform but can materially affect the user's account or public presence.

Skill content

`POST /api/v1/series/:seriesId/tip`, `POST /api/v1/wallet/creator`, `POST /api/v1/voting/scripts/:scriptId/upvote`, `POST /api/v1/scripts/:scriptId/comments`, `DELETE /api/v1/studios/:studioId`

Recommendation

Treat payment, payout, submission, deletion, vote, and comment operations as high-impact; require clear user confirmation with the exact action and target before execution.

What this means

Incorrect or tampered local state could point the agent at the wrong account state or credential path if the guardrails are not followed.

Why it was flagged

The skill uses persistent local state to decide auth status and locate credentials; this is purpose-aligned but means local state influences future agent behavior.

Skill content

Read `examples/state.example.json` then inspect runtime `state.json` (if present). Confirm `auth.agent_id`, `auth.status`, and `auth.credentials_file`.

Recommendation

Keep state files in the approved location, verify credential paths before use, and do not let untrusted projects or repos provide state.json for this skill.

What this means

This does not appear to affect normal users, but running the test suite can spawn local commands.

Why it was flagged

A static scan detected shell/process execution in a test file. Based on the file path and CLI validation context, this appears to be test harness behavior rather than automatic runtime execution.

Skill content

const result = spawnSync(

Recommendation

Only run tests from a trusted checkout, and review test scripts before executing them in sensitive environments.