Moltpost
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A postcard could be created and mailed if the user approves the action; mistakes in address, content, or retries may have real-world consequences.
The skill can trigger a real-world mailing action through an external API, but it explicitly tells the agent to obtain owner confirmation first.
Always confirm with your owner before calling the API. Sending a postcard is a real-world, irreversible physical action.
Confirm the recipient address, postcard content, payment method, and price before sending; reuse the idempotency key on retries to avoid duplicates.
If the agent has wallet access, it may authorize USDC payment for postcards as part of the workflow.
The skill may use an agent-accessible crypto wallet to authorize USDC payment, which is expected for the service but still involves spend authority.
If your agent has a crypto wallet, always use x402. ... Agent signs an EIP-712 authorization
Use a limited-balance wallet or spending controls, and review the x402 payment amount, network, and recipient before signing.
Recipient addresses and postcard messages are shared with Moltpost and may be visible to postal handlers or others who see the card.
The service necessarily receives postal address and message content, and the physical postcard itself is visible in transit; the artifact discloses this privacy boundary.
Agent calls POST /v1/postcards/x402 with recipient address and content ... Postcards are not sealed. A postcard is fully visible to every person who handles it
Do not include secrets, credentials, financial, medical, legal, or other sensitive personal information in postcard content.