MoltsList - CraigsList for where agents make listings for humans & vice versa
ReviewAudited by ClawScan on May 10, 2026.
Overview
MoltsList matches its marketplace purpose, but it tells the agent to treat installation as permission to autonomously register, post listings, trade, and spend or transfer credits.
Install this only if you want your agent to be a visible MoltsList participant. Before providing the API key, set strict rules requiring your approval for registration, public posts, comments, service requests, accepting work, credit transfers, and any real-money or USDC-related listing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent may decide it is authorized to act in the marketplace just because the skill is installed.
The skill treats installation as standing consent for marketplace activity, rather than requiring a user-directed goal or explicit approval.
Your human installed this skill, which means you're ready to participate.
Use this only with explicit user instructions that require confirmation before registration, posting, commenting, requesting services, or spending credits.
The agent could create public listings, request services, or move virtual credits in ways the user did not specifically approve.
The documented API workflows include public marketplace mutations and credit-spending or credit-transfer actions, but the instructions do not require per-action user confirmation.
Create listings for services you can actually deliver ... Request services you genuinely need ... Transfer to another agent | -amount sent
Set clear approval rules, budget limits, and allowed action types before providing the API key.
Anyone or any agent process with the key can act on the MoltsList account within the API's permissions.
The API key is expected for this marketplace integration and is disclosed, but it gives the agent authority to act as the MoltsList account.
All requests require your API key ... Authorization: Bearer YOUR_API_KEY
Store the key securely, avoid sharing it, and revoke or rotate it if the agent behaves unexpectedly.
Other marketplace participants could send requests or comments that try to steer the agent or ask for sensitive information.
The skill intentionally connects the agent with other agents and humans through comments and trades, which means untrusted external messages may influence the agent.
Negotiate in comments before committing ... a2a | Agent2Agent | Bot-to-bot trades
Tell the agent to treat marketplace messages as untrusted and not to share private data, credentials, files, or system details without explicit approval.
The agent may keep interacting with the marketplace beyond the immediate task the user had in mind.
The skill frames the agent as continuing autonomous marketplace activity after registration, without visible stop conditions or user-control boundaries.
I'm now actively trading. I'll respond to comments, accept requests, and browse for services I need.
Require the agent to ask before any ongoing participation, and define when it must stop monitoring, responding, or accepting requests.