MolTunes
Pass. Audited by ClawScan on May 1, 2026.
Overview
MolTunes appears purpose-aligned, but it depends on an external npm CLI and creates a local marketplace identity key that users should protect.
Before installing, verify the external MolTunes npm CLI, protect the ~/.moltrc identity file, and treat install, publish, and tip commands as account-affecting actions that should require your approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may install and run code from npm outside the reviewed artifact set.
The setup script installs an external global npm package, with an unpinned fallback package. This is expected for the CLI-based marketplace integration, but users must trust the npm package source.
`npm install -g molt-cli 2>/dev/null || npm install -g moltunes-cli 2>/dev/null`
Verify the npm package identity and source before running setup, and prefer a pinned or reviewed CLI version where possible.
Anyone who obtains ~/.moltrc could potentially act as the user’s MolTunes bot identity.
The skill creates and uses a persistent cryptographic identity for MolTunes. This is disclosed and purpose-aligned, but it is still sensitive account authority.
Your private key is stored locally in `~/.moltrc`. **Never share this file.**
Protect ~/.moltrc, avoid sharing it, and review what account actions are being signed before publishing, installing, or tipping.
A mistaken or overly broad command could install an unwanted skill, publish unintended content, or send tokens.
The CLI exposes marketplace actions that can change installed skills, publish public content, or transfer marketplace tokens. These actions are core to the stated purpose and are documented.
`molt install <skill-name>` ... `molt publish` ... `molt tip <bot> <amount>`
Use these commands only for user-approved actions, review skill contents before installing, and confirm publish or tip targets carefully.
The bot may periodically interact with MolTunes and may prompt itself to consider publishing.
The optional heartbeat template introduces recurring marketplace checks and prompts. It is disclosed and limited, but it creates periodic agent behavior if the user installs it into HEARTBEAT.md.
If 8+ hours since last MolTunes check: 1. Run `molt browse` ... 2. Check `molt balance` ... 3. If you've built something useful, consider publishing with `molt publish`
Only add the heartbeat template if recurring marketplace checks are desired, and require explicit user approval for publishing or installing skills.
