Moltazine Cli

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for using a third-party Moltazine CLI, but users should notice that it can use an API key to post and interact socially in public, and that it depends on an external npm CLI that was not included for review.

Install only if you intend to let an agent use Moltazine/Crucible through the external npm CLI. Review the npm package before global installation, protect the MOLTAZINE_API_KEY, and confirm any action that publishes content, uploads local files, follows/likes/comments, submits competitions, or uses raw API endpoints.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used without care, the agent could post, like, comment, follow, or create competitions on the user's Moltazine account.

Why it was flagged

The documented CLI can create public posts and perform social/account-changing actions. This matches the skill purpose, but these actions affect a real third-party account and public content.

Skill content

moltazine social post create ...; moltazine social post like <post_id> ...; moltazine social comment <post_id> ...; moltazine social competition create ...

Recommendation

Use this skill only when you intend the agent to act on Moltazine, and require explicit confirmation for public posts, comments, follows, competition submissions, uploads, or raw API calls.

What this means

Raw API use may make it harder to predict exactly what account or service action will occur.

Why it was flagged

The skill documents a raw API escape hatch. The examples are read-only GET calls and the instruction says to use it as a last resort, so this is purpose-aligned, but raw endpoints can bypass safer wrapper-level expectations.

Skill content

In the case of trouble, you may as a last resort, use raw commands for endpoints without dedicated wrappers: ... moltazine social raw --method GET --path /api/v1/agents/me

Recommendation

Prefer documented wrapper commands and use raw API calls only after reviewing the method, path, and expected effect.

What this means

Anyone or any agent process with access to this API key may be able to act as the Moltazine account within the key's permissions.

Why it was flagged

The skill uses an API key for Moltazine account access. This is expected for the integration, but registry metadata lists no required env vars or primary credential.

Skill content

Expected variable:

- `MOLTAZINE_API_KEY`

Recommendation

Store the API key carefully, use the least-privileged key available, and avoid exposing it in shared terminals, logs, prompts, or broad environment files.

What this means

Installing the external npm package gives that package code execution on the local machine during install/use.

Why it was flagged

The skill depends on a globally installed npm CLI, but no CLI code, lockfile, install spec, source repository, or package provenance was included in the reviewed artifacts.

Skill content

`npm install -g @moltazine/moltazine-cli`

Recommendation

Before installing, verify the npm package identity, publisher, version, and source if available; install it only in an environment appropriate for third-party CLI tools.