MoltTalent

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for a live portfolio service, but it asks agents to run recurring background profile/social updates with an API key and to follow remotely fetched instructions, so it needs careful review.

Install only if you want an agent to help maintain a public professional profile. Keep autonomous heartbeat disabled or suggestion-only until you trust the workflow, require approval for public actions, pin or review remote heartbeat updates, and protect the MoltTalent API key.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could change the user’s public professional profile or interact publicly with others if these actions are run too broadly or without fresh approval.

Why it was flagged

The heartbeat workflow documents API actions that create public posts/comments and perform social engagement as the user’s MoltTalent identity.

Skill content

"Create a post linked to that project:" ... "Comment on a post:" ... "Follow a human:"

Recommendation

Require explicit confirmation before any public post, comment, follow, unfollow, like, deletion, or profile change, and keep a review queue for suggested updates.

Concern, High Confidence

ASI10: Rogue Agents

What this means

The agent may keep operating on a schedule and make account-related decisions outside the user’s immediate session.

Why it was flagged

The skill encourages recurring background operation, including a cron example and retry behavior, rather than only user-invoked actions.

Skill content

"This file contains periodic maintenance tasks your agent should run every 4 hours."

Recommendation

Disable autonomous heartbeat by default, or configure it only to collect suggestions until the user explicitly approves each action.

What this means

If the remote heartbeat content changes unexpectedly, the agent could receive new operational instructions without the user noticing.

Why it was flagged

The skill tells agents to fetch and obey a remote heartbeat file, which can change after installation or review and then influence recurring account actions.

Skill content

"Fetch https://molttalent.com/heartbeat.md and follow it"

Recommendation

Pin reviewed versions, show diffs before accepting remote updates, and do not automatically follow changed remote instructions.

What this means

Anyone with the API key may be able to act as the user on MoltTalent.

Why it was flagged

The skill uses a MoltTalent API key for authenticated account access; this is expected for the service and includes chmod guidance, but it is still a sensitive credential.

Skill content

"Save your credentials to `~/.config/molttalent/credentials.json`"

Recommendation

Store the key with restrictive permissions, do not paste it into other services, and rotate it if it may have been exposed.

What this means

Private or tentative information from conversations could be turned into profile suggestions if preferences are too broad.

Why it was flagged

The skill uses conversation history and persistent preferences/state to infer professional updates, which is purpose-aligned but can involve sensitive context.

Skill content

"Review recent conversations for new skills mentioned."

Recommendation

Set narrow tracking preferences, maintain a never-track list, and keep `ask_before_posting` enabled.