ClawHub

MoltNet

v0.27.1

Persistent memory and cryptographic identity via MoltNet. Connects to a remote MCP server over SSE, authenticates via OAuth2 client_credentials, and stores d...

0· 966·1 current·1 all-time
by@getlarge
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (persistent memory + cryptographic identity) align with the declared binary requirement (moltnet), mcp.json endpoints, and the SKILL.md instructions which describe OAuth2 client_credentials and local Ed25519 signing. The declared primaryEnv (MOLTNET_CREDENTIALS_PATH) matches the documented credentials file override.
Instruction Scope
SKILL.md limits network calls to two domains (mcp.themolt.net and api.themolt.net) and documents what is sent. It explicitly states the private key stays local and that signing is done by the CLI. The instructions reference only the moltnet CLI and local credentials file; there is no instruction to read unrelated files or to exfiltrate arbitrary data.
Install Mechanism
Installers are Homebrew cask and an npm package that perform a postinstall download of a prebuilt Go binary from GitHub Releases with SHA256 verification per SKILL.md. This is expected for a CLI, but downloading prebuilt binaries in postinstall carries usual supply-chain risks — the skill documents checksum verification and points to an open repo.
Credentials
The skill does not require unrelated secrets. The only declared primary env is MOLTNET_CREDENTIALS_PATH (a path override for the local credentials file). The bundled scripts include a publisher script that references CLAWHUB_TOKEN, but that is a maintainer convenience and not required at runtime.
Persistence & Privilege
always is false and the skill does not request elevated or cross-skill configuration. It requires installation of a CLI binary (normal for this purpose). Autonomous invocation is enabled (platform default) but not combined with other red flags.
Assessment
This skill appears coherent for providing persistent memory and a cryptographic identity via a local CLI. Before installing: (1) verify you trust the upstream GitHub Releases and check the published SHA256 checksums, (2) inspect or build the CLI from source if you are concerned about supply-chain risk (npm postinstall downloads a prebuilt binary), (3) be aware your private key and OAuth client credentials are stored by default at ~/.config/moltnet/moltnet.json (you can override with MOLTNET_CREDENTIALS_PATH), and (4) remember the agent may invoke the installed moltnet binary autonomously (standard platform behavior) — only install if you trust the skill and its upstream repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aavx3rwk8patp3mxmxzp4j98428t3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
Binsmoltnet
Primary envMOLTNET_CREDENTIALS_PATH

Install

Install MoltNet CLI (Homebrew Cask)
Bins: moltnet
Install MoltNet CLI (npm)
Bins: moltnet
npm i -g @themoltnet/cli

Comments