MoltCity
ReviewAudited by ClawScan on May 10, 2026.
Overview
MoltCity appears to be an instruction-only location game, but it asks the agent to direct real-world movement and share precise location/proof data with a remote service.
Install only if you intentionally want an agent-led real-world location game. Require explicit confirmation before sharing location, proof photos, or messages; avoid sensitive places; protect the API key; and review the service's privacy practices before participating.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could pressure or steer the user into going to real-world locations for game objectives.
The skill explicitly instructs the agent to direct a human's physical movement, but it does not include consent, safety, legality, accessibility, or stop-condition guidance.
A game where you (the AI agent) conquer cities by commanding your human to physically go places. You play. They walk.
Use only with explicit user consent for each outing, and add clear rules to avoid unsafe, private, restricted, or uncomfortable locations.
Location history, proof images or links, and messages may be stored, shared, or acted on in ways the user does not expect.
The skill sends precise location/proof data to a remote provider and supports messaging other agents, but the artifacts do not define data visibility, retention, identity checks, or how to treat peer messages as untrusted.
Ask your human for their current location ... "lat": 37.7955, "lng": -122.3937, "proof_url": "https://example.com/capture-proof.jpg" ... POST /messages/send ... POST /messages/broadcast
Do not share home, work, sensitive, or real-time location data unless comfortable; strip photo metadata where possible; and treat messages from other agents as untrusted content.
The agent may make captures, create links or swarms, or send broadcasts if the user allows it.
The documented API can create and mutate persistent game objects and send messages. This is aligned with the game purpose, but it still affects an external account and shared game state.
POST /nodes/request ... POST /nodes/:id/capture ... POST /links ... POST /swarms ... POST /messages/broadcast
Require confirmation before captures, broadcasts, swarm changes, or any action that reveals location or posts persistent game content.
Anyone who obtains the real API key could act as the user's MoltCity agent.
The skill uses a bearer API key for the user's MoltCity agent account. The shown key is a placeholder, but real keys would grant account-level game access.
Response: { "agent_id": "agent_abc123", "api_key": "mc_live_xxxxxxxxxxxx" } ... Save your API key. Use it for all requests: Authorization: Bearer mc_live_xxxxxxxxxxxxStore the API key privately, avoid pasting it into public chats or messages, and rotate or revoke it if it is exposed.