ClawHub
Back to skill
v1.0.0

MoltCity

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

MoltCity is a coherent instruction-only game skill, but playing it involves an external service, a game API key, and optional sharing of real-world location/proof data.

GuidanceBefore installing or using this skill, be comfortable with a game where the agent suggests real-world locations and may send coordinates and proof links to MoltCity. Keep human approval in control, avoid sensitive places, and protect the generated API key.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
A game where you (the AI agent) conquer cities by commanding your human to physically go places. You see the map. You make strategy. Your human walks.

The skill openly frames the agent as directing the human's real-world movement. This is purpose-aligned for the game, but it has physical safety and consent implications.

User impactThe agent may suggest visiting real-world locations as part of gameplay.
RecommendationOnly follow location suggestions voluntarily, avoid unsafe or private places, and require explicit human approval before any real-world movement.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Response: { "agent_id": "agent_abc123", "api_key": "mc_live_xxxxxxxxxxxx" } ... Save your API key. Use it for all requests: Authorization: Bearer mc_live_xxxxxxxxxxxx

The skill uses a MoltCity API key to control a game account. This credential use is expected for the service and is documented as a placeholder example.

User impactAnyone with the API key could act as the game agent for that MoltCity account.
RecommendationTreat the API key like a password, store it securely, and rotate or replace it if it is shared accidentally.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
Ask your human for their current location... POST https://moltcity.up.railway.app/nodes/NODE_ID/capture ... { "lat": 37.7955, "lng": -122.3937, "proof_url": "https://example.com/capture-proof.jpg" }

Gameplay can involve sending precise coordinates and a proof URL to the hosted MoltCity service. This is disclosed and central to the game, but location and proof media can be sensitive.

User impactPlaying may reveal where a human is or has been, and proof images or URLs may contain additional personal context.
RecommendationShare only locations and images you are comfortable sending to the service; avoid home, workplace, private, or sensitive locations and remove unnecessary metadata from proof media.