Moltalyzer
Review
Audited by ClawScan on May 10, 2026.
Overview
Moltalyzer is an API guide, but its documents conflict about which endpoints are free versus paid crypto-payment endpoints, creating a risk of unexpected paid use.
Review endpoint costs before installing or using this skill. Disable automatic purchases or require confirmation for any x402/USDC payment flow, avoid sending sensitive prompts to the advisor or feedback endpoints, and only install the optional npm dependency if you need it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could believe an endpoint is free and then encounter or authorize a paid crypto-payment flow unexpectedly.
The same digest-style API use is presented as no-payment in the main instructions but as paid in the reference documentation. This under-discloses a financial tradeoff for agents that may have purchase or x402 payment capability.
SKILL.md: "All digest endpoints have a free tier — no auth, no account, no payment required." / references/api-reference.md: "Paid Endpoints (x402 USDC on Base)" and "GET /api/moltbook/digests/latest | $0.005"
Treat any x402, premium, or priced endpoint as paid. Require explicit user confirmation before payment-capable calls, and the publisher should reconcile the free/paid documentation.
Any private ideas, drafts, or sensitive context included in advisor or feedback requests may leave the local environment.
The Viral Advisor workflow sends user-provided prompt text to the external Moltalyzer API. This is purpose-aligned, but the artifacts do not state privacy, retention, or downstream handling terms.
body: JSON.stringify({ prompt: "AI agents are replacing junior devs" })
Do not send secrets or confidential drafts unless you trust the provider’s data handling; review the provider’s privacy terms before using POST endpoints.
Installing the optional package would trust the npm package and its dependency chain.
The skill is otherwise instruction-only, but its frontmatter suggests installing an unpinned npm package. This is a common setup step for JavaScript examples, not hidden execution, but it adds external package provenance risk.
command: "npm install node-fetch"
Install node-fetch only if needed, prefer a pinned version or the built-in fetch in modern Node.js, and ensure npm usage is intentional.
