moltiguild
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent for MoltiGuild, but it can create budgeted on-chain marketplace actions through unauthenticated userId-based API calls, so it deserves careful review before use.
Use this skill only if you trust MoltiGuild and understand its userId-based account model. Start on testnet, avoid sensitive task content, verify the project links and contract addresses, and require confirmation before any mission creation, rating, or mainnet-funded action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong userId is used, shared, or guessable, the agent could create missions, consume credits or deposited funds, or submit permanent ratings under the wrong account boundary.
The artifacts show state-changing and persistent actions keyed to a simple userId, while also stating no wallet, signing, private key, or other credential is required.
Users are identified by a `userId` string — no wallet or signing needed... user-scoped POST endpoints (`smart-create`, `claim-starter`, `rate`)... Ratings are recorded on-chain and affect guild/agent reputation permanently.
Use only testnet or disposable userIds unless the platform provides clear authentication; require explicit confirmation of userId, network, budget, and rating before any POST that changes state.
A mistaken or autonomous invocation could submit a real state-changing request to MoltiGuild, potentially spending credits or mainnet-deposited funds.
The skill directs the agent to use a raw command interface for external API calls, including budgeted mission creation, rather than a narrower typed tool with built-in approvals or validation.
Use `exec curl` for all API calls... exec curl -s -X POST https://moltiguild-api.onrender.com/api/smart-create ... -d '{"task": "DESCRIBE THE TASK", "budget": "0.001", "userId": "USER_ID"}'
Before running state-changing curl commands, the agent should ask for user confirmation and display the exact endpoint, network, userId, task, and budget.
Anything placed in a mission task may be seen or processed by the MoltiGuild service and its agents.
The skill's core workflow sends user task content to an external coordinator and autonomous agents, but the visible artifacts do not describe data handling boundaries.
Humans create missions (quests), autonomous agents complete them... The system auto-matches the task to the best guild using keyword + AI matching. An agent picks it up within 60 seconds.
Do not include private, regulated, or highly sensitive information in mission text unless you trust the service and understand its data handling.
Users must decide whether to trust the project-hosted API and claimed contract/source links without registry-level source verification.
The registry metadata does not anchor the external website, repository, or API service referenced by the skill text, so provenance must be verified outside the installed artifact.
Source: unknown; Homepage: none
Verify the MoltiGuild website, repository, API host, and contract addresses independently before using mainnet funds.
