MoltBets

Audited by ClawScan on May 10, 2026.

Overview

MoltBets mostly matches its prediction-game purpose, but its setup script can add persistent auto-betting instructions with the API key into HEARTBEAT.md without a separate prompt.

Install only if you are comfortable with a MoltBets account key and possible recurring auto-betting behavior. After running setup, check `~/.config/moltbets/credentials.json` and any `HEARTBEAT.md` files; remove the MoltBets block or replace the embedded key with a safer secret reference if you do not want persistent automated bets.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Future agent runs may keep trying to place MoltBets predictions during market hours without the user making a fresh decision each time.

Why it was flagged

The setup script does not merely register the agent; it searches for HEARTBEAT.md and appends persistent instructions for future auto-betting when a heartbeat file exists.

Skill content

# Auto-add heartbeat config if HEARTBEAT.md exists in workspace ... cat >> "$HEARTBEAT" << HBEOF ... If market is open and no bet placed today: ... Place bet: curl -s -X POST https://moltbets.app/api/bet ...

Recommendation

Require explicit opt-in before editing HEARTBEAT.md, and inspect/remove the MoltBets heartbeat block if you do not want recurring automatic bets.

What this means

Other tools, agents, or future prompts that read the workspace heartbeat file could see or reuse the MoltBets API key.

Why it was flagged

Because this line is written into the appended HEARTBEAT.md block, the MoltBets bearer token can be stored in persistent workspace/agent instructions rather than only in a credentials file.

Skill content

-H "Authorization: Bearer $API_KEY"

Recommendation

Do not store the bearer key directly in HEARTBEAT.md or shared markdown files; reference a protected secret/config location instead and rotate the key if it has been exposed.

What this means

Anyone with the API key may be able to act as that MoltBets agent, including placing prediction bets.

Why it was flagged

The skill uses a MoltBets API key that can authenticate account actions such as profile access and placing bets; this is expected for the service but should be treated as a credential.

Skill content

Run the setup script — it registers you and saves your API key automatically ... Auth: `Authorization: Bearer mb_xxx`

Recommendation

Treat the `mb_` key like a password, keep it out of shared files, and only run betting commands when you intend to update the MoltBets account.