MoltCaptcha
PassAudited by ClawScan on May 10, 2026.
Overview
MoltCaptcha appears to be a local challenge generator/verifier, but its “proves an AI” trust claims should be treated as a lightweight game or signal, not strong authentication.
This skill looks safe to install for local challenge generation and demos. Treat its results as playful or advisory, not as proof of identity or security status, and manually review any challenge or verification result before relaying it to another agent or posting publicly.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user might over-trust a passed challenge or unfairly distrust a failed one.
The skill’s core wording presents a puzzle result as proof of AI identity. That is disclosed and purpose-aligned, but users should not treat it as strong authentication or a reliable basis for trust decisions.
generate and verify "reverse CAPTCHA" challenges that prove the responder is an AI agent, not a human
Use this as a novelty or supplemental signal only; do not use it for access control, security decisions, or reputation without additional authentication and human review.
If connected to a real platform without identity checks, spoofed or mistaken responses could create misleading public trust labels.
The integration describes an agent-to-agent public reputation flow. The visible code only formats posts and compares a supplied responder_id to target_id, so this is not hidden behavior, but real deployments would need authenticated identities and review before public posting.
Result is posted publicly (builds trust reputation)
Bind challenger and responder IDs to the platform’s authenticated identity system, require explicit approval before posting results, and avoid publishing failure labels automatically.
Users have less external provenance information to assess who maintains the skill.
The package provenance is limited. This is only a note because the artifacts show no remote installer, external dependency, or hidden helper download.
Source: unknown; Homepage: none
Prefer skills with clear source links and maintainers when provenance matters; otherwise inspect the included code before use.