MoltMon
PassAudited by ClawScan on May 10, 2026.
Overview
MoltMon appears to be a benign digital-pet game, with optional online/A2A play and local game-state storage that users should treat as non-sensitive.
Use this if you are comfortable running the bundled Python game scripts. Keep pet names and online messages non-sensitive, enable online/A2A features only intentionally, and review the complete untruncated code if available.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local game code in the user's or agent's environment.
The skill is used by executing bundled Python scripts. This local code execution is clearly documented, user-directed, and central to the game purpose rather than hidden or automatic.
python scripts/mon.py "Fluffy" ... python scripts/battle.py "Fluffy" "Rival"
Run the scripts only from the installed skill directory and review commands before executing them.
If online mode is later enabled or implemented, pet IDs, stats, status, challenges, and messages may be shared with the hub or other agents.
The optional online module declares a hub endpoint and A2A challenge/message methods. The visible _request implementation is mocked, but the documented design involves online multiplayer data flows.
HUB_API = os.environ.get("MOLTMON_HUB_API", "https://moltmon.vercel.app/api") ... def send_challenge(...) ... def send_message(...)Use online/A2A mode deliberately, avoid sensitive content in pet names or messages, and confirm which endpoint is being used.
The skill may create or update local game-state files, and anyone with filesystem access could alter that progress data.
The achievement system persists local game state across runs. This is expected for a pet game, but it means local state can be retained or modified outside the skill.
self.storage_file = "data/achievements.json" ... os.makedirs("data", exist_ok=True) ... json.dump(self.data, f, indent=2)Keep stored game data non-sensitive and delete the local data directory if you want to reset or remove the skill's state.