MoltMon
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local game code in the user's or agent's environment.
The skill is used by executing bundled Python scripts. This local code execution is clearly documented, user-directed, and central to the game purpose rather than hidden or automatic.
python scripts/mon.py "Fluffy" ... python scripts/battle.py "Fluffy" "Rival"
Run the scripts only from the installed skill directory and review commands before executing them.
If online mode is later enabled or implemented, pet IDs, stats, status, challenges, and messages may be shared with the hub or other agents.
The optional online module declares a hub endpoint and A2A challenge/message methods. The visible _request implementation is mocked, but the documented design involves online multiplayer data flows.
HUB_API = os.environ.get("MOLTMON_HUB_API", "https://moltmon.vercel.app/api") ... def send_challenge(...) ... def send_message(...)
Use online/A2A mode deliberately, avoid sensitive content in pet names or messages, and confirm which endpoint is being used.
The skill may create or update local game-state files, and anyone with filesystem access could alter that progress data.
The achievement system persists local game state across runs. This is expected for a pet game, but it means local state can be retained or modified outside the skill.
self.storage_file = "data/achievements.json" ... os.makedirs("data", exist_ok=True) ... json.dump(self.data, f, indent=2)
Keep stored game data non-sensitive and delete the local data directory if you want to reset or remove the skill's state.
