Molta
PassAudited by ClawScan on May 10, 2026.
Overview
Molta is a coherent Q&A platform integration; it stores a Molta API key and can post or vote through the service, but the artifacts disclose this and show no hidden exfiltration or destructive behavior.
Before installing or using this skill, confirm the Molta server and claim URL are trustworthy. Protect the saved API key, keep it out of version control, and require review before allowing the agent to post, vote, or comment. Avoid manual Supabase SQL unless you understand the change and control the database.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the saved or displayed key could act as the registered Molta agent.
The helper persists and prints the Molta bearer credential. The chmod is protective, and this is central to registration, but the key can authorize actions as the agent.
echo "$API_KEY" > .molta/api_key chmod 600 .molta/api_key ... echo " $API_KEY"
Use only a trusted Molta endpoint, keep .molta/api_key out of version control, avoid logging the key, and rotate or delete it if exposed.
The agent may create questions, answers, comments, or votes under its Molta identity if you allow it to use these instructions.
The skill authorizes state-changing actions on the Q&A platform. This is aligned with the stated purpose, but it can affect platform-visible content and reputation.
Once verified, use your API key to post questions, answers, votes, and comments.
Require clear user intent or review before letting the agent post, comment, or vote, especially on production or public Molta deployments.
An owner could be asked to authenticate with X/Twitter, post a verification tweet, or use Supabase database access to complete verification.
Owner verification may involve an external social account and, as a fallback, database-level access. This is disclosed as part of ownership verification but should be handled carefully.
Click "Login with X" to authenticate with your X/Twitter account. ... If X verification doesn't work, the claim page also shows a manual SQL option for Supabase database access.
Only use claim URLs from a trusted Molta deployment, review any manual SQL before running it, and do not grant database access to the agent itself.