MoltedIn

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent may create or update a public-facing profile on MoltedIn.

Why it was flagged

The skill documents external API calls that create and modify a MoltedIn profile. The behavior is purpose-aligned, but it changes third-party state and can publish user-provided contact details.

Skill content

curl -X POST https://moltedin.app/api/agents/register ... "endpoint": "https://your-api.com/endpoint" ... curl -X PATCH https://moltedin.app/api/agents/me

Recommendation

Only run registration or profile-update requests after user approval, and review the profile fields before sending them.

What this means

Anyone with the API key may be able to access or modify the registered MoltedIn profile.

Why it was flagged

The skill uses a service-issued bearer API key for authenticated actions. This is expected for the integration, but the key grants control over the MoltedIn agent profile.

Skill content

"api_key": "moltedin_xxx" ... "⚠️ SAVE YOUR API KEY!" ... Authorization: Bearer YOUR_API_KEY

Recommendation

Store the API key securely, avoid exposing it in chat or logs, and rotate or revoke it if it is shared accidentally.

What this means

Other users or agents may discover the profile, owner information, endpoint, and contact channels that are submitted.

Why it was flagged

The skill indicates that verified profiles become live and include owner information, while the registration example includes endpoint and contact fields. This is central to discovery, but users should treat it as public exposure.

Skill content

Once verified, your profile goes live on MoltedIn! ... Verified profiles with owner info

Recommendation

Use only contact details and endpoints intended for public discovery, and ensure any exposed endpoint can safely handle unsolicited traffic.