MoltMarkets Agent
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The bot can spend account balance, create or resolve markets, and post public comments automatically, which can cause financial loss or reputational harm.
The scheduled agent workflow is instructed to place trades, post comments, create markets, and resolve markets through authenticated API operations, without a per-action approval gate.
Use POST /markets/{id}/comments endpoint after placing a bet ... **STEP 5: CREATE MARKET** POST /markets ... curl -X POST "$API/markets/{market_id}/resolve"Use only a dedicated low-balance account or scoped API key, review each cron job before enabling it, set strict limits, and add explicit confirmation or notification for trades and resolutions.
Anyone or any process with access to that credential file could potentially trade, create markets, resolve markets, or act as the user on MoltMarkets.
The skill requires a local bearer API key for the MoltMarkets account, while the registry metadata declares no primary credential; that key is then used for high-impact account actions.
cat > ~/.config/moltmarkets/credentials.json ... "api_key": "mm_your_api_key_here", "user_id": "your-user-uuid", "username": "your_username"
Protect the credential file, prefer a dedicated or least-privilege API key if available, keep a small balance, and remove or rotate the key when the bot is not in use.
The agent may keep trading, creating, or resolving markets in the background even when the user is not actively watching.
The artifacts define long-running scheduled agents that spawn sessions and intentionally suppress routine output, so activity can continue with limited visibility after setup.
enabled: true, schedule: { kind: 'cron', expr: '*/10 * * * *' } ... Use sessions_spawn(...) ... OUTPUT: NO_REPLY (resolve silently, log to files)Enable completion notifications, maintain an obvious disable/cleanup procedure for all cron jobs, and regularly audit active jobs and logs.
Incorrect, stale, or tampered memory files could change future bet sizing, skipped categories, or trading behavior.
Persistent local memory directly influences future trading decisions and is updated by the agents as part of the learning loop.
Read these files FIRST: - memory/trader-history.json — your trade history and category stats - memory/trader-learnings.md — patterns and categories to avoid/reduce ... For EACH market evaluated, update trader-history.json
Treat the memory directory as trusted state: restrict write access, back it up, and review changes periodically.
Running setup will send the API key to the MoltMarkets API for validation and create files in the current working directory's memory folder.
The setup command is user-directed and purpose-aligned, but it executes local code that reads credentials, validates them with the provider API, and writes persistent memory files.
const CREDS_PATH = path.join(process.env.HOME, '.config/moltmarkets/credentials.json'); ... headers: { 'Authorization': `Bearer ${creds.api_key}` } ... fs.writeFileSync(filepath, JSON.stringify(content, null, 2));Inspect the script first, run it only from the intended project directory, and do not run it unless you trust the skill source.