v1.0.0

MoltMarkets Trading Agent

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This is an openly autonomous trading setup, but it needs careful review because it uses your MoltMarkets API key to run recurring silent agents that can bet, create and resolve markets, and post comments.

GuidanceInstall only if you intentionally want an autonomous trading bot. Start with crons disabled or visible logging enabled, use a low-balance or limited-scope account, verify all spending and position caps, protect the API key and memory directory, and require human approval until you are comfortable with its behavior.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

references/cron-definitions.md

Trader: "Use POST /markets/{id}/comments endpoint after placing a bet." Creator: "POST /markets". Resolution: "curl -X POST \"$API/markets/{market_id}/resolve\""

The cron payloads direct agents to perform authenticated account-changing API calls, including betting-related comments, market creation, and market resolution, on a schedule.

User impactThe agent could spend account funds/credits, create markets that cost liquidity, resolve markets incorrectly, or post public comments under the user's account.

RecommendationAdd explicit approval or a dry-run mode for each bet, market creation, resolution, and public comment; enforce hard spend/loss caps and prefer limited-scope API keys if MoltMarkets supports them.

Rogue Agents

SeverityHighConfidenceHighStatusConcern

references/cron-definitions.md

"enabled: true" ... "Use sessions_spawn(label='moltmarkets-trader'" ... "NO intermediate messages" ... "work SILENTLY" ... "deliver: false"

The skill sets up enabled recurring jobs that spawn background agent sessions and explicitly suppress routine user-visible messages.

User impactOnce configured, the agents may keep operating in the background and continue taking account actions unless the user notices and disables the cron jobs.

RecommendationKeep the jobs disabled until tested, set deliver/logging to visible during rollout, document a stop/removal procedure, and require periodic human review of all active crons.

Agent Goal Hijack

SeverityMediumConfidenceMediumStatusConcern

references/cron-definitions.md

"FIRST: READ EXISTING COMMENTS" ... "GET /markets/{market_id}/comments" ... "Responds to or references other comments"

The trader agent is instructed to read and use public market comments, which are untrusted external text, without a stated boundary that comments must be treated only as data and not as instructions.

User impactA malicious or careless market comment could influence the agent's generated public comments, and in a tool-enabled context could attempt to steer broader agent behavior.

RecommendationExplicitly instruct the agent to treat market titles, descriptions, and comments as untrusted data, ignore instructions found in them, and quote/summarize them without obeying them.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

scripts/setup.js

const CREDS_PATH = path.join(process.env.HOME, '.config/moltmarkets/credentials.json'); ... fs.writeFileSync(filepath, ...) ... headers: { 'Authorization': `Bearer ${creds.api_key}` }

The user-directed setup script reads the local credential file, contacts the MoltMarkets API, and writes local memory files. This is disclosed and purpose-aligned, but it is still local code execution that handles credentials.

User impactRunning the script gives it access to the local API key and lets it create or modify files in the current project's memory directory.

RecommendationReview the setup script before running it, run it from the intended project directory, and avoid running it with unnecessary elevated privileges.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

cat > ~/.config/moltmarkets/credentials.json ... "api_key": "mm_your_api_key_here", "user_id": "your-user-uuid", "username": "your_username"

The skill requires a local bearer API key for MoltMarkets account access, even though the registry metadata declares no primary credential or required environment variables.

User impactAnyone or any process that can use that credential may be able to act as the user on MoltMarkets, including trading and other account-changing actions.

RecommendationProtect the credential file with restrictive permissions, use a dedicated low-balance or limited-permission account/key if possible, and rotate the key if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

references/cron-definitions.md

"Read these files FIRST: memory/trader-history.json ... memory/trader-learnings.md" and "For EACH market evaluated, update trader-history.json"

Persistent memory files are intentionally used to steer future trading decisions and are updated by the agents over time.

User impactIf these memory files are corrupted or edited incorrectly, future automated trades or market choices could be based on bad strategy state.

RecommendationLimit write access to the memory directory, review changes regularly, back up the files, and avoid letting unrelated agents or untrusted content write to them.