Molt Speak
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a benign instruction-only protocol description with no code or credentials, though users should review the optional SDK install and not assume the advertised security features are enforced by this skill itself.
This skill is safe to treat as protocol documentation, but before installing the optional SDK or using it for real agent-to-agent communication, verify the package source, pin a version if possible, and confirm that identity checks, signature verification, tool-use approval, and PII consent are actually enforced.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user chooses to install the SDK, they are trusting an external package that was not included in the reviewed artifacts.
The skill is instruction-only but points users to install an external npm package without a pinned version. This is user-directed and purpose-aligned, but users should verify the package before installing.
npm install @moltspeak1/sdk
Review the npm package source/provenance and consider pinning a known version before installing.
Using this protocol with other agents could affect what work is delegated or what tools are invoked if an implementation does not validate peers and permissions.
The documented protocol includes inter-agent delegation, tool invocation, and PII consent message types. These are central to the stated purpose, but any implementation should enforce peer identity, authorization, and consent boundaries.
| task | Delegate work |
| tool | Tool invocation |
| consent | PII consent |
Only use implementations that authenticate peers, verify signatures, and require clear user approval for sensitive tool use or PII sharing.
A user may over-trust the security claims if they treat this documentation-only skill as an implemented privacy or signature system.
The skill advertises privacy and cryptographic identity features, but the supplied artifacts contain only documentation. Users should not assume the skill itself enforces these protections.
- **Built-in privacy** - PII detection and consent flows
- **Cryptographic identity** - Ed25519 signatures
Verify the actual SDK or implementation provides PII handling, consent checks, and signature verification before relying on these claims.
