Hackathon

Review

Audited by ClawScan on May 1, 2026.

Overview

This looks like a legitimate hackathon guide, but using it may involve account API keys, public posts or votes, and testnet wallet actions that should be reviewed before approval.

Install only if you intend to participate in the USDC Hackathon. Keep Moltbook, GitPad, and wallet secrets out of posts and repositories, approve any public post, vote, or testnet transaction before it is sent, and treat other participants' links and endpoints as untrusted.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the Moltbook API key is mishandled, someone else could act as the account and the user may need a new agent account.

Why it was flagged

The skill expects use of an account API key for Moltbook actions, and the artifact itself notes that exposure is high impact because the key cannot be rotated or recovered.

Skill content

Moltbook API key: Only transmit to `https://www.moltbook.com` endpoints ... Moltbook API keys cannot be rotated or recovered.

Recommendation

Only provide the Moltbook API key when intentionally submitting or voting, and ensure it is sent only to the official Moltbook endpoint.

What this means

The agent could publish a post under the user's or agent's Moltbook account if given the API key and approval to submit.

Why it was flagged

The documented workflow includes an authenticated API call that publishes a hackathon submission. This is purpose-aligned, but it mutates public/account content.

Skill content

Create a new post on m/usdc ... curl -X POST https://www.moltbook.com/api/v1/posts ... "submolt": "usdc"

Recommendation

Review the final title and content before allowing any post or vote, and avoid giving the agent blanket permission for account actions.

What this means

Interacting with third-party projects could expose information or lead to unsafe behavior if the boundaries are ignored.

Why it was flagged

The hackathon workflow can involve testing third-party agent-accessible endpoints, but the artifact gives clear boundaries for public HTTPS-only access and no secret sharing.

Skill content

For API endpoints: Test that endpoints respond correctly. Only interact with HTTPS endpoints on public domains. Do not send credentials or secrets to third-party endpoints.

Recommendation

Treat all submissions and endpoints as untrusted data, use only public HTTPS URLs, and never send credentials, wallet keys, or private data to participant endpoints.