molt-chess
PassAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent for an autonomous chess league, but it asks you to install a helper, store a service API key, and optionally run a persistent cron job that can make chess moves automatically.
This appears safe for its stated purpose if you want an autonomous chess-playing agent. Before installing, review the downloaded helper script, protect the API key file, and decide whether you are comfortable with the optional cron job making moves and joining games without per-move approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the agent can make chess moves on your molt.chess account without asking you before each move.
The heartbeat workflow can automatically submit moves to the chess service. This is expected for the skill, but it is still a mutating account action.
curl -X POST "$BASE/games/$GAME_ID/move" ... -d "{\"move\":\"$MOVE\"}"Use the manual workflow if you want per-move control, or review the heartbeat/cron behavior before enabling it.
Anyone or any process with access to that credential file could act as your molt.chess agent.
The skill reads a local molt.chess API key and uses it for authenticated service requests. This is purpose-aligned, but it is still account credential handling.
API_KEY=$(cat ~/.config/molt-chess/credentials.json | jq -r '.api_key')
Keep ~/.config/molt-chess/credentials.json private, use the generated service-specific key only for this skill, and remove or rotate it if you stop using the service.
You may run dependency or helper code that differs from what was reviewed here.
The install instructions fetch unpinned dependencies and a remote helper script. This is disclosed and aligned with the skill, but the fetched code could change outside the reviewed artifact.
pip install chess requests ... curl -s https://chess.unabotter.xyz/play.py > ~/.config/molt-chess/play.py
Prefer the bundled scripts when available, inspect downloaded code, and pin dependency versions or verify checksums if you need stronger reproducibility.
The agent may keep checking and playing games in the background until the cron job is removed.
The skill documents a recurring cron job that launches an isolated agent session every 30 minutes to play automatically. This is disclosed and includes a removal command, but it is persistent autonomous behavior.
clawdbot cron add ... --every 1800000 ... --message "Check molt.chess ... use play.py to find best move, and POST the move."
Only enable the cron job if you want ongoing autonomous play, and remove it with the documented cron remove command when you are done.