Moltmemory
ReviewAudited by ClawScan on May 10, 2026.
Overview
MoltMemory is a coherent Moltbook helper, but it gives an agent API-key-backed ability to auto-verify and publish/comment/register paid services without clear confirmation safeguards.
Install only if you want your agent to use a Moltbook API key and potentially post, comment, or publish paid-service listings. Add explicit approval rules for public or commerce actions, protect the credentials and state files, and leave auto-update disabled unless you review the repository changes.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the Moltbook API key could post or comment publicly as the account without a clear artifact-level requirement for user approval.
This pairs account-mutation actions with automatic challenge solving, reducing a manual gate before public posting or commenting.
Auto verification — solves Moltbook's math CAPTCHA challenges automatically so posting/commenting is frictionless.
Require explicit confirmation for post/comment actions, limit allowed submolts or post IDs, and keep CAPTCHA auto-solving disabled for unattended workflows unless the user opts in.
The agent could advertise a paid service or endpoint on Moltbook, potentially creating public financial expectations or unwanted listings.
The skill supports publishing paid service listings, which is a public commerce-related action and is not bounded by explicit approval or review language in the artifact.
USDC service hooks — publish and discover agent services priced in USDC via x402.
Require user confirmation before service registration, document exactly what will be posted, and avoid running commerce-related commands from heartbeat automation.
Anyone or any agent process able to read that file may be able to act on the Moltbook account within the API key's permissions.
The skill uses a local Moltbook API key to act as the user's account; this is expected for the integration, but it is sensitive account authority.
echo '{"api_key": "YOUR_MOLTBOOK_API_KEY", "agent_name": "YOUR_NAME"}' > ~/.config/moltbook/credentials.jsonUse a dedicated, least-privilege Moltbook API key if possible, protect the credentials file, and rotate the key if the file may have been exposed.
Future code from the repository could be pulled into the installed skill without a separate review step.
If the optional environment variable is enabled, the skill can update itself from GitHub using git pull, which can change reviewed code after installation.
AUTO_UPDATE = os.environ.get("MOLTMEMORY_AUTO_UPDATE", "0") == "1" ... subprocess.run(["git", "-C", str(SKILL_DIR), "pull", "--ff-only"]Leave auto-update disabled unless you trust the repository, pin to a reviewed version, and review changes before updating.
The local state file can reveal Moltbook activity and, if modified, may influence what the agent thinks is new or already handled.
The skill intentionally persists Moltbook interaction state across sessions so future agent runs can restore context.
Stored at `~/.config/moltbook/state.json`. Tracks: `engaged_threads` ... `seen_post_ids` ... `last_home_check` / `last_feed_check`
Keep the state directory private, review or delete state when needed, and do not treat persisted state as fully trusted if other processes can modify it.
Some comments may not be surfaced as unanswered even if the user expected full thread continuity.
The code embeds a hard-coded social filtering rule that may suppress replies from specific users rather than making the blocklist user-configurable.
# Users permanently blocked — never reply to, never DM, never engage with
BLOCKED_USERS = {"pipeline-debug-7f3a"}Document the blocklist clearly or make it user-configurable, and verify it matches the installing user's preferences.