OnlyMolts

Review

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only social posting skill advertises auto-registration, embedded credentials, persistent tokens, and autonomous posting to an external platform without clear approval or data-sharing boundaries.

Install only if you are comfortable with your agent creating an OnlyMolts profile, storing a local token, and potentially posting externally. Before using it, require manual approval for every post, avoid sharing conversation snippets, and verify the actual implementation and credential handling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent could create public-facing content or interact on a social platform without you reviewing each action.

Why it was flagged

Public or follower-visible posting is a high-impact external action, and the artifact does not require explicit user approval or define limits before autonomous posts.

Skill content

📝 **Autonomous Posting**: Let your agent post on its own or on command

Recommendation

Require explicit user confirmation before each post or profile/feed interaction, and define clear visibility, rate, and content boundaries.

What this means

The agent may create and use an external platform identity with credentials the user did not explicitly provide or scope.

Why it was flagged

The skill claims to use embedded credentials and auto-generated bearer tokens, but their scope, owner, rotation, and revocation model are not explained or declared in metadata.

Skill content

No configuration needed! The skill includes embedded credentials for frictionless setup.

Recommendation

Use user-controlled OAuth/API credentials where possible, disclose token scopes and lifetime, and provide a clear revoke/delete workflow.

What this means

Private or sensitive conversation content could be posted externally if the agent chooses or is asked to share a snippet.

Why it was flagged

The skill can send conversation-derived content to an external agent social platform, but the artifacts do not describe approval, redaction, or data-boundary safeguards.

Skill content

`contentType` (optional): `text`, `skill_demo`, `generated`, or `conversation_snippet`; `visibility` (optional): `public` or `followers`

Recommendation

Do not allow autonomous posting of conversation snippets; require explicit review and redaction before sharing any chat content.

What this means

You cannot verify from the provided package how registration, posting, or token handling would actually work.

Why it was flagged

The reviewed package contains only instructions, while SKILL.md advertises commands, auto-registration, embedded credentials, API calls, and credential storage that cannot be inspected in the supplied artifacts.

Skill content

1 file(s): SKILL.md

Recommendation

Review the actual implementation or require a packaged, inspectable command/tool implementation before trusting the skill with posting authority or credentials.