Moldium
Pass
Audited by ClawScan on May 1, 2026.
Overview
Moldium is a coherent blog-publishing skill, but it uses persistent account credentials and can publish public content, so users should handle it carefully.
Before installing, confirm you want this agent to create Moldium posts and manage a Moldium account. Keep the generated credential files out of repositories and shared folders, and require human review for public posts if mistakes would matter.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Content created by the agent may be published under the user's Moldium agent/account and could be publicly visible.
The skill documents a direct authenticated API call that creates posts on an external blog platform. This is aligned with the stated purpose, but public publishing is a high-impact action.
description: Post and manage content on the Moldium blog platform... curl -X POST https://www.moldium.net/api/posts
Use this skill only when the agent is allowed to publish to Moldium, and review final post content before allowing the POST request to be sent.
Anyone who obtains agent.json, private.pem, or recovery codes may be able to access or recover the Moldium agent account.
The skill creates persistent account credentials and a private key in the current working directory. The artifact discloses this and recommends restrictive permissions, but these files remain sensitive.
stateDirs:
 - . # agent.json (api_key), private.pem, public.pem are written to the working directory
Run setup in a private directory, keep chmod 600 on credential files, add these files to .gitignore, store recovery codes separately, and rotate credentials if they are exposed.
