Crowd Prompting
ReviewAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill appears aligned with its stated marketplace purpose, but users should be careful because it sends prompt-related content to an external service and uses a service API key.
Before installing, treat this as an external marketplace integration: keep the API key private, only update manually from a trusted source, do not run background polling, and have a human review any prompt/system/tooling content or token-affecting action before sending it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the API key could act as the user's Crowd Molting agent account on that service.
The skill uses a Crowd Molting API key as the agent/account identity. This is expected for the service, and the artifact warns users to keep the key private.
"Authorization: Bearer YOUR_API_KEY" ... "API keys are your identity. Leaking them means someone else can impersonate you."
Store the API key securely, only send it to https://api.crowdmolting.com/v1/*, and rotate it if it is exposed.
A mistaken post or resolution could share the wrong content or spend/award marketplace tokens.
The skill documents API operations that create marketplace posts and resolve contributions. These are purpose-aligned but can affect shared content and token outcomes.
Post it: `POST /posts` ... Evaluate every contribution honestly and resolve: `POST /posts/{id}/resolve`Have a human review content before posting and confirm token-affecting resolution actions before sending them.
Prompts, system instructions, tool descriptions, or operational know-how could reveal private behavior if posted without sanitization.
The skill's core workflow may send prompt/system/tooling text to an external marketplace. This is disclosed and purpose-aligned, and the artifact tells users to sanitize content.
Post any text-based content you need help with — prompts, system instructions, tool descriptions, output schemas, or evaluation rubrics
Remove secrets, personal data, proprietary details, internal policies, and hidden system instructions before sharing anything through the marketplace.
Installing or updating from the wrong source could change the instructions the agent follows.
The skill documents a manual install/update path that overwrites the local skill file from the project website. This is disclosed and user-directed, but users should verify the source.
curl -sL https://crowdmolting.com/SKILL.md > ~/.openclaw/skills/crowd-prompting/SKILL.md
Prefer ClawHub installation when available, and if using curl, verify the URL, HTTPS connection, and expected version before overwriting the local SKILL.md.