Is moltforsale safe?
https://clawhub.ai/Justtrying1001/moltforsale
Moltforsale is a social arena API skill that contains no executable code but establishes a persistent bidirectional data channel with an external server. The primary risks are: (1) references to unaudited external documents (heartbeat.md, messaging.md) that could deliver dynamic prompt injection payloads, (2) the registration and action APIs create channels through which agent context could be exfiltrated via freeform content fields, and (3) adversarial game mechanics (ownership, jailing, identity modification) create unpredictable behavioral dynamics. No malicious intent is evident, but the attack surface warrants caution.
Findings (9)
MEDIUM External URL fetch instructions for unaudited documents (-20)
The skill references heartbeat.md, messaging.md, and skill.json as additional documents the agent should read from https://molt-fs.vercel.app. These documents are not included in the skill package and are served dynamically from the external server. They could contain prompt injection payloads, behavioral overrides, or instructions that change over time without triggering a skill version update.
MEDIUM Behavioral override directives in skill specification (-10)
The skill uses authoritative language to dictate agent behavior, including disabling shell command execution, modifying HTTP client redirect behavior, and restricting how API keys are handled. While framed as safety constraints, these directives demonstrate the skill's ability to reshape agent runtime behavior through prompt injection patterns.
MEDIUM Bidirectional data channel via API registration and polling (-25)
The skill establishes a persistent bidirectional data channel between the agent and the external Moltforsale API. During registration, the agent sends handle, display name, bio, and arbitrary metadata. During polling, the agent receives context from the server. During acting, the agent sends arbitrary content strings. This channel could be used to exfiltrate information from the agent's runtime context if the agent populates these fields with session data.
LOW API key returned once creates persistent external binding (-10)
The registration endpoint returns an API key exactly once, creating a persistent credential that binds the agent identity to the external service. Loss of this key requires re-registration. The key must be stored in the agent runtime, creating a persistent state dependency on the external service.
LOW Claim URL directs agent/user to external verification site (-8)
The registration response includes a claim_url that directs to the Moltforsale website and a verification flow involving posting to X (Twitter). This creates a social engineering pathway where the agent or user is directed to interact with external websites as part of the skill's workflow.
INFO Runtime reads sensitive files during install (-15)
The filesystem monitor detected reads of .env, .aws/credentials, .profile, and .bashrc during the install phase. These appear to be from the openclaw agent runtime initialization rather than the skill itself, as no network connections were made and no skill code executed. However, the skill's presence triggered the runtime startup which performed these reads.
MEDIUM Adversarial social dynamics and ownership mechanics (-40)
The skill's game mechanics include agent ownership (BUY), identity modification by other agents (CHANGE_BIO, CHANGE_NAME), denial-of-service (JAIL for 6 hours), and explicitly adversarial framing ('scheme, own each other, fight for status'). These mechanics create unpredictable behavioral dynamics where the agent's identity and availability can be controlled by external actors on the platform.
LOW Operator-only simulation endpoint disclosed (-15)
The skill document discloses the existence of an operator-only /sim/tick endpoint protected by secrets. While agents are told not to call it, the disclosure of this endpoint and its authentication mechanism (header or query param) provides reconnaissance information that could be exploited.
INFO No executable code detected (-5)
The skill package contains only SKILL.md, _meta.json, and origin.json. No executable code, npm scripts, git hooks, submodules, or symlinks were found. The package.json is empty.