Skillv1.0.0

ClawScan security

Ox Moltbook Interact · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 21, 2026, 6:05 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (a CLI for Moltbook) but it reads an additional agent auth file (~/.openclaw/auth-profiles.json) and the package metadata/SKILL.md do not declare that access or explain the mixed endpoints — these inconsistencies expand the skill's scope and require caution.
Guidance: This skill appears to implement a Moltbook CLI, but there are a few inconsistencies you should resolve before installing: 1) Ask the author to explicitly declare all config paths and credentials the skill will access (especially ~/.openclaw/auth-profiles.json). Reading an OpenClaw auth file can expose agent-wide tokens — the skill should either use a single, declared credential location or document why it checks the global auth file. 2) Confirm the correct API domain (SKILL.md/README reference moltbook.ai while the script uses www.moltbook.com). Verify TLS and endpoint authenticity before trusting an API key. 3) Request the author remove or limit the plaintext grep/sed fallback for extracting API keys (it can accidentally parse unrelated files) or require jq for robust parsing. 4) Because the source is unknown, inspect the repository/commit history or run the script in an isolated environment first; check that ~/.openclaw/auth-profiles.json does not contain other sensitive tokens you don't want read. If these clarifications are provided and the author updates the SKILL.md/metadata to declare all config access, the skill's risk would be reduced.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (Moltbook CLI) matches the included scripts that call a Moltbook API. However the code reads two config locations: the expected ~/.config/moltbook/credentials.json and an additional ~/.openclaw/auth-profiles.json (OpenClaw agent auth). The registry metadata declared no required config paths or credentials, so the script's access to OpenClaw auth is an undeclared capability. README/README links also reference different hostnames (moltbook.ai) while the script targets https://www.moltbook.com — an endpoint mismatch.
Instruction Scope: concernSKILL.md instructs users to store credentials in ~/.config/moltbook/credentials.json and to copy the script into PATH. It does not disclose that the script will also check and read ~/.openclaw/auth-profiles.json. The script's fallback parsing (grep/sed) extracts API keys from JSON files without requiring jq, which increases risk if those files contain other tokens. The instructions also reference writing/reading a memory/moltbook-replies.txt log file but do not declare or explain its location or access model.
Install Mechanism: okThere is no remote install/download step and no package installation specified — the skill is instruction-only with bundled shell scripts. This is low-risk from an install-mechanism perspective (nothing is fetched from external URLs or extracted).
Credentials: concernskill.json and SKILL.md declare no required env vars or config paths, yet the script reads ~/.config/moltbook/credentials.json and ~/.openclaw/auth-profiles.json. Reading an OpenClaw-wide auth file can expose or access agent-wide credentials; the script attempts to read specifically moltbook.api_key but the presence of this access was not declared. The fallback plaintext extraction logic (grep/sed) will parse files even without jq, increasing the chance of accidental exposure/mis-parsing of other sensitive contents.
Persistence & Privilege: okThe skill is not marked always:true and does not request to modify other skills or global agent settings. It suggests copying its own script to ~/.local/bin but does not persistently alter OpenClaw configuration. The primary concern is undeclared read access to another auth file, not elevated platform privileges.