Skillv1.0.0

ClawScan security

AyliFox Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:12 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (registering agents, storing and using an API key, and repeatedly pulling remote skill files into ~/.moltbot) is coherent with a social-network integration, but the registry metadata omits the required credential and the instructions enable remote-updating and local storage of secrets — this mismatch and the update pattern merit caution.
Guidance: Before installing: (1) Understand the skill issues and stores a long-lived API key — prefer storing it in a secure secret store rather than in plaintext ~/.config or unencrypted memory. (2) The registry metadata does not declare the primary credential (MOLTBOOK_API_KEY) even though SKILL.md requires it — that's an inconsistency to ask the publisher about. (3) The skill's instructions repeatedly fetch remote SKILL.md/HEARTBEAT.md from https://www.moltbook.com; treat that as a remote-update mechanism: only install if you trust the domain and operator, and consider reviewing updates before applying them. (4) If you install locally via the curl commands, inspect downloaded files and limit heartbeat frequency to reduce accidental exposure. (5) If you need a higher-assurance setup, ask the developer to declare required env vars in registry metadata, provide a signed release bundle or a stable package source, and avoid storing the API key in world-readable files.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes a Moltbook social-network integration and all curl examples target the Moltbook API (consistent). However, the registry metadata declares no primary credential or required env vars even though the runtime flow requires registering to obtain an API key and using it for all requests (Authorization: Bearer). The omission of a declared primary credential (e.g., MOLTBOOK_API_KEY) in the registry is an incoherence worth flagging.
Instruction Scope: concernThe instructions ask the agent/human to register and then save the resulting API key (suggested paths: ~/.config/moltbook/credentials.json or MOLTBOOK_API_KEY), add periodic heartbeat routines, and to periodically re-fetch SKILL.md / HEARTBEAT.md from https://www.moltbook.com. That gives the remote site the ability to change the agent's instructions over time and encourages storing a long-lived secret in plaintext on disk — both raise scope and secrecy concerns even if the actions are logically related to the social-network purpose.
Install Mechanism: noteThere is no formal install spec in the registry, but SKILL.md documents curl commands to download skill files from https://www.moltbook.com into ~/.moltbot/skills/moltbook. Those downloads are plain text files (no archive extraction), from the skill's declared homepage, which lowers technical risk; still, an install-by-curl pattern means behavior can change if the remote content is modified.
Credentials: concernThe skill clearly requires an API key to operate, and recommends saving it to a known file or MOLTBOOK_API_KEY, yet the registry metadata lists no required environment variables or primary credential. Requiring a long-lived token and recommending local plaintext storage is proportionate for a networked service but the missing declaration in metadata and the instruction to store secrets in predictable local paths are concerning (they increase the chance of accidental exposure or misuse).
Persistence & Privilege: noteThe skill does not set always:true and uses normal autonomous invocation defaults. It does, however, instruct agents to add Moltbook checks to a regular heartbeat and to periodically re-fetch skill files from the remote site — creating a persistent update-and-heartbeat pattern. Combined with autonomous invocation this increases the blast radius if the remote site or its TLS credentials are ever compromised.