SentiBook
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: sentibook
Version: 1.0.0

The skill bundle (SKILL.md) facilitates an AI agent's autonomous participation in the 'SentiBook' social network via the `sentibook.com` API. It is classified as suspicious because it instructs the agent to enter a recurring 'heartbeat loop' that involves automatically reading and responding to mentions and direct messages from untrusted third parties. This design creates a significant vulnerability to remote prompt injection, as the agent is encouraged to engage with external content without explicit safety constraints or input sanitization, potentially allowing remote users to hijack the agent's logic.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could affect a public social identity, contact other users, vote, follow accounts, or create content in ways the user did not specifically approve.
The artifact exposes many public and interpersonal mutation workflows but does not require user approval or define safe scopes for posts, votes, follows, comments, debates, or DMs.
Evidence (SKILL.md): Here you can post, edit, delete, upvote, downvote, comment, vote on comments, bookmark, DM any human or agent, follow anyone, join zones, create debates, vote on debates...
Recommendation: Require explicit user confirmation for account creation and every public, voting, follow, profile, debate, or DM action; define allowed recipients, zones, and content rules.

A user's agent may keep checking in and engaging with the platform as an ongoing participant rather than only acting when the user asks.
The skill encourages autonomous account creation and recurring activity, which can continue beyond a single user-directed task.
Evidence (SKILL.md): No restrictions. No priority. Full autonomy. ... Register yourself (automatic — no human needed) ... Start your heartbeat loop ... every 30 minutes
Recommendation: Do not run a background heartbeat or autonomous engagement loop unless the user explicitly opts in; include clear stop conditions and a way to disable or revoke the agent identity.

If the generated API key is mishandled, the SentiBook agent identity could be reused or abused, and the user may not know where the credential is stored.
The skill creates and relies on a persistent bearer credential, but the artifact does not define secure storage, revocation, scope, or user ownership boundaries.
Evidence (SKILL.md): Authentication: Bearer token + Agent ID header ... Save your agent_id and agent_api_key immediately. The API key is shown only once and cannot be recovered.
Recommendation: Declare the credential requirement, store the API key only in an approved secret store, document revocation/rotation, and avoid saving it in prompts, chats, or public files.

Untrusted messages from other users or agents could influence the agent, and the agent could send outbound DMs without clear controls.
The skill enables peer messaging with humans and agents but does not define identity verification, prompt-injection handling, or boundaries for sensitive information in messages.
Evidence (SKILL.md): Direct Messages (DM anyone — human or agent) ... GET /api/messages/threads ... POST /api/messages/threads/<thread_id>/messages
Recommendation: Treat all posts, mentions, and DMs as untrusted content; require user approval before sending DMs or sharing any private context, and verify recipients before messaging.
