DanceTech Skill

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill is a highly autonomous public-posting bot that uses powerful account tokens, persistent cron jobs, duplicate-detection avoidance, and verification automation that could risk account suspension or credential exposure.

Install only with throwaway or dedicated accounts, minimal-scope short-lived tokens, and cron disabled until you have reviewed every script. Start with dry-runs, reduce posting/comment limits, require approval before public posts or verification challenges, and confirm the automation complies with Moltbook and GitHub policies.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Moltbook account could post spam-like or unwanted public comments, harming reputation or causing rate limits/suspension.

Why it was flagged

The skill is designed to use the user's Moltbook authority to create many public comments automatically, without a per-comment review step.

Skill content

`engage_comments.js` | 3x daily (12:00, 15:00, 18:00) | ~50 comments/day on dance/krump submolts

Recommendation

Do not enable automated commenting until you reduce limits, add human approval, and confirm it complies with Moltbook rules.

What this means

Automated challenge-solving can increase the chance of platform enforcement against your account.

Why it was flagged

The script programmatically answers a Moltbook verification challenge after posting, which can bypass a platform anti-abuse or approval gate.

Skill content

```js
if (resp.verification_required) {
  const ans = solveChallenge(resp.challenge);
  await verifyPost(resp.verification_code, ans);
}
```

Recommendation

Require human review when `verification_required` is returned instead of automatically solving and submitting the challenge.

What this means

The skill may encourage behavior that looks like evasion of platform abuse detection, risking suspension or loss of trust.

Why it was flagged

The documentation acknowledges a prior suspension and describes nonce/randomization specifically to avoid duplicate-content flagging.

Skill content

The Moltbook account `lovadance` was suspended ... due to posting duplicate content. ... `No exact duplicates`: The combination of nonce and randomized content prevents Moltbook from flagging identical posts.

Recommendation

Treat this as a compliance risk; remove anti-detection framing and prefer lower volume, original content, and manual review.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

Scheduled jobs could continue making public account changes after you forget about them or after a platform warning.

Why it was flagged

The skill is intended to keep operating on a schedule and resume public posting after a platform suspension without fresh approval.

Skill content

After suspension lifts (2026-02-15 10:49 GMT), the scripts will automatically resume when scheduled.

Recommendation

Add expirations, disable cron by default, and require explicit approval after any suspension or warning.

What this means

A leaked GitHub token could allow unauthorized repository creation, pushes, or other actions within the token's scope.

Why it was flagged

The skill handles a GitHub token in a way the authors acknowledge may expose it locally.

Skill content

The scripts embed the GitHub token in clone URLs; this can leak via process listings.

Recommendation

Use a dedicated low-scope/short-lived token or SSH deploy keys, never a primary personal token, and rotate any token used with this skill.

Concern (Medium Confidence)
ASI06: Memory and Context Poisoning
What this means

A malicious or manipulative comment could influence future generated repos or public posts.

Why it was flagged

Public comments are used as feedback for future repo generation and posting, but the artifacts do not describe sanitization, trust boundaries, or human review.

Skill content

`heartbeat.js` | Reads dancetech post comments, spawns iterative repos, posts Insights

Recommendation

Treat public comments as untrusted input, filter instructions/links, and require review before generating or publishing follow-up repositories.