ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trawl

v1.0.2

Autonomous lead generation through agent social networks. Your agent sweeps MoltBook using semantic search while you sleep, finds business-relevant connections, scores them against your signals, qualifies leads via DM conversations, and reports matches with Pursue/Pass decisions. Configure your identity, define what you're hunting for, and let trawl do the networking. Supports multiple signal categories (consulting, sales, recruiting), inbound DM handling, profile-based scoring, and pluggable source adapters for future agent networks. Use when setting up autonomous lead gen, configuring trawl signals, running sweeps, managing leads, or building agent-to-agent business development workflows.

2· 1.9k·2 current·2 all-time
by@audsmith28
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to operate on MoltBook and only requests MOLTBOOK_API_KEY — that matches expectations. One minor inconsistency: the metadata lists no required binaries, but the shipped scripts clearly expect command-line tools (curl, jq, bc, column, date utilities). Declaring those would be appropriate.
Instruction Scope
SKILL.md and the scripts stick to the described lead-gen workflow: reading config (~/.config/trawl), reading the secrets file (~/.clawdbot/secrets.env) for MOLTBOOK_API_KEY, calling MoltBook endpoints, sending DM requests, and writing local state files (leads.json, seen-posts.json, conversations.json, sweep logs). There are no hidden external endpoints or attempts to read unrelated system credentials in the instructions.
Install Mechanism
There is no install spec (instruction-only with bundled scripts). That is low-risk from an installer perspective. Note: running setup.sh/sweep.sh will create files under ~/.config/trawl and read ~/.clawdbot/secrets.env — expected behavior for this tool but it will write to your home directory.
Credentials
Only MOLTBOOK_API_KEY is required and is justified by the MoltBook API usage. The scripts only read the declared secret (from the secrets.env path the README asks you to use) and local config files; they do not request unrelated cloud or platform credentials.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It persists its own local state under ~/.config/trawl, which is appropriate for its stated function.
Assessment
This skill appears to do what it says: it searches MoltBook, scores profiles, opens/approves DMs, and stores leads locally. Before installing, consider: 1) Ensure you trust the MoltBook API and supply only the MOLTBOOK_API_KEY (keep it in ~/.clawdbot/secrets.env as instructed). 2) Confirm you have the required CLI tools (curl, jq, bc, column and standard date utilities) or the scripts will fail — the metadata does not declare these dependencies. 3) Review config.json especially auto_approve_inbound (defaults to false) to avoid auto-accepting inbound DMs unintentionally. 4) The skill writes state to ~/.config/trawl and reads ~/.clawdbot/secrets.env — verify those paths and the files before running. 5) The source is listed as unknown and there's no homepage; if provenance matters, prefer packages with a known author or repository. If you want higher confidence, ask the publisher for a canonical repo or signed release and/or run the scripts in a disposable environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk979q7vv0y34zcsqp2v8z1109180z8s1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
EnvMOLTBOOK_API_KEY

Comments