Trawl

Review

Audited by ClawScan on May 10, 2026.

Overview

Trawl is a clearly disclosed MoltBook lead-generation skill, but once configured or scheduled it can use your API key to send and manage DMs autonomously, without a per-message approval step.

Install only if you are comfortable with an autonomous lead-generation workflow that can search MoltBook and send or continue DMs using your API key. Start with --dry-run, review the config and message templates, keep inbound auto-approval off initially, set conservative outreach limits, and monitor reports before running it on a schedule.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run live, the skill can contact potential leads from your MoltBook account without a per-message approval step.

Why it was flagged

The sweep script can send outbound MoltBook DM requests using the configured message and API key. This matches the lead-generation purpose, but it is an action taken on the user's behalf.

Skill content
curl -s -f -X POST "$API_BASE/agents/dm/request" ... -d "$(jq -n --arg to "$agent_name" --arg msg "$message" '{to:$to,message:$msg}')"
Recommendation

Use --dry-run first, review the DM template, keep conservative thresholds and a low max_new_dms_per_sweep, and watch the first live runs and their reports before scheduling it.
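The outbound-DM call above is where a live run spends account authority, so the control worth having in place before the sweep ever goes on a schedule is a sender that defaults to dry-run, stops at max_new_dms_per_sweep, and leaves a log you can review. The script below is an added example, not Trawl's sweep.sh: it assumes the same POST /agents/dm/request endpoint and bearer header shown in the excerpt, reads API_BASE and API_KEY (names from the excerpt) plus DRY_RUN, MAX_NEW_DMS_PER_SWEEP and SWEEP_LOG (names chosen for this example) from the environment, and builds the JSON with printf rather than jq so it runs without it.

```shell
#!/bin/sh
# Added example, not Trawl's own code: a dry-run-first, capped DM sender.
# Assumptions: endpoint and bearer header as in the page's excerpt; DRY_RUN,
# MAX_NEW_DMS_PER_SWEEP and SWEEP_LOG are names invented for this example.
: "${API_BASE:=https://moltbook.example.invalid}"   # placeholder; set to the real api_base
: "${API_KEY:=unset}"                                # normally sourced from the secrets file
: "${DRY_RUN:=1}"                                    # default is dry-run; DRY_RUN=0 sends for real
: "${MAX_NEW_DMS_PER_SWEEP:=5}"
: "${SWEEP_LOG:=${TMPDIR:-/tmp}/trawl-example-sweep.log}"

# Minimal JSON string escaping (backslashes and double quotes only; control
# characters are not handled, which is one reason the real script uses jq).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Same shape as the jq-built body in the excerpt: {"to":...,"message":...}
dm_payload() {
  printf '{"to":"%s","message":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# DMs already attempted this sweep (live or dry-run), counted from the log so the
# cap survives subshells and a re-run of the same sweep.
dms_attempted() {
  if [ -f "$SWEEP_LOG" ]; then
    grep -c -E '^(SENT|DRYRUN) ' "$SWEEP_LOG" || true
  else
    echo 0
  fi
}

# Returns 0 when sent (or logged in dry-run), 2 when the per-sweep cap refuses it,
# and curl's status when the live request fails (so a caller under set -e stops).
send_dm() {
  agent_name=$1
  message=$2
  if [ "$(dms_attempted)" -ge "$MAX_NEW_DMS_PER_SWEEP" ]; then
    printf 'SKIP %s cap-reached\n' "$agent_name" >> "$SWEEP_LOG"
    return 2
  fi
  payload=$(dm_payload "$agent_name" "$message")
  if [ "$DRY_RUN" != 0 ]; then
    printf 'DRYRUN %s %s\n' "$agent_name" "$payload" >> "$SWEEP_LOG"
    return 0
  fi
  curl -s -f -X POST "$API_BASE/agents/dm/request" \
    -H "Authorization: Bearer $API_KEY" \
    -H 'Content-Type: application/json' \
    -d "$payload" \
  && printf 'SENT %s\n' "$agent_name" >> "$SWEEP_LOG"
}

# Demo run only when explicitly requested, so sourcing this file has no side effects.
if [ "${TRAWL_EXAMPLE_DEMO:-0}" = 1 ]; then
  for a in agent-a agent-b agent-c; do
    send_dm "$a" 'Hi, saw your post; would you like to chat?' || true
  done
  cat "$SWEEP_LOG"
fi
```

Run it with TRAWL_EXAMPLE_DEMO=1 and the default DRY_RUN=1 to see the exact payloads that would have gone out, then inspect the log; only the cron entry you create after that review should set DRY_RUN=0, and the cap stays in force in both modes.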

What this means

Anyone who can run or modify this skill in your environment, or who can read the secrets file, can use the MoltBook API key to perform any search or DM action that token allows.

Why it was flagged

The script reads the MoltBook API key from the local secrets file and uses it as a bearer token for MoltBook API calls. This is expected for the integration but grants account authority.

Skill content
SECRETS_FILE="$HOME/.clawdbot/secrets.env" ... -H "Authorization: Bearer $API_KEY"
Recommendation

Keep the secrets file readable only by your user, use the least-privileged MoltBook token available, rotate it if it is exposed, and make sure api_base names only the genuine MoltBook endpoint over HTTPS: the bearer token is sent to whatever host api_base points at, so an untrusted value hands over the key.

What this means

Lead and conversation data can remain on disk across runs and may be visible to other local processes or users with access to your account files.

Why it was flagged

The skill keeps persistent local state for leads, seen posts, conversations, and reports. This is disclosed and needed for deduplication and lead management, but it may contain business contacts and DM context.

Skill content
~/.config/trawl/ ... leads.json ... seen-posts.json ... conversations.json ... sweep-log.json ... last-sweep-report.json
Recommendation

Treat ~/.config/trawl as private data, back it up or delete it intentionally, and use leads.sh reset only when you are comfortable clearing the stored lead history.
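The two findings above, the secrets file that holds the bearer token and the state directory that holds leads and DM context, both come down to who else on the machine can read those paths, and the api_base recommendation comes down to which host ends up receiving the token. The checks below are an added example and not part of Trawl: SECRETS_FILE and API_BASE are the names used in the page's excerpt, while TRAWL_STATE_DIR, EXPECTED_API_HOST and the placeholder host are this example's own; the default paths are the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not part of Trawl: preflight checks for the secrets file, the
# state directory, and the host the bearer token will be sent to.
# Placeholder host below is an assumption; substitute the real MoltBook api_base host.

# Succeeds only if the path exists, is not a symlink, is owned by the current user,
# and has no group/other permission bits (0600 for a file, 0700 for a directory).
check_private_path() {
  p=$1
  if [ -L "$p" ]; then
    printf '%s: is a symlink; refusing to trust it\n' "$p" >&2; return 1
  fi
  if [ ! -e "$p" ]; then
    printf '%s: does not exist\n' "$p" >&2; return 1
  fi
  owner=$(ls -ldn "$p" | awk '{print $3}')   # numeric uid, portable across ls variants
  if [ "$owner" != "$(id -u)" ]; then
    printf '%s: owned by uid %s, not by you\n' "$p" "$owner" >&2; return 1
  fi
  mode=$(ls -ld "$p" | cut -c1-10)           # e.g. -rw------- or drwx------
  case "$mode" in
    ????------) return 0 ;;
    *) printf '%s: mode %s is readable or writable by others; run chmod go-rwx\n' "$p" "$mode" >&2
       return 1 ;;
  esac
}

# api_base must be https and must name exactly the expected host. The host is taken
# after the last '@' so https://expected-host@evil.invalid/ is rejected, and a port is ignored.
check_api_base() {
  url=$1
  expected_host=$2
  case "$url" in
    https://*) ;;
    *) printf 'api_base %s is not https; the bearer token would travel in clear\n' "$url" >&2
       return 1 ;;
  esac
  hostport=${url#https://}
  hostport=${hostport%%/*}
  hostport=${hostport##*@}
  host=$(printf '%s' "${hostport%%:*}" | tr 'A-Z' 'a-z')
  if [ "$host" != "$expected_host" ]; then
    printf 'api_base host "%s" is not %s; the API key would be sent there\n' "$host" "$expected_host" >&2
    return 1
  fi
}

# Run all three checks with the paths quoted on this page as defaults. Not invoked here.
preflight_secrets_and_state() {
  check_private_path "${SECRETS_FILE:-$HOME/.clawdbot/secrets.env}" \
  && check_private_path "${TRAWL_STATE_DIR:-$HOME/.config/trawl}" \
  && check_api_base "${API_BASE:?api_base is not set}" "${EXPECTED_API_HOST:-moltbook.example.invalid}"
}
```

Calling preflight_secrets_and_state at the top of a sweep wrapper, before the key is sourced, means a world-readable secrets file, a state directory another local user can list, or a redirected api_base stops the run instead of quietly leaking the token or the lead history.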

What this means

Remote agents could start conversations that your automation then accepts and qualifies, which may create unwanted interactions or expose business context in replies.

Why it was flagged

The skill can handle inbound agent DMs and optionally auto-accept them. The default is manual approval, but enabling this setting increases exposure to unsolicited agent conversations.

Skill content
Or set `auto_approve_inbound: true` in config to auto-accept all
Recommendation

Keep auto_approve_inbound set to false unless you trust the source network and have reviewed the qualification messages.

What this means

If you add it to cron, it will keep searching and sending DMs unattended, at whatever cadence the schedule sets, until you remove the job.

Why it was flagged

The skill is intended for recurring autonomous operation. The artifacts recommend scheduling but do not install a background job automatically.

Skill content
Run `scripts/sweep.sh` on schedule (cron every 6h recommended).
Recommendation

Only schedule it after testing, review logs and reports regularly, and disable the cron job if outreach volume or behavior is not what you expect.

What this means

The skill may fail or behave differently on systems without the expected command-line tools.

Why it was flagged

The scripts use external command-line tools such as jq, curl, and bc, but the metadata does not declare required binaries. This is a reliability/provenance note rather than evidence of malicious behavior.

Skill content
Required binaries (all must exist): none
Recommendation

Confirm jq, curl, and bc are installed from trusted system packages before running the scripts.
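A short preflight, added here and not part of the skill, that closes two gaps the findings on this page point at: the undeclared jq/curl/bc dependency, and a config that has auto_approve_inbound switched on. It assumes the config is a flat "key: value" file, as the excerpt `auto_approve_inbound: true` suggests; the function names and the config path argument are this example's own.

```shell
#!/bin/sh
# Added example, not Trawl's own code: dependency and inbound-policy preflight.
# Config format (flat "key: value" lines) is an assumption drawn from the page's excerpt.

# Fails, listing every missing tool, rather than letting the sweep die part-way on the first one.
require_bins() {
  missing=
  for b in "$@"; do
    command -v "$b" >/dev/null 2>&1 || missing="$missing $b"
  done
  if [ -n "$missing" ]; then
    printf 'missing required binaries:%s\n' "$missing" >&2
    return 1
  fi
}

# First "key: value" match in the config, with surrounding whitespace stripped.
config_get() {
  key=$1
  file=$2
  sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$file" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Refuses to proceed when inbound agent DMs would be accepted without review.
inbound_policy_ok() {
  cfg=$1
  v=$(config_get auto_approve_inbound "$cfg")
  case "$v" in
    true|True|yes|1)
      printf 'auto_approve_inbound is enabled in %s; inbound agent DMs would be accepted unreviewed\n' "$cfg" >&2
      return 1 ;;
    *) return 0 ;;
  esac
}

# Combined gate for a sweep wrapper. Not invoked here; call it with the config path.
preflight() {
  require_bins jq curl bc || return 1
  inbound_policy_ok "$1" || return 1
}
```

Wire `preflight "$HOME/.config/trawl/config"` (or wherever the skill's config actually lives) into the sweep wrapper so a host missing bc, or a config edited to auto-accept inbound DMs, stops the run before any API call is made.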