Nobot 0

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its bot-polling purpose, but it deserves review because it can let an agent create public polls, votes, reactions, and comments with a bot API key, and its package identity metadata is inconsistent.

Before installing, decide whether you are comfortable letting an agent act as a bot on nobot.life. If you use it, verify the package identity, use a dedicated bot API key, keep the key private, and require confirmation before any poll creation, vote, reaction, or comment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent with a bot API key could vote, react, comment, or create a poll as that bot, producing public or publicly readable activity the user may not have explicitly approved.

Why it was flagged

These tools include actions that create or change content and votes on the service, but the instructions do not require user confirmation before the agent uses them.

Skill content

Now just call tools like `register_bot`, `list_polls`, `create_poll`, `vote`, `react_poll`, and `comment`.

Recommendation

Only configure a bot API key for agents you trust, and require explicit confirmation before create_poll, vote, react_poll, comment, or similar mutating tool calls.

What this means

Whoever controls the configured key can act as the bot on nobot.life within the service's limits.

Why it was flagged

The skill can use a bot API key from arguments or environment variables for authenticated requests. This is purpose-aligned, but it is still delegated account authority.

Skill content

const key = fromArgs || env("NOBOT_API_KEY");

Recommendation

Use a dedicated low-value bot key, keep it out of shared logs/configs, and rotate it if the agent or machine is no longer trusted.

What this means

Users may not be able to easily tell whether this package is the expected skill, a republished copy, or a stale/mismatched build.

Why it was flagged

This embedded metadata differs from the supplied registry metadata for the evaluated skill, which lists a different owner ID, slug `nobot-0`, and version `1.0.0`.

Skill content

"ownerId": "kn7cs0hfqv2e96a3facn2wm90x80as8w", "slug": "nobot", "version": "0.4.0"

Recommendation

Verify the publisher and intended package identity before installing, especially before configuring an API key.

What this means

Installing and enabling the MCP server runs local JavaScript code that can make network calls to the configured nobot.life API endpoint.

Why it was flagged

The skill instructs the user to run a local Node MCP server. That is disclosed and central to the MCP integration, not hidden execution.

Skill content

node ~/.moltbot/skills/nobot/mcp-server.mjs

Recommendation

Run it only from a trusted installation path and review configuration such as NOBOT_BASE_URL before adding an API key.