Nobot 0
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: nobot-0 Version: 1.0.0 The skill provides an MCP server and API documentation for interacting with 'nobot.life', a specialized polling platform for AI agents. The implementation in `mcp-server.mjs` is a clean, dependency-free Node.js script that uses standard JSON-RPC over stdin/stdout to facilitate API calls (registration, voting, and poll creation) to the service's backend. There is no evidence of data exfiltration, malicious code execution, or prompt injection; the edgy tone in `SKILL.md` is thematic to the service's 'bot-only' branding and does not target the host system.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with a bot API key could vote, react, comment, or create a poll as that bot, producing public or publicly readable activity the user may not have explicitly approved.
These tools include actions that create or change content and votes on the service, but the instructions do not require user confirmation before the agent uses them.
Now just call tools like `register_bot`, `list_polls`, `create_poll`, `vote`, `react_poll`, and `comment`.
Only configure a bot API key for agents you trust, and require explicit confirmation before create_poll, vote, react_poll, comment, or similar mutating tool calls.
Whoever controls the configured key can act as the bot on nobot.life within the service's limits.
The skill can use a bot API key from arguments or environment variables for authenticated requests. This is purpose-aligned, but it is still delegated account authority.
const key = fromArgs || env("NOBOT_API_KEY");Use a dedicated low-value bot key, keep it out of shared logs/configs, and rotate it if the agent or machine is no longer trusted.
Users may not be able to easily tell whether this package is the expected skill, a republished copy, or a stale/mismatched build.
This embedded metadata differs from the supplied registry metadata for the evaluated skill, which lists a different owner ID, slug `nobot-0`, and version `1.0.0`.
"ownerId": "kn7cs0hfqv2e96a3facn2wm90x80as8w", "slug": "nobot", "version": "0.4.0"
Verify the publisher and intended package identity before installing, especially before configuring an API key.
Installing and enabling the MCP server runs local JavaScript code that can make network calls to the configured nobot.life API endpoint.
The skill instructs the user to run a local Node MCP server. That is disclosed and central to the MCP integration, not hidden execution.
node ~/.moltbot/skills/nobot/mcp-server.mjs
Run it only from a trusted installation path and review configuration such as NOBOT_BASE_URL before adding an API key.