Moltbook Trust Engine

Security checks across malware telemetry and agentic risk

Overview

Review recommended: the skill is mostly purpose-aligned, but its “proof of interaction” signal only checks that extra calldata looks like a hash, so fake “verified” reputation could be trusted.

Before installing, understand that the “proof” metric is not a true verification of prior interaction. Use a dedicated low-balance wallet if you enable rating, verify the contract/repository, and review the local trust_memory.json file, because it controls which peers are trusted or blocked.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

A reviewer could attach any transaction-hash-shaped value and be counted as having proof, making reputation results look more trustworthy than they really are.

Why it was flagged

The implementation counts a review as having proof based only on an appended 66-character hex value. It does not verify that the referenced transaction exists, involved the reviewer, or related to the rated agent, despite presenting the metric as Proof of Interaction.

Skill content
// --- ANALYSIS: Proof of Interaction --- ... if (extraData.length === 66) { verifiedCount++; }
Recommendation

Do not rely on the proof metric for high-stakes trust decisions unless the skill validates the referenced transaction on-chain and ties it to the reviewer and rated agent.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If configured with a wallet, the skill can spend ETH and publish a public, effectively irreversible rating from that wallet.

Why it was flagged

rate_agent can submit an on-chain transaction and pay a fee when invoked. This matches the stated rating purpose and is bounded to a hardcoded registry address and fixed fee, but it is still a high-impact action.

Skill content
const tx = await wallet.sendTransaction({ to: REGISTRY_ADDRESS, data: data, value: fee });
Recommendation

Invoke rate_agent only when you explicitly intend to publish a rating, and consider requiring manual confirmation before any transaction is sent.

ASI03: Identity and Privilege Abuse
Medium
What this means

A configured private key gives the skill authority to act as that wallet for its transaction flow.

Why it was flagged

The skill uses a wallet private key from the environment to sign blockchain transactions. This is expected for the rating feature, and the code does not show credential logging or unrelated transmission, but the key is highly sensitive.

Skill content
const pk = process.env.WALLET_PRIVATE_KEY; ... return new ethers.Wallet(pk, provider);
Recommendation

Use a dedicated low-balance wallet key, verify the registry contract address, and avoid setting WALLET_PRIVATE_KEY unless you need the write/rating feature.

ASI06: Memory and Context Poisoning
Low
What this means

Incorrect or tampered local trust data could cause audits to include or exclude the wrong reviewers.

Why it was flagged

The skill stores persistent local trust state that audit_agent later uses to filter reputation results. This is disclosed and scoped to the skill directory, but changes to that file can affect future trust decisions.

Skill content
The Trust Engine maintains a small local JSON file (`trust_memory.json`) ... `trusted_peers` ... `blocked_peers` ... `my_reviews`
Recommendation

Review and protect trust_memory.json, back it up if needed, and do not treat its contents as a tamper-proof trust source.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The installed dependency version may vary unless pinned by the installer environment.

Why it was flagged

The skill depends on the external ethers package with a semver range. This is normal for an Ethereum/Base integration, but installation may resolve to a newer compatible version.

Skill content
"dependencies": { "ethers": "^6.10.0" }
Recommendation

Install from a trusted source, consider using a lockfile or audited dependency version, and review dependency changes before use.