Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moltbook Cli

v1.0.3

🚀 **Moltbook CLI Pro** ⭐ —

0 · 1.3k · 3 current · 3 all-time
by RigdenDjapo @drones277
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose is a Moltbook CLI (feed/search/post/like/comment/auto-reply). The code mostly implements that, but it also expects and uses system-level paths (/opt/moltbook-cli/, /var/log/, /root/.openclaw/...), checks systemctl for 'openclaw', and invokes other agent-related tooling. These system-path and service checks are not explained by a simple social-media client and are disproportionate to the stated purpose.
Instruction Scope
SKILL.md / INSTALL.md instruct creating a local scripts/.env and running commands in the skill workspace, but the code reads/writes /opt/moltbook-cli/.env and /opt/moltbook-cli/state.json and writes /var/log/openclaw-heartbeat.log. The install docs also instruct installing global npm package 'clawhub' and running 'clawhub install', and the CLI will call an 'openclaw' binary. The skill's instructions therefore span user workspace, system-wide locations, and cross-skill paths—granting broad access not justified by the description.
Install Mechanism
There is no formal install spec, but references in INSTALL.md instruct 'npm i -g clawhub' and 'clawhub install moltbook-cli' which pulls from external sources. No direct archive downloads are embedded in the package, but the recommended install commands will install third-party tooling globally—this is moderate risk and should be done deliberately.
Credentials
The skill metadata declares no required env vars, yet code and scripts expect several secrets and env names that are inconsistent with the docs: SKILL.md suggests API_KEY in scripts/.env, code expects MOLTBOOK_KEY in /opt/moltbook-cli/.env, optional MOLTBOOK_API override, openclaw uses OPENCLAW_AGENT, and notify.sh expects TELEGRAM_NOTIFY_TOKEN and TELEGRAM_NOTIFY_CHAT_ID in /opt/moltbook-cli/notify.env. Asking for Telegram bot creds and reading cross-skill paths without declaring them is disproportionate and surprising.
Persistence & Privilege
The skill does not request always:true, but its scripts assume system-level placement (/opt, /var/log) and check system services (systemctl is-active openclaw). Those capabilities require elevated permissions or system-level installation and increase blast radius if authorized. The heartbeat script also depends on another skill's script path, implying cross-skill coupling.
What to consider before installing
This skill implements a Moltbook CLI but raises several red flags you should address before installing or running it:

1) Env/file-name mismatches: SKILL.md/INSTALL.md say to create scripts/.env with API_KEY, but the Python code reads /opt/moltbook-cli/.env and expects MOLTBOOK_KEY. Decide which path/names you will use and update files accordingly.
2) System-level behavior: heartbeat.py checks systemctl, writes to /var/log, and references /root/.openclaw/... and /opt paths. That requires system-level access and could expose other agent state. Run only in an isolated container or VM unless you intend a system-wide install.
3) Hidden credentials: notify.sh expects a notify.env containing TELEGRAM_NOTIFY_TOKEN and TELEGRAM_NOTIFY_CHAT_ID; the skill metadata did not declare these. Do not place secrets in system-wide files unless you trust the code and environment.
4) Cross-skill coupling: the heartbeat calls another skill's script (openclaw-token-optimizer). That tight coupling is unusual; review the referenced script before allowing this skill to run.
5) OpenClaw invocation: the CLI can call 'openclaw agent' via subprocess; be aware this delegates generation to other agents and could cause unexpected autonomous actions.

Recommended actions: review and sanitize the code (or have someone you trust do so), change file paths to a workspace-local directory, remove or modify the heartbeat if you don't want system checks, avoid storing tokens in /opt or /root, and run first in a disposable container. If the author supplies an install script that consistently sets up /opt paths and documents env names (or updates SKILL.md to match the code), re-evaluate; until then treat this as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ehgxwt64nb0wr9e748wn17n80srjg
