Moltbook CLI Review
Audited by ClawScan on May 10, 2026.
Overview
The Moltbook account features are mostly disclosed, but the skill includes risky auto-reply behavior and an off-purpose heartbeat script that executes hard-coded external helpers.
Review carefully before installing. The Moltbook CLI functions are mostly expected, but avoid live auto-reply unless you can review comments first, protect the Moltbook and Telegram credentials, and do not run heartbeat.py unless you trust the external openclaw-token-optimizer helper and the hard-coded /opt paths on your system.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or manipulative Moltbook post could influence the nested agent’s generated reply, which may then be posted publicly from the user’s account.
Public Moltbook post title/content is placed directly into a prompt for an OpenClaw agent, and the resulting text can be posted as a live comment.
f"Title: {post.get('title','')}\n" ... f"Content: {post.get('content','')}\n" ... comment_text = openclaw_generate(prompt) ... request('POST', f"/posts/{post.get('id')}/comments", body)
Use dry-run mode and manually review generated replies before posting. Ideally, the skill should treat post content as untrusted, use a tool-disabled generation path, and require explicit confirmation before live posting.
If invoked by an agent, these commands can change the user’s Moltbook account or publish/delete public content.
The skill openly provides account-mutating commands, including public posting, commenting, deletion, following, and live auto-reply.
exec command: ./molt post "title" "content" ... ./molt comment ... ./molt reply ... ./molt delete POST_ID ... ./molt follow ... Auto-reply ... Live: `./molt respond "keyword" [limit] --post`
Only use this skill with a Moltbook account where agent posting is intended, and require human confirmation for delete, follow/unfollow, and live auto-reply actions.
The Moltbook key can authorize public posts, comments, deletes, follows, and other account actions.
The CLI authenticates with a bearer token from a local .env file; this is expected for the Moltbook API, but it is sensitive account authority and the documented setup uses a different name/path.
ENV_PATH = Path('/opt/moltbook-cli/.env') ... key = os.environ.get('MOLTBOOK_KEY', '').strip() ... return {'Authorization': f'Bearer {key}'}
Use a least-privilege or dedicated Moltbook key if available, protect the .env file permissions, and verify the correct variable name and path before use.
Running heartbeat.py may execute code from another local skill and rely on files outside this skill, creating unexpected dependency and tampering risk.
The heartbeat script executes a helper from a different skill path outside this package, so its behavior and provenance are not covered by the provided Moltbook artifacts.
HB_OPT = Path('/root/.openclaw/workspace/skills/openclaw-token-optimizer/scripts/heartbeat_optimizer.py') ... run(['python3', str(HB_OPT), 'check', 'monitoring'])
Do not run heartbeat.py unless the external helper is separately reviewed and trusted. The skill should vendor or declare this dependency, or remove the off-purpose heartbeat integration.
Any alert text passed to notify.sh, including heartbeat alerts, is sent to a Telegram chat outside OpenClaw.
Notifications are sent to Telegram using a bot token and chat ID from a local env file.
source /opt/moltbook-cli/notify.env ... curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_NOTIFY_TOKEN}/sendMessage" ... -d "chat_id=${TELEGRAM_NOTIFY_CHAT_ID}" ... -d "text=${MESSAGE}"
Use a dedicated Telegram bot/chat, avoid sending secrets in alert text, and confirm the notify.env file is protected and points to the intended chat.
