JOULE DAO

Do not run setup.sh unreviewed. Specific things to consider before installing/using: - The package metadata says it requires no credentials, but the scripts need a Moltbook API key and a wallet (and optionally a private key). Expect to provide those if you use the tool. - setup.sh contains a hardcoded Moltbook bearer token (SETUP_API_KEY) that the script uses to create the community and post a welcome message. Ask the maintainer why a shared/embedded token is used, and verify the token's ownership and scope. Avoid running scripts that will use unknown bearer tokens on your systems or that will publish content under someone else's credentials. - Never paste your private key into a tool you haven't fully audited. The skill asks for JOULE_PRIVATE_KEY as an option for signing — if you need on-chain signing, prefer a hardware wallet or signing workflow that never exposes the raw private key to scripts. - If you still want to try it: inspect the code locally, run setup in a sandbox or disposable account, and remove or replace the hardcoded SETUP_API_KEY before running. If the embedded token was legitimately provided by the project, request that the project rotate the token and provide per-user API keys instead of a shared secret. - If you rely on this skill for production actions, request clearer metadata from the publisher listing the required environment variables and a security explanation of the setup flow. If you cannot verify the SETUP_API_KEY owner, do not use the automated submolt creation/posting steps.