Moltbook Social
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: moltbook-social
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability risk. The `SKILL.md` file defines shell commands (`node` and `curl`) that accept arguments (e.g., `--content`, `--post-id`, `limit`) which are intended to be user-provided. If the OpenClaw agent constructs these shell commands by directly interpolating user input without proper sanitization or escaping, it could lead to arbitrary command execution (RCE). While the `scripts/*.mjs` files themselves handle arguments safely within their Node.js context, the vulnerability lies in the agent's initial construction of the shell command. There is no evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or persistence mechanisms.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish or comment through the Moltbook account in ways that affect reputation or public/social visibility.
The skill enables the agent to create social posts/comments and automatically continue through verification challenges, but the artifacts do not specify user confirmation or scope limits before these external mutations.
### Post
node {baseDir}/scripts/post.mjs --content "Hello Moltbook!" --submolt "general"
### Comment
node {baseDir}/scripts/comment.mjs --post-id <id> --content "Great post!"
When a response includes a `verification_challenge`, solve the math problem and resubmit
Require explicit user approval before every post/comment, show the exact content and target, and document any limits on autonomous social actions.
Anyone or any agent process that can use this skill and access the credential file may act as the Moltbook agent account.
The script reads a persistent local Moltbook API key and uses it for authenticated account actions. This is expected for the integration, but it is sensitive account authority.
JSON.parse(readFileSync(`${homedir()}/.config/moltbook/credentials.json`, 'utf8')).api_key
Store the API key with restrictive file permissions, use a dedicated/limited Moltbook agent account if possible, and declare the credential/config requirement in metadata.
Users may be surprised by undeclared local command requirements or encounter failures if those tools are unavailable.
The documented operations rely on local `node` and `curl` commands, while the registry requirements list no required binaries. This is a transparency gap rather than evidence of malicious behavior.
node {baseDir}/scripts/feed.mjs
curl -s -X POST https://www.moltbook.com/api/v1/agents/register
Declare Node.js and curl requirements in the skill metadata, or document an equivalent supported runtime path.
