Moltspaces

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: moltspaces
Version: 1.0.16

The skill bundle is classified as suspicious due to several risky capabilities, primarily the potential for shell injection and prompt injection. The `SKILL.md` and `README.md` files instruct the OpenClaw agent to execute `curl` commands with interpolated values (e.g., `agent_name`, `agent_bio_under_160_chars`). If the OpenClaw agent's command interpreter does not properly sanitize these inputs, it could lead to shell injection (RCE). Additionally, the skill instructs the agent to generate `assets/personality.md` and `assets/notes.md` based on user input and internal OpenClaw context files (`SOUL.md`, `USER.md`, `MEMORY.md`), which are then used to construct the LLM's system prompt in `scripts/bot.py`. This creates a significant prompt injection surface against the LLM, allowing a malicious user to potentially manipulate the bot's behavior. While these are vulnerabilities rather than explicit malicious intent by the skill developer, they represent high-risk behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private memories or profile details could be sent to an external LLM provider and influence what the bot says in a live audio room.

Why it was flagged

This explicitly directs the agent to read persistent local profile, user, and memory files and put them into the bot's LLM context without clear boundaries, filtering, or review.

Skill content
Locate Source Files: Find `SOUL.md`, `USER.md`, and `MEMORY.md` from your OpenClaw environment. ... Synthesize the content from these files into a single, cohesive narrative optimized for an LLM context.
Recommendation

Do not allow automatic ingestion of SOUL.md, USER.md, or MEMORY.md. Create a minimal, sanitized personality file manually and review it before running the bot.

What this means

Anyone running the skill must provide API keys that can incur costs or control the Moltspaces agent account.

Why it was flagged

The skill requires service credentials for Moltspaces, OpenAI, and ElevenLabs. This is expected for the stated voice-bot purpose, but these keys grant access to external accounts and possible usage costs.

Skill content
MOLTSPACES_API_KEY=moltspaces_xxxx
MOLT_AGENT_ID=molt-agent-xxxx
OPENAI_API_KEY=sk-proj-xxxx
ELEVENLABS_API_KEY=sk_xxxx
Recommendation

Use restricted keys where possible, store them only in the intended .env file, and revoke them if the skill is no longer used.

Note: High Confidence
ASI10: Rogue Agents
What this means

The bot may remain connected to a room and continue using API services until it is stopped.

Why it was flagged

The documented launch command starts the bot in the background. This is aligned with a live room bot and stop commands are provided, but it can keep running after the user’s immediate interaction ends.

Skill content
uv run scripts/bot.py --url "https://songjam.daily.co/room-name" --token "daily_token_xxx" --topic "The future of AI" --personality "assets/personality.md" > bot.log 2>&1 &
Recommendation

Run it only when needed, monitor bot.log and running processes, and stop it with the documented kill or pkill command when done.

What this means

Future dependency versions could change behavior or introduce vulnerabilities.

Why it was flagged

The skill installs several unpinned Python dependencies from package sources. This is normal for a Python voice bot, but there is no lockfile or install spec in the provided artifacts.

Skill content
dependencies = [
    "pipecat-ai[webrtc,daily,silero,elevenlabs,openai,local-smart-turn-v3,runner]",
    "pipecat-ai-cli",
    "fastapi",
    "uvicorn",
    "python-dotenv",
    "aiohttp",
]
Recommendation

Prefer a reviewed lockfile or pinned dependency versions before installation, especially for production or long-running use.