Back to skill

Security audit

Openclaw Social Scheduler

Security checks across malware telemetry and agentic risk

Overview

This social scheduler appears purpose-built for posting and media uploads, but it handles real account credentials and public posting with under-scoped safeguards.

Install only if you are comfortable giving this skill authority to publish to real social accounts. Use test accounts first, avoid passing live secrets on the command line, keep credential and queue files outside version control with restricted permissions, and do not let untrusted prompts choose local file paths or remote media URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document explicitly states that working credentials are stored in `.credentials/moltbook.json`, which reveals secret location and confirms valid tokens exist. In a research/documentation file, that unnecessarily exposes credential-storage details to anyone who can read the note and increases the chance of credential discovery, mishandling, or targeting of that path.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document includes operational examples that pass API keys directly on the command line and references a concrete credential file path. This can lead to accidental secret exposure through shell history, process listings, logs, screenshots, or unsafe reuse by downstream agents/users who copy the examples verbatim.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The build summary promotes the integration as production-ready and provides live posting and scheduling workflows without a clear warning that these actions affect real external accounts and can create irreversible public or scheduled content. In an agent skill context, that increases the chance of unintended posting, reputation damage, spam, or misuse by operators who interpret the examples as safe defaults.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly supports fetching media from arbitrary HTTP(S) URLs and states that the image will be downloaded and re-uploaded, but it provides no warning about privacy, metadata leakage, untrusted remote content, or network access implications. In an agent context, this can cause unintended outbound requests, expose IP/network environment details, and process attacker-controlled content without user awareness.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The quick-start examples instruct users to upload local files to third-party social platforms without clearly warning that file contents and potentially embedded metadata will be transmitted externally. In an automation or agent setting, this increases the risk of accidental disclosure of sensitive images, EXIF/location data, or internal files if users misunderstand the trust boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly shows passing a live API key as a command-line argument, which can leak via shell history, process listings, logs, or telemetry on multi-user or monitored systems. Although this is presented as convenience documentation rather than an active exploit, it normalizes an unsafe secret-handling pattern that can expose credentials and enable unauthorized posting.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The agent example reads a sensitive credential from an environment variable and immediately launches a subprocess that performs an outbound posting action, without any warning about credential usage, consent, or external data transmission. In an agent-skill context, this is more dangerous because it encourages automated exfiltration-capable behavior and may cause operators to grant posting capability without understanding that the skill can act on an external service using stored secrets.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly promotes media loading from local file paths and HTTP(S) URLs with auto-download, but it does not warn users that invoking the feature may transmit data over the network or read arbitrary local files. In an agent setting, this can lead to unintended exfiltration of sensitive local content or server-side request behavior if untrusted inputs are passed into the media loader.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The project description explicitly plans multi-platform posting, scheduling, media uploads, and browser automation to third-party services, but it provides no user-facing warning, consent boundary, or safety constraints around external side effects. In an agent skill context, this increases the risk of unintended posting, leakage of stored content, and automated actions against external accounts, especially once browser automation is introduced for platforms without official APIs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to store highly sensitive secrets such as webhook URLs, API keys, OAuth client secrets, access tokens, and account passwords in local JSON files, but it provides no warning about protecting those files, excluding them from version control, or using safer secret-management mechanisms. In an AI-agent context, this is more dangerous because agents may automatically create, read, copy, or expose config files in logs, workspaces, or repositories, increasing the chance of credential leakage and downstream account compromise.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill is designed to transmit user-provided content and authentication material to third-party social platforms, but the documentation does not clearly warn users about credential handling, external data disclosure, or the risks of passing secrets on the command line. In agent environments, this omission increases the chance that webhook URLs, API keys, tokens, or sensitive post content are exposed in logs, process listings, or unintended external posts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module will fetch arbitrary HTTP(S) URLs supplied as media sources and then process/upload the downloaded content without any consent gate, source restrictions, or safety checks on remote destinations. In an agent context, this creates an SSRF-style primitive and can cause unintended outbound network access to attacker-controlled or internal endpoints, as well as silent transmission of retrieved content to third-party platforms.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function performs a real outbound network action that publishes content to a third-party Mastodon instance, but the code itself provides no user-consent gate, dry-run mode, or explicit disclosure at the point of execution. In an agent-skill context, silent posting is more dangerous because higher-level automation may invoke this skill without the user fully realizing it will externally publish data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-provided content to an external social platform without any built-in user-facing disclosure, confirmation, or consent mechanism. In an agent-skill context, this can cause unintended publication of sensitive, private, or hallucinated content to a third-party service, making the behavior materially risky even if the code is functionally correct.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code transmits an API key in authenticated requests to an external service but provides no user-facing notice that credentials are being sent off-box to Moltbook. In agent ecosystems, lack of transparency around credential use increases the chance that operators unknowingly authorize external access or misuse a production secret in an untrusted workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The post function performs a real external side effect by sending tweets through the Twitter API, but this module contains no built-in confirmation, dry-run mode, or explicit user acknowledgment mechanism. In an agent-skill context, that increases the risk of unintended or unauthorized posting if upstream components invoke this function automatically from model output or untrusted instructions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The queue persists the entire post object, including `post.config`, directly to `storage/queue.json`. Because the comments indicate this config may contain webhooks, tokens, or other secrets, the code stores sensitive credentials in plaintext on disk without minimization, encryption, or access controls, increasing the risk of credential disclosure through local file access, backups, logs, or accidental commits.

External Transmission

Medium
Category
Data Exfiltration
Content
const auth = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
  const userAgent = config.userAgent || 'OpenClawBot/1.0';
  
  const response = await fetch('https://www.reddit.com/api/v1/access_token', {
    method: 'POST',
    headers: {
      'Authorization': `Basic ${auth}`,
Confidence
87% confidence
Finding
fetch('https://www.reddit.com/api/v1/access_token', { method: 'POST'

Credential Access

High
Category
Privilege Escalation
Content
}

/**
 * Get OAuth2 access token
 * @param {object} config - OAuth credentials
 * @returns {Promise<string>} - Access token
 */
Confidence
84% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
/**
 * Get OAuth2 access token
 * @param {object} config - OAuth credentials
 * @returns {Promise<string>} - Access token
 */
async function getAccessToken(config) {
  // Return cached token if still valid
Confidence
84% confidence
Finding
Access token

Known Vulnerable Dependency: form-data==4.0.5 — 1 advisory(ies): CVE-2026-12143 (form-data: CRLF injection in form-data via unescaped multipart field names and f)

High
Category
Supply Chain
Confidence
93% confidence
Finding
form-data==4.0.5

Known Vulnerable Dependency: node-fetch==2.6.1 — 1 advisory(ies): CVE-2022-0235 (node-fetch forwards secure headers to untrusted sites)

High
Category
Supply Chain
Confidence
96% confidence
Finding
node-fetch==2.6.1

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/platforms/mastodon.js:94

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/platforms/twitter.js:103

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/test.js:49

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/upload-media.js:86