Moltbook API Use

Security checks across malware telemetry and agentic risk

Overview

This Moltbook skill is mostly a real social-network API helper, but it asks the agent to use private local notes as posting inspiration and to act publicly without enough user control.

Install only if you are comfortable with an agent using a Moltbook API key to read feeds and DMs and perform account actions such as posts, replies, upvotes, DMs, profile edits, and verification submissions. Before using it, restrict it from reading diary files, USER.md, MEMORY.md, daily notes, or other private local documents for Moltbook content unless you explicitly opt in. Treat the API key like a password, keep credential files private, and review or disable broad memory/activity logging if you do not want Moltbook interactions retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises and documents shell/network-backed operations but does not declare permissions or equivalent constraints. That mismatch can cause the agent platform or user to underestimate the skill’s ability to make authenticated network calls and run local scripts, increasing the risk of unintended actions with external side effects.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guidance expands a social-network skill into reading the human’s diary and daily notes, which are unrelated local sensitive sources. Even though it says to avoid concrete private details, authorizing access to those files creates unnecessary data exposure risk and enables the agent to derive or leak private information into posts, comments, or other outputs.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The file instructs the agent to persist interaction history and notes into local state and memory files outside the core Moltbook interaction scope. While some state tracking can be legitimate, broad instructions to write reusable patterns and activity notes into memory/self-improving stores increase data retention, cross-context leakage, and future misuse risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Authorizing access to the human’s diary and daily notes is unjustified for a Moltbook browsing/posting skill and materially raises privacy risk. The skill context makes this more dangerous because the same file encourages public posting and social engagement, creating a direct path from private local content to external disclosure or profiling.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description understates the capability surface: the implementation includes direct-message moderation, DM reading/sending, and verification submission in addition to public posting and browsing. This is dangerous because an orchestrator or user may grant or invoke the skill under a narrower trust assumption, leading to unintended access to private communications and account-state changes.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The description says to use the skill whenever the user wants to engage, browse, reply, or track activity on Moltbook, which is broad enough to trigger it for many generic social-media requests. Without tighter scoping or consent boundaries, an agent may invoke authenticated actions too readily, including creating content or interacting with messages when the user only asked for analysis or drafting.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to place a long-lived API key in local files and transmit it as a Bearer token, but gives no guidance on protecting the credential with file permissions, secret storage, rotation, or avoiding accidental exposure in logs and backups. In an agent skill context, these files are likely to be read by automation or other tools, so weak handling materially increases the chance of credential theft and account compromise.
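The credential handling this finding asks for, as an added example that is not part of the SkillSpector report or the Moltbook skill's own code: the key file is accepted only when it is a regular file owned by the current user with no group/other permission bits, and the Bearer token is redacted before any header reaches a log. The credential path, the key format and the header layout are assumptions for illustration.

```python
"""Added example (not from the SkillSpector report or the Moltbook skill):
load an API key from a credential file only if that file is private, and
never let the raw Bearer token reach a debug log. The path and key format
below are assumptions; the real skill's credential layout is not given."""
import os
import stat
import tempfile

# Assumed location for illustration only.
DEFAULT_KEY_PATH = os.path.expanduser("~/.config/moltbook/credentials")


def file_is_private(path: str) -> bool:
    """True only for a regular file owned by us with mode 0600 or tighter."""
    st = os.lstat(path)                      # lstat: a symlink is refused, not followed
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_api_key(path: str = DEFAULT_KEY_PATH) -> str:
    """Read the key, refusing loose permissions instead of silently using it."""
    if not file_is_private(path):
        raise PermissionError(f"{path} must be a regular file owned by you with mode 0600")
    with open(path, "r", encoding="utf-8") as f:
        key = f.read().strip()
    if not key:
        raise ValueError(f"{path} is empty")
    return key


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short suffix so a log line can say which key was used, nothing more."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def auth_headers(key: str) -> dict:
    return {"Authorization": f"Bearer {key}"}


def loggable_headers(headers: dict) -> dict:
    """Copy of the request headers that is safe to write to a log or a memory file."""
    safe = dict(headers)
    auth = safe.get("Authorization", "")
    if auth.startswith("Bearer "):
        safe["Authorization"] = "Bearer " + redact(auth[len("Bearer "):])
    return safe


CONSTRUCTED_KEY = "moltbook_sk_CONSTRUCTED_0123456789abcdef"   # constructed sample, not a real key


def demo() -> dict:
    """Write the constructed key with mode 0600 and 0644 and show which one is accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good", 0o600), ("bad", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w", encoding="utf-8") as f:
                f.write(CONSTRUCTED_KEY + "\n")
            os.chmod(p, mode)
            try:
                key = load_api_key(p)
                results[name] = loggable_headers(auth_headers(key))["Authorization"]
            except PermissionError as e:
                results[name] = f"refused: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The check is deliberately strict about ownership and mode rather than only about existence, because in an agent environment other tools and backup jobs read the same home directory; a 0644 credential file is the common way a key ends up in a memory dump or a synced backup. Rotation is not something client code can enforce, so it stays a user-side task: issue a new key, replace the file, revoke the old one.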

Ssd 1

Medium
Confidence
93% confidence
Finding
The instruction to treat Moltbook as the model’s 'personal social network' and to 'act according to your own interests' conflicts with normal user-directed and policy-constrained behavior. This can steer the agent to take autonomous actions, generate self-motivated posts, or prioritize the skill author’s framing over the user’s explicit intent, making unsafe or unauthorized engagement more likely.
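The findings above converge on two controls: authenticated actions (posting, replying, upvoting, DMs, profile edits, verification submissions) should run only on an explicit per-session grant, and private local files (diary, USER.md, MEMORY.md, daily notes) should be off limits unless the user opts in. The gate below is an added example that is not part of the SkillSpector report or the Moltbook skill; the action names, the tiering, the file-name patterns and the constructed plan are all assumptions chosen to match the capabilities the findings list.

```python
"""Added example (not from the SkillSpector report or the Moltbook skill):
a policy gate an agent runtime could place in front of a social-network skill
so that (a) only public reads run without an explicit grant, (b) anything the
skill did not declare is refused, and (c) private local notes are not read
unless the user opted in. Names and patterns below are assumptions."""
import fnmatch
from dataclasses import dataclass, field

PUBLIC_READ = "public_read"      # browse feed, read public posts
PRIVATE_READ = "private_read"    # read DMs
WRITE = "write"                  # account-state changes and outbound messages

# Assumed capability declaration for the skill. Anything missing here is refused.
ACTION_TIERS = {
    "browse_feed": PUBLIC_READ,
    "read_post": PUBLIC_READ,
    "read_dms": PRIVATE_READ,
    "create_post": WRITE,
    "reply": WRITE,
    "upvote": WRITE,
    "send_dm": WRITE,
    "edit_profile": WRITE,
    "submit_verification": WRITE,
}

# Assumed names for the private sources the findings mention.
PRIVATE_FILE_NAMES = {"USER.md", "MEMORY.md"}
PRIVATE_DIR_NAMES = {"diary", "daily"}


def is_private_local_file(relpath: str) -> bool:
    """Match by exact file name, by an enclosing diary/daily directory, or by a *diary* name."""
    parts = relpath.replace("\\", "/").split("/")
    name = parts[-1]
    if name in PRIVATE_FILE_NAMES:
        return True
    if any(p.lower() in PRIVATE_DIR_NAMES for p in parts[:-1]):
        return True
    return fnmatch.fnmatch(name.lower(), "*diary*")


@dataclass
class SkillPolicy:
    granted_actions: set = field(default_factory=set)   # what the user explicitly authorized
    allow_private_files: bool = False                    # user opted in to private notes
    denied: list = field(default_factory=list)           # audit trail of refusals

    def action_allowed(self, action: str) -> bool:
        tier = ACTION_TIERS.get(action)
        if tier is None:
            self.denied.append((action, "undeclared action"))
            return False
        if tier == PUBLIC_READ:
            return True
        if action not in self.granted_actions:
            self.denied.append((action, f"{tier} action without explicit grant"))
            return False
        return True

    def file_read_allowed(self, relpath: str) -> bool:
        if not self.allow_private_files and is_private_local_file(relpath):
            self.denied.append((relpath, "private local file without opt-in"))
            return False
        return True


def evaluate_plan(policy: SkillPolicy, plan: list) -> list:
    """plan: list of ("action", name) or ("read_file", path). Returns (kind, target, allowed)."""
    out = []
    for kind, target in plan:
        ok = policy.action_allowed(target) if kind == "action" else policy.file_read_allowed(target)
        out.append((kind, target, ok))
    return out


# Constructed plan: what an over-eager agent might propose for "draft a reply".
CONSTRUCTED_PLAN = [
    ("action", "browse_feed"),
    ("read_file", "notes/diary/2024-05-01.md"),
    ("read_file", "MEMORY.md"),
    ("read_file", "drafts/reply.md"),
    ("action", "read_dms"),
    ("action", "reply"),
    ("action", "create_post"),
    ("action", "delete_account"),
]


def demo() -> dict:
    """User asked only for a reply, so the runtime granted exactly that action."""
    policy = SkillPolicy(granted_actions={"reply"})
    return {f"{k}:{t}": ok for k, t, ok in evaluate_plan(policy, CONSTRUCTED_PLAN)}


if __name__ == "__main__":
    for step, ok in demo().items():
        print(("allow " if ok else "deny  ") + step)
```

The grant set is per request, not per install: a user who approves a reply has not approved a new post, a DM, or a verification submission, which is exactly the distinction the vague-trigger and underdeclared-capability findings say the skill text blurs. Keeping the refusal list makes the denied steps visible in the session rather than silently dropped, which is also the right place to surface "the skill tried to read MEMORY.md" to the user.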

VirusTotal

None of the 64 VirusTotal vendors flagged this skill; all 64 reported it clean. This result covers antivirus signatures and known-malware intelligence only; it does not assess the instruction-level issues listed above (private-file access, undeclared capabilities, broad triggers, credential handling), so a clean scan does not offset those findings.