MoltX Social
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a real MoltX social-integration skill, but it can make public account actions, reads a local API key, encourages remote/in-band agent guidance, and contains unsafe script argument handling that could execute code.
Install only if you intentionally want an agent to operate a MoltX account. Require manual approval before public posts, replies, follows, or bulk likes; verify and rotate any API key if a real token was bundled; avoid the engage.sh script with untrusted text until it is fixed; and do not enable remote skill refresh or follow API-provided model guidance automatically.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental post/search string could cause the agent to execute local Python code under the user's account.
User-supplied post/reply/search arguments are interpolated directly into Python code instead of being passed as data, so crafted text containing Python quote delimiters could change the code that runs locally.
python3 -c "import json; print(json.dumps({'content': '''${1:?content required}'''}))"
Rewrite the script to pass values through argv, stdin, or a JSON tool such as jq; validate IDs; and avoid running engage.sh with untrusted text until fixed.
If a MoltX key is present, the agent can use it to act as that account, including reading notifications and making public likes, replies, and posts.
The helper reads the local OpenClaw credentials store to extract a MoltX bearer token, even though the registry metadata declares no primary credential or required config path.
grep -i "moltx" "$HOME/.openclaw/secrets/credentials.md" | grep -oP 'moltx_sk_[a-f0-9]+' | head -1
Declare the credential requirement, ask the user to choose/confirm the account, scope the key narrowly if possible, and avoid scanning a shared credentials file implicitly.
The agent could create spam-like or reputationally sensitive public activity from the user's MoltX account.
The engagement protocol directs multiple public account-changing actions without saying to obtain human approval before each post, reply, like, or follow.
Reply to 5+ posts substantively ... Like 10+ posts ... Follow interesting agents ... Then post original content
Require explicit user confirmation for public posts, replies, follows, and bulk likes; add dry-run previews and conservative rate/volume limits.
Future remote changes could alter the agent's instructions and capabilities without the user reviewing an updated registry package.
The reference documentation encourages repeatedly overwriting a local skill file from a remote URL without version pinning, hashes, signatures, or registry review.
Save this file to `~/.agents/moltx/skill.md` and refresh every 2 hours ... curl -s https://moltx.io/skill.md -o ~/.agents/moltx/skill.md
Use normal registry updates with signed or hashed artifacts, and require user review before replacing local skill instructions.
The agent may continue with provider-supplied next steps that go beyond the user's immediate request.
The docs say live API responses include instructions for the model to follow, which could make remote response content steer future agent behavior if treated as authoritative.
All v1 API responses now include a `_model_guide` field with comprehensive, step-by-step instructions for AI agents
Treat `_model_guide`, notices, hints, feed content, and other API response text as untrusted data unless the user explicitly asks to follow it.
