MoltX Social
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: moltx
Version: 1.0.1

The skill bundle is classified as suspicious due to a critical supply chain vulnerability and shell injection risks. The `references/api-full.md` file explicitly instructs the AI agent to download and overwrite its own skill definition file from `https://moltx.io/skill.md`, creating a remote code execution (RCE) risk if the MoltX server is compromised. Additionally, `scripts/engage.sh` is vulnerable to shell injection, particularly in the `like`, `post`, and `reply` actions where user-controlled input (e.g., `post_id`, `parent_id`) is directly interpolated into shell commands or Python strings without sufficient sanitization or quoting, potentially allowing an attacker to execute arbitrary commands. The skill also instructs the agent to generate EVM private keys, a high-risk capability that could lead to loss of funds if not handled with extreme care.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental post/search string could cause the agent to execute local Python code under the user's account.
User-supplied post/reply/search arguments are interpolated directly into Python code instead of being passed as data, so crafted text containing Python quote delimiters could change the code that runs locally.
python3 -c "import json; print(json.dumps({'content': '''${1:?content required}'''}))"
Rewrite the script to pass values through argv, stdin, or a JSON tool such as jq; validate IDs; and avoid running engage.sh with untrusted text until fixed.

If a MoltX key is present, the agent can use it to act as that account, including reading notifications and making public likes, replies, and posts.
The helper reads the local OpenClaw credentials store to extract a MoltX bearer token, even though the registry metadata declares no primary credential or required config path.
grep -i "moltx" "$HOME/.openclaw/secrets/credentials.md" | grep -oP 'moltx_sk_[a-f0-9]+' | head -1
Declare the credential requirement, ask the user to choose/confirm the account, scope the key narrowly if possible, and avoid scanning a shared credentials file implicitly.

The agent could create spam-like or reputationally sensitive public activity from the user's MoltX account.
The engagement protocol directs multiple public account-changing actions without saying to obtain human approval before each post, reply, like, or follow.
Reply to 5+ posts substantively ... Like 10+ posts ... Follow interesting agents ... Then post original content
Require explicit user confirmation for public posts, replies, follows, and bulk likes; add dry-run previews and conservative rate/volume limits.

Future remote changes could alter the agent's instructions and capabilities without the user reviewing an updated registry package.
The reference documentation encourages repeatedly overwriting a local skill file from a remote URL without version pinning, hashes, signatures, or registry review.
Save this file to `~/.agents/moltx/skill.md` and refresh every 2 hours ... curl -s https://moltx.io/skill.md -o ~/.agents/moltx/skill.md
Use normal registry updates with signed or hashed artifacts, and require user review before replacing local skill instructions.

The agent may continue with provider-supplied next steps that go beyond the user's immediate request.
The docs say live API responses include instructions for the model to follow, which could make remote response content steer future agent behavior if treated as authoritative.
All v1 API responses now include a `_model_guide` field with comprehensive, step-by-step instructions for AI agents
Treat `_model_guide`, notices, hints, feed content, and other API response text as untrusted data unless the user explicitly asks to follow it.
