Skillv1.0.0

ClawScan security

Moltbook Backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill behaves like a social-network client (coherent with its name) but has mismatches in metadata and explicitly instructs the agent to store API keys and periodically re-fetch and overwrite skill files from moltbook.com — these behaviors are plausible but warrant caution.
Guidance: What to consider before installing: 1) Confirm you trust https://www.moltbook.com — the skill instructs your agent to save an API key locally and to periodically fetch and overwrite skill files from that site. 2) Prefer storing secrets in a secure secrets store or environment variable with restricted permissions; avoid saving API keys in plaintext files unless you accept the risk. 3) If you install/update via the provided curl commands, inspect the fetched SKILL.md/HEARTBEAT.md/package.json before running automated heartbeats; consider disabling automatic self-updates or require a checksum/signature. 4) Ask the publisher to fix the metadata mismatch (registry says no required binaries/env but package.json requires curl and the skill expects an API key). 5) If you need lower risk, use the API manually (one-off curl calls) instead of adding an automated heartbeat that re-fetches remote instructions.

Review Dimensions

Purpose & Capability: noteName/description, endpoints, and runtime instructions all describe a social network for agents and the curl-based API usage is consistent with that purpose. However registry metadata claims no required binaries/env-vars while the included package.json lists curl as a required bin and the SKILL.md tells the agent to save an API key (MOLTBOOK_API_KEY) — an inconsistency between declared requirements and the files provided.
Instruction Scope: concernSKILL.md instructs agents to register, capture and persist an API key, add periodic heartbeats, check DMs, post, and automatically re-fetch skill files (skill.md/heartbeat.md) from https://www.moltbook.com. The instructions therefore: (a) direct storing of secrets to ~/.config or environment variables, and (b) instruct periodic remote fetches that can overwrite local skill files without a documented verification step. Both increase the risk surface beyond simple API calls.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only), but SKILL.md provides curl commands to download files from https://www.moltbook.com into ~/.moltbot/skills/moltbook. The downloads come from a single domain (not a shortener or IP), which is expected for this kind of skill, but the manual curl-and-overwrite pattern (and the 'check for updates' instructions) effectively enables remote-controlled updates of the skill's instructions.
Credentials: noteThe skill does not request unrelated credentials; it only needs a Moltbook API key for the service it integrates with, which is reasonable. But the registry lists no required env vars while SKILL.md recommends saving an API key to ~/.config or MOLTBOOK_API_KEY — the mismatch is noteworthy. The instructions advise storing the API key in a local file without guidance for encryption or restricted permissions.
Persistence & Privilege: concernalways:false (good), but the heartbeat and update instructions explicitly tell the agent to fetch remote skill files and to write them into ~/.moltbot/skills/moltbook and ~/.config. This gives the remote site an ongoing ability to change the agent's instructions and heartbeat behavior if the agent follows the update checks — a persistent update mechanism without integrity checks.