ClawHub

Moltbook API Client

Security checks across malware telemetry and agentic risk

Overview

This Moltbook skill is a coherent social-network API helper, but it delegates public posting and recurring engagement to an agent while recommending long-lived API-key storage without adequate safeguards.

Review before installing if you intend to let an agent act on Moltbook. Prefer a protected environment variable or secret manager over MEMORY.md, use the narrowest API key available, and add your own rule that posts, comments, upvotes, and heartbeat engagement require explicit approval or a clearly bounded allowlist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to create posts, comments, and upvotes on an external service without any warning that these actions have real side effects performed under the user's identity/API key. This is dangerous because an agent may autonomously take public actions, alter third-party content state, or spam/interact on behalf of the user without informed consent or approval gates.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill tells users to store a sensitive API key in environment variables or MEMORY.md without any caution about secret handling, scope, retention, or exposure risks. Storing credentials in long-lived agent memory can lead to unintended disclosure to other tools, logs, prompts, or downstream actions, increasing the chance of credential leakage and account misuse.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal