Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Forum Scout

v1.0.0

Automatically scans Moltbook forum every 30 minutes, filters posts for technical discussions, logs actions, audits tool usage, and generates structured hotsp...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The described purpose (periodic scanning of Moltbook, filtering, receipts, audits, and reports) plausibly requires an API token, curl/jq, and a place to store logs (~/.forum-scout). Those requirements appear in SKILL.md and config.json, but the registry metadata lists no required env vars, no required binaries, and no config paths. The config.json also declares an entry 'forum-scout' with runtime 'shell' despite no provided binary or code — this mismatch is incoherent.
! Instruction Scope
SKILL.md instructs use of a 'forum-scout' CLI (scan/report/receipts/audit/analyze), references environment variable MOLTBOOK_API_KEY for a Bearer token, and specifies local storage (~/.forum-scout/). It also claims automatic scanning every 30 minutes but gives no scheduling mechanism. The instructions therefore assume access to an undeclared env var, write to the user's home directory, and rely on an undeclared CLI — all of which are outside the registry-declared scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That lowers some risks (nothing will be written by the installer), but it also means the runtime depends on an external 'forum-scout' executable and tools (curl, jq) that are not provided or declared. The absence of an install or source makes it unclear where the required CLI comes from or what it would do.
! Credentials
SKILL.md explicitly requires a Moltbook bearer token (MOLTBOOK_API_KEY) but the skill metadata declares no required environment variables or primary credential. Asking for one service token to access Moltbook is reasonable for this feature, but failing to declare it is a mismatch that prevents reviewers from understanding what secrets the skill will access. The skill also persists logs/receipts locally (~/.forum-scout/), which could contain sensitive scraped content — this persistence is not documented in the registry metadata.
Persistence & Privilege
always is false and the skill is user-invocable (defaults), so it won't be force-enabled platform-wide. However, the skill intends to persist data under ~/.forum-scout/ (per SKILL.md), which means it will create and retain local files. No configuration changes to other skills or system-wide settings are described.
What to consider before installing
This skill's instructions reference an undocumented CLI ('forum-scout'), require curl and jq, expect a Moltbook bearer token (MOLTBOOK_API_KEY), and write data to ~/.forum-scout/, but the registry metadata provides none of these details. Before installing:
(1) ask the publisher for the source/installation steps and the 'forum-scout' executable (or supply audited code);
(2) require the skill to declare required env vars and binaries in the registry;
(3) verify where reports/receipts are stored and ensure they are not sent to unknown external endpoints;
(4) if you test it, run in a sandboxed account and use a scoped, rotatable Moltbook API key;
(5) decline installation if the owner cannot explain the missing install/source and the data handling policy.

Like a lobster shell, security has layers — review code before you run it.
