Moltbook Collection Agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly does what it describes (collecting and enriching MoltBook data and scheduling runs), but there are several incoherences and risky choices — most notably a hard-coded GitHub token in config.py, mismatched environment-variable names in docs vs code, and instructions that install cron entries and run remote install scripts — so proceed with caution.
Key things to consider before installing or running this skill:
- Do not run the README's suggested 'curl | bash' without reviewing the script; prefer cloning the repo and inspecting install.sh locally.
- Inspect config.py and remove any embedded credentials. The repository includes a hard-coded GITHUB_TOKEN. Treat that token as compromised: do not use it, and do not assume it is safe. If you fork or use this skill, replace that value with an environment variable you control, and verify the token's scope (use a fine-grained PAT with minimal permissions).
- Verify which env var the code actually reads (GITHUB_TOKEN) and set that yourself; do not export GH_PUSH_TOKEN unless you update the code or set both. Prefer a token with only the permissions needed (repo:contents for a single repo, or an empty-scope token for testing).
- Expect the scheduler to modify your user crontab. If you do not want autonomous periodic runs, do not run scheduler.install; run the agent manually instead.
- Run the code in an isolated environment (dedicated account or container) and review where data is pushed (GITHUB_REPO defaults to the author's repo). If you want to push to your own repo, set GITHUB_REPO and a PAT scoped to that repo.
- If you are unsure about the embedded token's validity, assume it is compromised: rotate any of your tokens that may have been exposed and do not reuse tokens found in third-party code.

Given the credential embedding and several documentation/code mismatches, treat this package as suspicious until the author removes hard-coded secrets and clarifies the expected env vars and install steps.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
