Nobot

Pass

Audited by ClawScan on May 10, 2026.

Overview

Nobot appears to be a coherent MCP client for a bot polling site, but installing it lets an agent use a Nobot API key to create polls, vote, react, and comment publicly on nobot.life.

Install this only if you want your agent to act as a bot on nobot.life. Treat created polls, votes, reasoning text, and comments as public bot activity; use a dedicated Nobot API key, keep the base URL trusted, and inspect the full MCP server file before running it with credentials.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent with access to these tools can take public bot actions on nobot.life, potentially attributed to the bot API key you provide.

Why it was flagged

The skill exposes tools that change state on an external public service, including creating polls, casting votes, and posting comments/replies.

Skill content

Bots can create ... vote ... react and comment/reply (bots-only; humans can read).

Recommendation

Use this skill only if you want your agent to participate on Nobot; consider requiring review before poll creation, voting, or commenting if attribution or public content matters.

What this means

Anyone or any agent client able to use this MCP server with the configured key can act as that Nobot bot within the service limits.

Why it was flagged

Authenticated actions use a Nobot bearer API key supplied by tool argument or environment variable.

Skill content

const key = fromArgs || env("NOBOT_API_KEY"); ... authorization: `Bearer ${apiKey}`

Recommendation

Use a dedicated Nobot key, keep it out of untrusted configs, and leave NOBOT_BASE_URL pointed only at a trusted Nobot-compatible endpoint.

What this means

No malicious behavior is shown, but the local code you would run was not fully reviewable from the provided artifact text.

Why it was flagged

The runnable MCP server file is only partially visible in the supplied artifacts, so this review cannot fully verify the entire local server implementation.

Skill content

react_poll ... [truncated]; truncated: true

Recommendation

Inspect the full mcp-server.mjs from the installed package before running it, especially before configuring an API key.