Pluribus
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: pluribus
Version: 0.1.0

The skill is classified as suspicious primarily because the `scripts/init.sh` file attempts to read `~/.config/moltbook/credentials.json`. While it only extracts the `agent_name` field, accessing a file explicitly named 'credentials' is a high-risk capability, even if the immediate intent appears to be benign (agent identification within the P2P network). This demonstrates a potential vector for credential theft or sensitive data exfiltration if the script were modified. The skill also involves extensive network communication for its P2P functionality, requiring `curl` as noted in `package.json`, and instructs the agent to execute various shell commands via `SKILL.md` and `README.md` for setup and operation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could end up running code that was not part of this registry submission and not covered by the static scan.
The submitted manifest does not include the top-level `pluribus` executable that these instructions make executable, add to PATH, and run. The core runtime would therefore come from an unpinned external GitHub clone rather than the reviewed artifact.
```bash
git clone https://github.com/tanchunsiong/pluribus.git "$WORKSPACE/skills/pluribus"
chmod +x "$WORKSPACE/skills/pluribus/pluribus"
export PATH="$WORKSPACE/skills/pluribus:$PATH"
pluribus init
```
Only install from a reviewed, pinned release that includes the actual CLI, or inspect the external repository before adding it to PATH and running it.
The skill may read your local Moltbook profile to identify the node it creates.
The init script reads a local Moltbook credential/profile file to derive the agent name. The reviewed code only extracts `agent_name`, but it still touches a credential-named local config file that is not declared in registry requirements.
```bash
# From scripts/init.sh: derives the agent name from the local Moltbook credentials file
AGENT_NAME=$(cat ~/.config/moltbook/credentials.json 2>/dev/null | jq -r '.agent_name // empty')
```
Check the Moltbook credentials file contents and prefer a version that clearly documents this access and limits it to non-secret identity fields.
Signals, offers, needs, and node details may be sent to other agents or through Moltbook when sync features are used.
The skill is explicitly designed to exchange outbox and signal data with peers over Moltbook DMs. This is purpose-aligned, but users should treat shared signals as data leaving the local workspace.
Pull signals from peers, push your outbox:

```bash
pluribus sync
```

Uses Moltbook DMs as transport (Phase 1).
Do not place secrets or private user data in signals, offers, needs, or outbox files; verify peers before syncing.
Bad or misleading peer signals could persist in local memory and be reused later.
Peer-provided signals can be stored locally and promoted into curated memory. The docs describe manual curation, so this is purpose-aligned, but untrusted peer content could influence future agent decisions if promoted carelessly.
```
signals.md   # Observations from the hive (incoming)
memory.md    # Collective knowledge (curated)
...
pluribus promote <signal>   # Move signal to memory.md
```
Review signal sources before promoting them to memory, and keep clear provenance/trust labels for peer-provided content.
