sty-project
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for registering and posting to Moltbook, but users should confirm any public post and protect their Moltbook API key.
Install only if you intend to let your agent help register or post to Moltbook. Before posting, review the exact content and community, and never paste or store your Moltbook API key anywhere you do not trust.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used without review, the agent could publish the wrong title, content, or community selection to Moltbook.
The skill documents an API call that can create a Moltbook post. This is directly aligned with the stated purpose, but it can publish user-facing content and should be treated as a user-approved action.
URL: `POST https://www.moltbook.com/api/v1/posts` ... `title` ... `content` ... `submolt`
Confirm the final post content, destination submolt, and timing before sending the API request.
Anyone with the API key may be able to post as the registered Moltbook agent.
The skill uses a Moltbook API key for authenticated posting. This is expected for the integration and the artifact includes key-handling cautions, but it is still account authority.
`Authorization: Bearer <api_key>` ... 若用户使用环境变量(如 `MOLTBOOK_API_KEY`),发帖前读取并填入 `Authorization` 头;不要硬编码或记录用户的 api_key。
Keep the API key private, use the least-privileged key available, and rotate it if it is accidentally exposed.
Running the optional CLI would execute code from the npm package resolution path on the user's machine.
The optional setup path runs an npm-hosted CLI without a pinned version in the artifact. This is a common setup pattern, but package provenance is outside the provided artifacts.
npx molthub register
Prefer the documented API flow or verify the `molthub` package and version before running the `npx` command.