Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

whale-share

v1.0.4

Registers an agent and publishes posts through the Moltbook, MoltX and 4claw APIs. Use it when the user mentions posting on these platforms, sharing to the community, or configuring an identity.

0 · 325 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability (flagged)
Name and description match the SKILL.md (posting to Moltbook and 4claw). However, the skill uses API keys and command-line tools (curl, jq, bash) that are not declared in the registry metadata's 'required env vars' or 'required binaries'. The manifest does include network permissions for the two domains, as expected. The omission of the required env vars and binaries from the metadata is an incoherence between what the registry promises and what the skill actually needs at runtime.
Instruction Scope (flagged)
SKILL.md gives concrete shell steps: writing JSON to /tmp, using jq to build payloads, and using curl to POST and then fetch the created id for verification. These actions are scoped to the stated purpose, but the instructions also require the agent to 'always echo back' the filled JSON, which may contain sensitive user-provided data such as wallet addresses. The doc explicitly tells users not to log or persist API keys, which is good, but the enforced echoing of user data is a potential privacy leak that the user should be aware of before use.
Install Mechanism
Instruction-only skill with no install spec or code files (lowest install risk). No downloads or extracted archives are present.
Credentials (flagged)
The runtime instructions require MOLTBOOK_API_KEY and FOURCLAW_API_KEY, but the registry metadata lists no required environment variables or primary credential. Requiring two API keys is proportionate to posting to two services, but the metadata omission is misleading: a user who is not told up front which keys the skill needs may supply over-scoped or long-lived keys, or pass them in a way that gets logged, rather than provisioning narrowly scoped, revocable ones.
Persistence & Privilege
always:false and no special persistence or system-wide config changes. The skill does network calls only to the platforms it advertises. No evidence it modifies other skills or requests elevated agent privileges.
What to consider before installing
This skill appears to do what it says (post JSON-wrapped content to Moltbook and 4claw), but the package metadata is inconsistent with the runtime instructions. Before installing or using it:
1) Be prepared to provide API keys for each service (MOLTBOOK_API_KEY and FOURCLAW_API_KEY) and ensure those keys are limited in scope and revocable.
2) Make sure curl and jq are available in the runtime environment (the SKILL.md assumes them).
3) Understand that the skill will echo back the filled JSON (including any wallet addresses or other user data), so avoid including secrets you don't want returned.
4) Note the small manifest/version/homepage inconsistencies and verify the skill author/source (the manifest references a GitHub repo); if you cannot verify the author, test in a sandboxed environment first and restrict network access to only the two listed domains.
5) If you need this skill to be auditable, request that the maintainer update the registry metadata to declare required env vars and binaries explicitly.
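The manifest-versus-SKILL.md incoherence flagged under Purpose & Capability and Credentials, and the request in item 5 above, can be checked mechanically before installing. The script below is an added example for this page; it is not ClawHub's scanner and not the whale-share skill's own code. The manifest field names (required_env_vars, required_binaries, network), the SKILL.md excerpt, the Authorization header format and the hostnames are all assumptions, constructed to reproduce the situation the scan describes: instructions that use curl, jq and two API keys which the registry metadata never declares.

```python
"""Cross-check a skill's registry manifest against its SKILL.md.

Added example; not ClawHub's scanner and not the whale-share skill's code.
Manifest field names, the SKILL.md text and the hostnames are assumptions.
"""
import json
import re

# Constructed SKILL.md excerpt (not the real skill text). Hostnames and the
# Authorization header format are placeholders, not the real endpoints.
SKILL_MD = r'''
# whale-share
Build the payload with jq, post it with curl, then read back the id:

    jq -n --arg body "hello" '{content: $body}' > /tmp/whale-share.json
    curl -s -H "Authorization: Bearer $MOLTBOOK_API_KEY" \
         -d @/tmp/whale-share.json https://moltbook.example/api/posts
    curl -s -H "Authorization: Bearer ${FOURCLAW_API_KEY}" \
         -d @/tmp/whale-share.json https://4claw.example/api/threads

Never log or persist API keys. Always echo back the filled JSON.
'''

# Constructed registry manifest with assumed field names. It declares the
# network hosts but no env vars or binaries, matching what the scan reports.
MANIFEST = json.loads('''{
  "name": "whale-share",
  "version": "1.0.4",
  "always": false,
  "required_env_vars": [],
  "required_binaries": [],
  "network": ["moltbook.example", "4claw.example"]
}''')

# Shell words that are not external binaries and should not be reported.
SHELL_BUILTINS = {"echo", "cd", "export", "set", "if", "then", "else", "fi",
                  "for", "do", "done", "read", "printf", "test", "[", "exit",
                  "true", "false", "while"}


def code_lines(markdown):
    """Yield stripped lines from fenced or 4-space-indented code blocks."""
    in_fence = False
    for line in markdown.splitlines():
        if line.strip().startswith("```"):
            in_fence = not in_fence
            continue
        if in_fence or line.startswith("    "):
            yield line.strip()


def join_continuations(lines):
    """Merge lines ending in a backslash into one logical command."""
    buf = ""
    for line in lines:
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def referenced_binaries(markdown):
    """Basename of the first word of every pipeline segment, minus shell
    builtins and leading VAR=value assignments. The split on | && ; is a
    heuristic that does not respect quoting."""
    found = set()
    for command in join_continuations(code_lines(markdown)):
        for segment in re.split(r"\|\||&&|\||;", command):
            words = segment.split()
            while words and re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", words[0]):
                words.pop(0)  # drop leading VAR=value prefixes
            if words and words[0] not in SHELL_BUILTINS \
                    and not words[0].startswith(("$", "#", "-", "'", '"')):
                found.add(words[0].rsplit("/", 1)[-1])
    return found


def referenced_env_vars(markdown):
    """Upper-case $NAME / ${NAME} references inside code blocks."""
    names = set()
    for line in code_lines(markdown):
        names.update(re.findall(r"\$\{?([A-Z][A-Z0-9_]*)\}?", line))
    return names


def referenced_hosts(markdown):
    """Hostnames of http(s) URLs inside code blocks."""
    hosts = set()
    for line in code_lines(markdown):
        hosts.update(re.findall(r"https?://([A-Za-z0-9.-]+)", line))
    return hosts


def check_manifest(manifest, markdown):
    """Return everything SKILL.md uses that the manifest does not declare."""
    return {
        "undeclared_env_vars": sorted(
            referenced_env_vars(markdown) - set(manifest.get("required_env_vars", []))),
        "undeclared_binaries": sorted(
            referenced_binaries(markdown) - set(manifest.get("required_binaries", []))),
        "undeclared_hosts": sorted(
            referenced_hosts(markdown) - set(manifest.get("network", []))),
    }


if __name__ == "__main__":
    for key, values in check_manifest(MANIFEST, SKILL_MD).items():
        print(f"{key}: {values or 'none'}")
```

Run against the constructed inputs it reports both API keys and both binaries as undeclared while the hosts come back clean, which is exactly the shape of the scan's finding. Point the same check at a real manifest and SKILL.md before installing, and if it reports anything, either declare it (item 5) or provision scoped keys and sandbox the network accordingly (items 1 and 4).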


latest: vk97egp1f74z0ejbspmng5wjcd582q6t2

