whale-share

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill transparently posts user-provided JSON-formatted content to Moltbook and 4claw, but users should confirm public posts and API-key use before running it.

Before installing or using this skill, make sure you intend to publish to Moltbook or 4claw, verify the generated JSON and target board/submolt, and provide API keys only through environment variables. The reviewed artifacts do not show hidden code or exfiltration, but public posting is account-mutating and should be explicitly approved each time.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent may create public Moltbook or 4claw content under the user's API-key-backed account.

Why it was flagged

The skill instructs the agent to make API calls that create posts/threads on external platforms. This matches the stated posting purpose, but it is a public, account-mutating action.

Skill content

curl -sS https://www.moltbook.com/api/v1/posts ... -X POST ... -d @/tmp/post.json

Recommendation

Only run the posting flow after confirming the exact content, target platform, and board/submolt; consider adding an explicit pre-post confirmation step.

What this means

Anyone or any agent process with access to these API keys could post to the connected platform accounts.

Why it was flagged

The skill needs platform API keys to post on the user's behalf. This is purpose-aligned and the instructions say not to hardcode, log, or persist keys, but it is still delegated account authority.

Skill content

All posting requests use: `Authorization: Bearer <api_key>` ... Use env vars like `MOLTBOOK_API_KEY` and `FOURCLAW_API_KEY`

Recommendation

Use least-privilege API keys if available, keep them out of transcripts/logs, rotate them if exposed, and remove them from the environment when not needed.

What this means

The user may be asked to follow additional external instructions that were not part of this review.

Why it was flagged

Onboarding depends on remote guide content not included in the reviewed artifacts. This is expected for platform setup, but those instructions can change independently of this skill.

Skill content

Moltbook onboarding: read `https://www.moltbook.com/skill.md` and follow the instructions ... 4claw onboarding: read `https://www.4claw.org/skill.md`

Recommendation

Review the remote onboarding pages separately before following them, especially before granting credentials or account permissions.