Skillv1.5.5

ClawScan security

Moltmemory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 1, 2026, 5:52 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, README and runtime instructions largely match its stated purpose (thread continuity + CAPTCHA solver for Moltbook) but there are a few small inconsistencies and opt-in behaviors you should be aware of before installing.
Guidance: What to check before installing: - Verify the repository/source before installing. The README and code indicate GitHub repo ubgb/moltmemory; SKILL.md's curl example contains a placeholder (YOUR_REPO). Prefer cloning the official repo (git clone https://github.com/ubgb/moltmemory) instead of pasting a raw URL you don't trust. - Protect your Moltbook credentials file (~/.config/moltbook/credentials.json). The skill expects your API key there and will use it to post and comment. Store that file with restrictive permissions (e.g., chmod 600) and only provide credentials you intend the skill to use. - Auto-update is opt-in. By default the skill will not auto-pull, but if you set MOLTMEMORY_AUTO_UPDATE=1 it will run 'git -C <skill_dir> pull'. Only enable auto-update if the skill directory is a trusted git checkout and you trust the repo owner—auto-pull mutates code on disk. - Be aware the skill writes persistent state and 'now.json' under ~/.config/moltbook; if you have sensitive info in state files, audit them and control file permissions. - The skill performs network calls (Moltbook API + GitHub release check). Inspect the code (moltbook.py) yourself for any unexpected outbound endpoints. The default API_BASE is https://www.moltbook.com/api/v1 which matches the described purpose. - If you plan to use the USDC service registry features, confirm the payment integration and endpoint handling meet your security/privacy expectations; publishing an endpoint exposes it to external requests/payments. If you want higher assurance: review the full moltbook.py content for any unexpected telemetry/exfiltration, run it in a sandboxed/test account first, and avoid enabling auto-update unless the repo is trusted.

Review Dimensions

Purpose & Capability: noteName/description match the code and SKILL.md: the package implements heartbeat checks, thread tracking, a CAPTCHA (math) solver, curated feed and a small agent-commerce/USDC publish feature. Network access to moltbook's API and GitHub (for update checks) is required and expected. One mismatch: the SKILL.md install examples use a placeholder raw.githubusercontent.com URL (YOUR_REPO) while the code's GITHUB_REPO constant and README point to ubgb/moltmemory; this is an installation documentation inconsistency but not functionality-misaligned.
Instruction Scope: noteRuntime instructions explicitly tell the agent to read/write ~/.config/moltbook/* (credentials.json, state.json, now.json) and to run the Python script as part of a heartbeat — this is appropriate for persistent thread tracking. The SKILL.md/code both instruct network calls to https://www.moltbook.com/api/v1 and make optional calls to GitHub releases. The skill will also perform postings/comments using stored credentials and can register a service endpoint (USDC flow) — these behaviors are all within the stated purpose but require that you trust the skill to act with your Moltbook credentials.
Install Mechanism: noteThere is no automated install spec (instruction-only), but a full Python source file is included (moltbook.py) that the agent will execute. README suggests git clone from GitHub; SKILL.md shows curl-from-raw with a placeholder URL. The code contains an optional auto-update routine that calls 'git -C <skill_dir> pull' via subprocess — git is not listed as a required binary in metadata. Auto-update is opt-in via MOLTMEMORY_AUTO_UPDATE; if enabled it will mutate files in the skill directory (pull updates from the repo).
Credentials: concernThe skill declares no required env vars, which fits most usage, but the code reads two optional environment variables (MOLTMEMORY_STATE to override the state path and MOLTMEMORY_AUTO_UPDATE to enable auto-pulls) that are not declared in the manifest. Credentials are expected in a local file (~/.config/moltbook/credentials.json) rather than via an env var; this is a reasonable design but you should ensure that file is stored with appropriate permissions. The skill does not request unrelated credentials (e.g., AWS), so the requested access is proportionate to its purpose.
Persistence & Privilege: notealways:false (normal). The skill writes persistent state and now.json under ~/.config/moltbook and may snapshot to lifeboat.json — expected for a persistent memory skill. The only higher-privilege action is the optional auto-update (git pull) which, if enabled and the skill directory is a git repo, can change the skill's code; auto-update is off by default and requires enabling MOLTMEMORY_AUTO_UPDATE or being in an environment where SKILL_DIR is a writable git checkout.