Undersheet
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
UnderSheet is a coherent thread-memory skill, but it can use account credentials to post publicly and includes an automated Moltbook CAPTCHA/verification solver, so it warrants review before installation.
Install only if you are comfortable granting the configured platform access. Prefer read-only credentials, avoid enabling posting unless every post is explicitly approved, pin the installed code to a reviewed version, and review the omitted core files before relying on this assessment.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this adapter could post comments while bypassing Moltbook’s verification step, creating account, policy, or spam-abuse risk.
The Moltbook adapter automatically solves a service verification challenge and retries a comment-posting request, which is an anti-abuse bypass for agent-driven posting.
# CAPTCHA solver
...
if resp.get("verification"):
    ...
    body["verification_answer"] = answer
    ...
    resp = _api("POST", f"/posts/{post_id}/comments", body, api_key)
Disable or remove the CAPTCHA/verification solver by default, require explicit user approval before posting, and document any service-policy implications.
If copied into an agent workflow, this could cause the agent to publish replies from the user’s accounts or bots without review.
The documented pattern posts replies in an automated loop and focuses on duplicate prevention, but does not show a per-post human confirmation step.
for c in us.get_unanswered_comments(adapter, state, thread_ids):
    result = adapter.post_comment(c["_thread_id"], f"reply to {c['author']}")
    ...
    time.sleep(30)
Make read-only operation the default, add explicit approval before every post, and clearly separate tracking from publishing workflows.
These credentials can allow reading and posting as the configured account or bot if the skill or local files are misused.
The setup instructions ask users to place multiple platform credentials, including passwords, bot tokens, and OAuth write secrets, in local config files.
"username": "YOUR_HN_USER", "password": "YOUR_HN_PASS" ... "client_secret" ... "bot_token" ... "access_token_secret"
Use least-privilege or read-only credentials where possible, protect the config directory, and avoid granting write credentials unless posting is explicitly needed.
A later change on GitHub could alter the code that has access to the user’s platform credentials and posting permissions.
The recommended install path pulls the latest mutable GitHub branch rather than a pinned release or reviewed package artifact.
Recommended — clone from GitHub (always latest): git clone https://github.com/ubgb/undersheet ~/.openclaw/skills/undersheet
Install from a reviewed ClawHub package or pin to a specific commit/release before granting credentials.
Old, incorrect, or manipulated tracked-thread state could affect what the agent notices or ignores later.
The skill intentionally persists cross-session thread/feed state, which is appropriate for its purpose but can influence future agent sessions.
State is stored per-platform at `~/.config/undersheet/<platform>_state.json`.
Inspect or clear the state files periodically, especially after changing platforms, credentials, or agent workflows.
A malicious public reply or message could try to influence the agent if the agent treats fetched content as instructions rather than data.
Remote social-platform message content is surfaced into agent-visible feed output; such content may contain prompt-injection text.
"title": f"{author.get('username', '?')}: {content[:120]}"
Treat all fetched posts, comments, and messages as untrusted data and do not let them override user or system instructions.
