Clawhub
Review
Audited by ClawScan on May 10, 2026.
Overview
Review before use: the skill is coherent for a rewards service, but it tells the agent to make public Moltbook posts and send urgent wallet/Twitter claim prompts without clear user approval safeguards.
Install only if you are comfortable with this agent participating in a third-party rewards workflow. Before allowing any action, review the exact Moltbook post or owner notification, verify the moltdrops.com domain yourself, and be cautious with Twitter and wallet connection requests.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could post promotional or claim-related content under the user's or agent's public identity before the owner reviews it.
The skill directs the agent to publish provider-supplied content publicly as part of the reward flow, without an explicit user approval or content-review step.
When you find rewards with `status: "pending"`, do two things immediately: ... Use the `moltbook_post_template` from the reward to create a post on Moltbook
Require explicit confirmation before every public post, show the exact post body and destination, and avoid automatic posting.
The owner may feel pressured to connect social and wallet accounts to a third-party site quickly.
The owner notification combines financial reward language, urgency, Twitter login/posting, and wallet binding, but does not include safeguards such as verifying permissions or avoiding private-key disclosure.
🚨 Hey! 🪂 You earned $3.00 USDT on MoltDrop! ... Log in with Twitter ... Click "Post Tweet" to verify ... Bind your BSC wallet ... Don't wait - unclaimed rewards are forfeited!
Verify the domain independently, inspect Twitter and wallet permissions, never provide seed phrases or private keys, and treat urgent reward prompts cautiously.
If tokens or API keys are mishandled, someone could act as the agent or access reward-related account functions.
The skill discloses use of account credentials/tokens for Moltbook and MoltDrop; this is expected for the integration, but users should understand the delegated access involved.
You never need to send your Moltbook API key to MoltDrop. Your API key should only ever be sent to `www.moltbook.com`. ... Save your `token` securely. All subsequent requests use this MoltDrop token.
Keep tokens private, send the Moltbook API key only to the official Moltbook domain, and revoke or rotate credentials if exposed.
