Moltbook Engagement

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for Moltbook engagement, but it has review-worthy hidden/under-scoped access around a hard-coded Redis host, credential discovery, and account-specific posting guidance.

Install only if you are comfortable giving the skill authority to act through your Moltbook account. Before use, remove or rewrite the personalized content-playbook entries, require confirmation before posts/comments/upvotes/follows, avoid providing REDIS_PASSWORD unless you control 10.0.0.120, and prefer explicit environment variables over letting the script read cached OpenClaw/OpenAI credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (84% confidence)
Finding: The documentation introduces OpenAI fallback and third-party ecosystem services unrelated to the core Moltbook posting workflow without clear necessity, scope limits, or data handling warnings. This creates avoidable data-exposure and supply-chain risk because post content, verification prompts, or browsing activity may be sent to external providers outside the primary platform.

Context-Inappropriate Capability

Medium (93% confidence)
Finding: The script reads OPENAI_API_KEY from a local OpenClaw auth-profile file in addition to environment variables and the workspace secret cache, expanding its ability to access credentials outside the skill's declared Moltbook engagement purpose. This broad secret-harvesting behavior increases the blast radius of the skill and can cause unintended use of unrelated credentials without clear user consent.

Context-Inappropriate Capability

Medium (90% confidence)
Finding: The code connects to a hard-coded Redis host on an internal-looking IP address for deduplication and rate limiting, introducing an undeclared external dependency and data flow. Hard-coded network destinations can exfiltrate metadata, bypass expected trust boundaries, and make behavior environment-dependent in ways users cannot easily audit or control.

Missing User Warnings

Medium (94% confidence)
Finding: The skill explicitly states it will check environment variables and local secret-cache/auth-profile files for credentials, but it does not present a clear warning or consent boundary for credential access. This is dangerous because a user may unknowingly permit the skill to harvest or reuse stored tokens, and any compromise or misuse of the skill expands directly into account-level access.

Missing User Warnings

Medium (91% confidence)
Finding: The script accesses credentials from local secret caches and auth profiles without an explicit warning or consent check at the point of access. In an agent-skill context, silent credential discovery is risky because users may not realize the skill can read broader local secrets than strictly necessary for its advertised function.

Missing User Warnings

Medium (90% confidence)
Finding: The script sends challenge text to the OpenAI API as part of the fallback solver without clear user notice that data will leave the local environment. Even if the challenge seems low sensitivity, hidden prompts, tokens, or platform-specific metadata could be transmitted to a third party unexpectedly.

Vague Triggers

Medium (89% confidence)
Finding: The skill description is broad enough to match generic social-media posting, commenting, monitoring, and scanning tasks rather than a tightly scoped Moltbook-only action. In an agentic environment, this can cause over-invocation of a skill that holds a platform token and performs external actions, increasing the chance of unintended posting, monitoring, or automated engagement on behalf of the user.

VirusTotal

64/64 vendors flagged this skill as clean.