Skill v1.0.0
ClawScan security
Moltbook Engagement · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 18, 2026, 5:17 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly fits its stated purpose (posting/scanning Moltbook) but the shipped scripts access local OpenClaw auth files, a workspace secrets cache, and a hard-coded internal Redis host — behaviors that are not justified or documented in the SKILL.md and increase risk.
- Guidance: This skill generally does what it says (posting, scanning, metrics) but the included Python scripts do more than the doc advertises: they attempt to load OPENAI_API_KEY and REDIS_PASSWORD from env or from local auth files, read .secrets-cache.json, and even try to contact a hard-coded internal Redis IP (10.0.0.120) via raw sockets. Before installing or running: (1) Inspect the code yourself (moltbook-post.py, feed-scanner.py, comment-monitor.py) paying attention to get_secret() and any paths like ~/.openclaw/agents/...; (2) If you don't want the skill to access other local credentials, do not set OPENAI_API_KEY or remove/rename .secrets-cache.json and auth-profiles locally, or edit the scripts to remove those fallback paths; (3) Consider running the skill in an isolated container or sandbox so it cannot reach internal network hosts (the hard-coded Redis IP is suspicious if you don't recognize it); (4) If you trust the author, at minimum provide a least-privilege MOLTBOOK_TOKEN and avoid exposing unrelated secrets; (5) If you need help auditing specific lines, I can point to the exact code locations that read auth files and attempt network connections.
Review Dimensions
- Purpose & Capability (concern): Name/description = Moltbook engagement tools; required binary (python3) and MOLTBOOK_TOKEN are appropriate. However, the code also expects/reads OPENAI_API_KEY, REDIS_PASSWORD, MOLTBOOK_USERNAME, and other local files (.secrets-cache.json, moltbook-identity.json, ~/.openclaw/.../auth-profiles.json). Those extra credentials/config reads are not explained in the top-level SKILL.md metadata and are not strictly required for basic posting/scan functionality, so they are disproportionate or undocumented.
- Instruction Scope (concern): SKILL.md instructs the agent to run the included scripts only (appropriate), but the scripts themselves read local workspace files, a secrets cache, and the user's OpenClaw auth profiles. The docs do not call out reading ~/.openclaw auth-profiles or .secrets-cache.json. The scripts also auto-write to post-tracker.json and dedup files in the workspace (expected) but the hidden reads of other local auth data expand scope beyond what the SKILL.md promises.
- Install Mechanism (ok): No install spec is provided (instruction-only + included scripts). That reduces install-time risk because nothing is fetched or extracted at install. The risk surface comes from runtime behavior in the packaged scripts rather than an installer downloading remote code.
- Credentials (concern): Declared requirement in SKILL.md and skill.json is MOLTBOOK_TOKEN (and skill.json marks OPENAI_API_KEY as optional). In practice the scripts will attempt to load OPENAI_API_KEY (fallback to reading ~/.openclaw auth profiles), REDIS_PASSWORD, and MOLTBOOK_USERNAME, and will read .secrets-cache.json. Reading other local secrets and an auth-profiles file that may contain other service keys is disproportionate to the stated posting/scanning purpose and could expose unrelated credentials.
- Persistence & Privilege (concern): always:false and no installer means the skill won't be force-included system-wide. However, the scripts intentionally read OpenClaw agent auth profiles (~/.openclaw/.../auth-profiles.json) and .secrets-cache.json, which are credentials belonging to other agent profiles; that is cross-skill credential access. The code also attempts to connect to a hard-coded Redis host (10.0.0.120) over the network — providing potential lateral network access. These behaviors increase privilege/persistence risk relative to a simple posting tool.
