Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moltbook Fanboy

Automatically browse Moltbook to get trending posts, generate comments and likes, and create daily summary reports. Use when user asks about Moltbook trends,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 549 · 2 current installs · 2 all-time installs
by Yonghao Zhao @yonghaozhao722
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md claims the skill will 'automatically ... generate comments and likes' on Moltbook and 'send directly to Telegram' and sync bidirectionally via GitHub. The code, however, only fetches posts (public API) and locally records simulated like/comment actions in data/actions.json and writes reports to an Obsidian path. There are no POST calls to Moltbook to actually perform likes/comments, and there is no Telegram integration implemented. Also the skill performs a git push to /root/clawd/obsidian-vault without declaring any GitHub credentials — these capabilities/requirements are inconsistent with the stated "no configuration needed" claim.
! Instruction Scope
SKILL.md instructs the agent to run scripts that will fetch posts, generate interactions, save reports, push to GitHub, and send reports to Telegram. The actual scripts fetch public data and generate local actions and reports, then unconditionally attempt to git add/commit/push from /root/clawd/obsidian-vault. The SKILL.md also instructs to "send directly to Telegram" but no code or declared env var supports that. The skill also writes outside its own directory (into /root/clawd/obsidian-vault) and will attempt network pushes — instructions therefore reference external endpoints and filesystem locations that are not declared or authorized in metadata.
Install Mechanism
There is no install spec (low install risk). However the Python scripts use third-party modules (requests) and rely on system git being configured; these dependencies are not declared in the registry metadata. No remote download URLs or extract steps are used, which is good, but missing dependency declarations mean the runtime environment assumptions are not explicit.
! Credentials
The registry declares no required environment variables or credentials, yet the scripts attempt to push to GitHub (via git) and write into /root/clawd/obsidian-vault. Successful push depends on existing git credentials (SSH key or stored credentials) which are effectively used, despite not being declared. The skill also assumes access to a specific Obsidian vault path which could contain private files. This is disproportionate to a 'read public Moltbook and summarize' description and risks exposing local/remote content via git pushes.
! Persistence & Privilege
The skill does not set always:true, but it writes files outside its own directory (obsidian-vault reports) and attempts to commit and push changes to a remote repository. That means it will alter user data and attempt remote writes without explicit configuration fields or prompts. While not requesting elevated platform privileges, this behavior is significant because it may cause automatic commits/pushes of generated content or unintentionally included files (potential secrets) to a remote GitHub repo.
What to consider before installing
This skill is partially coherent but contains several mismatches you should understand before installing:

  1. It claims to post likes/comments on Moltbook and send reports to Telegram, but the code only simulates interactions locally and does not implement Telegram posting — if you expect real posting, the skill is incomplete and could mislead you.
  2. The generator script will write to /root/clawd/obsidian-vault and attempt git add/commit/push — that will use whatever git credentials are configured on the host (SSH keys or stored credentials) even though no credentials are declared. If your obsidian vault or git repo contains private data, running this skill could push it to the remote.
  3. There are undeclared runtime assumptions (python 'requests' package, git installed & configured).

Consider the following before using:

  • Run the scripts in a sandboxed environment.
  • Inspect and/or remove the git push block (in generate_daily_report.py) or require an explicit GITHUB credential/config.
  • Add explicit TELEGRAM_TOKEN/TELEGRAM_CHAT env vars if you want Telegram posting and implement secure handling.
  • Change the output path to a skill-local directory if you don’t want it modifying your Obsidian vault.

If you are unsure, do not enable autonomous/cron execution or grant the skill write access to your real vault/repo until you harden these behaviors.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.4
latestvk979yn1j5v84wzpnwqqat3mttx81e4gn

SKILL.md

Moltbook Fanboy Skill

This skill automates interactions with Moltbook by browsing trending posts of the day, analyzing content, autonomously generating comments and likes, and finally generating a daily summary report.

Workflow

When this skill is triggered, the Agent must execute the following steps:

  1. Fetch trending posts: Run scripts/fetch_top_posts.py to get the top 5 trending posts from the past 24 hours sorted by likes. Data is saved to data/top_posts.json.

  2. Autonomous content analysis:

    • Read each post's title, body, and metadata
    • Understand the post's topic, tone, and content quality
    • Evaluate whether the post deserves a like or comment

  3. Autonomous interaction generation:

    • Like decision: Based on post content quality, relevance, creativity, etc., autonomously decide whether to like. Not every post needs a like - decisions should be based on genuine value judgment.
    • Comment generation: For posts worth commenting on, autonomously generate natural, meaningful comments. Comments should:
      • Be relevant and valuable to the post content
      • Have a natural tone fitting the community vibe
      • Take the form of agreement, questions, additional viewpoints, or constructive feedback
      • Avoid templated or repetitive comments
    • Record all actions: Save like and comment actions to data/actions.json in the following format:
      [
        {
          "post_title": "Post Title",
          "action": "like" or "comment",
          "content": "Comment content (if comment)",
          "time": "ISO 8601 timestamp"
        }
      ]
      
  4. Generate daily summary:

    • Use templates/summary.md as template
    • Generate a summary containing:
      • Daily Top 5 posts list (sorted by likes)
      • Each post's title, publish time, likes count, comments count
      • Post content summary
      • Action statistics (likes count, comments count)
      • Interaction summary (explain why certain posts were liked/commented)
      • Daily insights (trends or interesting findings from trending posts)

Key Principles

  • Autonomy: Don't use hardcoded templates or fixed replies. Generate comments based on actual post content each time.
  • Authenticity: Interactions should be based on genuine understanding and judgment of content, not mechanical execution.
  • Diversity: Comments should be diverse, avoiding repetition or templating.
  • Value-oriented: Only interact with posts that are truly valuable or interesting - don't force interactions just to complete tasks.

Configuration Requirements

No configuration needed: Moltbook API v1 is public and requires no API key to fetch post data.

Resource Files

  • scripts/fetch_top_posts.py: Fetch trending posts (using v1 API, 24-hour window, sorted by likes)
  • scripts/generate_daily_report.py: Generate daily report and save to Obsidian
  • templates/summary.md: Daily summary template
  • data/top_posts.json: Post data storage
  • data/actions.json: Interaction action records

Obsidian Sync

Generated reports are automatically saved to Obsidian vault:

  • Save path: /root/clawd/obsidian-vault/reports/moltbook/YYYY-MM-DD.md
  • Filename format: YYYY-MM-DD.md
  • Sync method: Bidirectional sync to your Obsidian vault via GitHub

Execution

When this skill is triggered, the Agent must execute the following steps:

  1. Fetch trending posts:

    cd /root/clawd/skills/moltbook-fanboy && python3 scripts/fetch_top_posts.py
    
  2. Generate daily report (includes interaction generation and Obsidian save):

    cd /root/clawd/skills/moltbook-fanboy && python3 scripts/generate_daily_report.py
    
  3. Read and send: The script outputs the report content; send it directly to Telegram.

Files

9 total