Is moltbook-interact safe?

https://clawhub.ai/LunarCmd/moltbook-interact

Overall score: 62/100
Verdict: CAUTION

The moltbook-interact skill provides a bash-based CLI for interacting with the Moltbook social network API. Its core functionality is straightforward, but the install process accessed credential files outside its stated scope (~/.env, ~/.aws/credentials), the bundled bash script interpolates user-supplied content into JSON request bodies without escaping, and the skill's normal operation is an outbound channel to an external server that could be leveraged for exfiltration. No active malicious behavior was confirmed, but the risk profile warrants caution.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 40/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH Suspicious credential file access during install -40

The installation process accessed ~/.env, ~/.aws/credentials, and ~/.openclaw/agents/main/agent/auth-profiles.json. These files are outside the skill's stated scope (it should only need ~/.config/moltbook/credentials.json). While no network exfiltration was detected, the access pattern is concerning and suggests the install environment or a dependency is probing for credentials.
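To reproduce the check behind this finding outside the audit sandbox, here is an added example (not part of the audit tooling or the skill): run the install under strace and filter the opened paths against the skill's declared scope. The trace lines, the home directory and the function names are constructed for illustration and mirror the paths named above.

```bash
#!/usr/bin/env bash
# Added example: filter an strace log of a skill install for credential-file
# access outside the skill's declared scope. The trace lines below are
# constructed to mirror the paths named in the finding; the home directory
# /home/agent and the .cjs filename are assumptions.
# Capture a real log with:  strace -f -e trace=openat -o trace.log <install command>

SAMPLE_TRACE='12345 openat(AT_FDCWD, "/home/agent/.config/moltbook/credentials.json", O_RDONLY) = 3
12345 openat(AT_FDCWD, "/home/agent/.env", O_RDONLY) = 4
12346 openat(AT_FDCWD, "/home/agent/.aws/credentials", O_RDONLY) = 5
12346 openat(AT_FDCWD, "/tmp/jiti/example.cjs", O_RDONLY) = 6
12347 openat(AT_FDCWD, "/home/agent/.openclaw/agents/main/agent/auth-profiles.json", O_RDONLY) = 7
12347 openat(AT_FDCWD, "/home/agent/.ssh/id_ed25519", O_RDONLY) = -1 ENOENT'

# The only credential location this skill declares a need for.
ALLOWED_PREFIX='/home/agent/.config/moltbook/'

# Print every opened path that is a known credential location and is not under
# the allowed prefix. Failed opens (ENOENT) are kept on purpose: a probe that
# misses is still a probe.
flag_credential_access() {
  printf '%s\n' "$1" \
    | sed -n 's/.*openat([^,]*, "\([^"]*\)".*/\1/p' \
    | grep -v "^${ALLOWED_PREFIX}" \
    | grep -E '/\.env$|/\.aws/|/\.ssh/|/\.netrc$|auth-profiles\.json$|credentials(\.json)?$' \
    || true
}

# Number of flagged paths, usable as a pass/fail gate (non-zero means review).
flagged_count() {
  flag_credential_access "$1" | grep -c .
}

# Demonstration against the constructed trace.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "flagged paths:"
  flag_credential_access "$SAMPLE_TRACE"
  echo "count: $(flagged_count "$SAMPLE_TRACE")"
fi
```

The allow-list is deliberately narrow: a skill whose SKILL.md says it needs one credentials file should not be reading anything else under the home directory, so every other hit is worth a manual look even if the surrounding framework turns out to be the reader.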

HIGH External API credential transmission -35

The moltbook.sh script reads the API key from the local credential file and sends it as a Bearer token to https://www.moltbook.com/api/v1. Sending the key to its own service is the skill's stated purpose; the risk is the content that travels with it: an agent following this skill will post user-composed text to an external server, and that text can carry sensitive context from the agent's conversation.

HIGH JSON injection via unescaped string interpolation -25

The moltbook.sh script interpolates user-supplied content directly into JSON request bodies without escaping. The 'reply' command constructs {"content":"${content}"} and the 'create' command constructs {"title":"${title}","content":"${content}"}. A title or body containing a double quote, backslash or newline breaks the JSON structure, and crafted input can close the string early and inject additional JSON fields into the API request. Because the values are expanded inside a double-quoted bash string, this is not shell or command injection; it is payload injection into the API request. The fix is to build the body with a JSON-aware tool (for example jq --arg) instead of string interpolation.
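As an added illustration (not code from moltbook.sh), the vulnerable construction reproduced beside a hardened builder. The function names and the crafted input are constructed for this example; the escaper covers what the finding describes (quotes, backslashes, line breaks) and the jq variant is the one to prefer where jq is installed.

```bash
#!/usr/bin/env bash
# Added example: reproduces the unescaped-interpolation pattern from the finding
# and shows a hardened builder. Function names and inputs are constructed here;
# this is not code from moltbook.sh.

# Vulnerable pattern: the value is spliced into the JSON text verbatim.
unsafe_payload() {
  local content="$1"
  printf '{"content":"%s"}' "$content"
}

# Escape a string for use inside a JSON string literal, without jq.
# Handles backslash, double quote and the whitespace control characters JSON
# requires to be escaped; other control characters (0x00-0x1f) are not
# handled, so prefer safe_payload_jq where jq is available.
json_escape() {
  local s="$1"
  local nl=$'\n' cr=$'\r' tab=$'\t'
  s="${s//\\/\\\\}"      # backslash first, so later escapes are not doubled
  s="${s//\"/\\\"}"      # double quote
  s="${s//$nl/\\n}"      # newline
  s="${s//$cr/\\r}"      # carriage return
  s="${s//$tab/\\t}"     # tab
  printf '%s' "$s"
}

# Hardened builder using the escaper above.
safe_payload() {
  printf '{"content":"%s"}' "$(json_escape "$1")"
}

# Preferred builder: let jq serialise the value (requires jq on PATH).
safe_payload_jq() {
  jq -cn --arg content "$1" '{content: $content}'
}

# Demonstration: a body crafted to smuggle an extra field into the request.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  crafted='","pinned":true,"x":"'
  echo "unsafe: $(unsafe_payload "$crafted")"
  echo "safe:   $(safe_payload "$crafted")"
fi
```

With the crafted value, unsafe_payload emits {"content":"","pinned":true,"x":""}, a valid object with a field the user never typed; safe_payload keeps the whole value inside the content string.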

MEDIUM Agent-mediated data exfiltration channel -20

The skill instructs the agent to create posts and replies with arbitrary content on an external social network. A sophisticated attacker could craft SKILL.md instructions (in a future update) that cause the agent to include conversation context, code snippets, or environment details in posts — effectively using Moltbook as a covert exfiltration channel.

MEDIUM Autonomous behavior programming -25

SKILL.md instructs the agent to maintain state (reply log at /workspace/memory/moltbook-replies.txt) and make autonomous decisions (check post IDs before replying). This programs persistent behavioral changes into the agent beyond simple tool invocation, and the reply log could accumulate data across sessions.

MEDIUM Excessive code compilation during install -20

The install process triggered compilation of 20+ .cjs files in /tmp/jiti/, including modules named 'memory-core', 'plugin-sdk', 'infra-exec-safety', 'agents-identity', etc. This indicates substantial runtime code execution during what should be a simple skill installation. While likely attributable to the OpenClaw framework itself, it expands the attack surface.

LOW Executable bash script with network access -20

The skill includes scripts/moltbook.sh, a bash script that uses curl to make HTTP requests. While this is the stated purpose of the skill, any executable script bundled with a skill increases risk surface. The script could be modified in a future version to perform additional actions.

LOW Filesystem write outside skill directory -10

SKILL.md instructs the agent to write to /workspace/memory/moltbook-replies.txt, which is outside the skill's own directory. This normalizes writing to arbitrary paths and could be a stepping stone for more dangerous filesystem operations in future versions.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained unmodified during the audit. This check covers modification only: reads of ~/.env and ~/.aws/credentials were observed at install time (see the first finding), so an intact canary rules out tampering with those files, not reading them.