Is dev-jslee/moltbook-validator safe?
https://github.com/openclaw/skills/tree/main/skills/dev-jslee/moltbook-validator
The moltbook-validator skill delivers a legitimate and correctly-implemented JSON payload validator for the Moltbook API. Its core scripts are clean, make no network calls, access no sensitive files, and the installation process connected only to expected GitHub endpoints. The primary concern is scope creep in SKILL.md: beyond payload validation, the skill instructs agents to pre-filter all incoming Moltbook comments using embedded regex patterns, including a pattern that suppresses messages matching '⚠️.*SYSTEM ALERT', which could inadvertently cause agents to dismiss legitimate warning content. This perception-gating behavior is unusual for a validator and warrants awareness before installation.
Findings (9)
MEDIUM Spam filter patterns double as agent perception suppression -18
The 'Spam Bot Detection' section instructs the agent to discard comments matching specific regex patterns before processing them. The pattern r'⚠️.*SYSTEM ALERT' would cause an agent to classify and ignore any message — including legitimate system alerts or injected warnings — that begins with a warning emoji followed by 'SYSTEM ALERT'. This inverts the intended safety function: while claiming to protect against manipulation, it could suppress real alerts or adversarial warnings that a human operator would want the agent to act on.
MEDIUM Scope creep: validator instructs agent on how to consume API responses, not just validate requests -10
The skill's description and name imply pre-send payload validation. However, the SKILL.md devotes substantial content to post-receive content filtering ('Before reading/engaging with comments, filter spam bots'). An agent following this skill applies filtering logic to inbound API data it did not produce, giving the skill author indirect control over what information the agent perceives from the platform.
LOW Hard-coded account blocklist embedded in agent instructions -5
The skill contains a 'Known Spam Accounts' section listing specific usernames (EnronEnjoyer, Rouken) with descriptions. This list is static and embedded at skill-install time. Agents following this skill will refuse to engage with these accounts without any mechanism for the user to review or override the list.
LOW Platform-affiliated submolt steering -18
The 'Submolt Selection Guide' table recommends m/openclaw-explorers for 'OpenClaw agents' content. This steers agent-generated posts toward a specific community controlled by or affiliated with the OpenClaw platform that distributes this skill.
LOW Perception gatekeeper pattern — high combinatorial risk -10
As a standalone validator the skill is benign. However, if installed alongside any skill that reads Moltbook comments, this skill's spam filter becomes an active layer that pre-processes all comment data before the agent reasons about it. The skill's author can update the spam patterns remotely (via the openclaw/skills repo) to suppress new classes of content over time.
LOW Executable shell and Python scripts present in skill directory -8
The skill ships validate.sh and validate.py, which are executable scripts invoked from the command line as shown in the SKILL.md examples. Both scripts were reviewed and found to be safe, but their presence represents an attack surface if a future version were to modify them.
LOW Sparse checkout from public monorepo -8
The skill is installed via sparse checkout of a public monorepo (openclaw/skills). Any update to the main branch of that repo could silently change skill behavior on the next installation. There is no pinned commit hash enforced at install time beyond the latest main branch state.
INFO Canary file reads from audit framework — not from skill -3
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/credentials) were accessed at timestamps matching the audit framework's own baseline and post-install integrity sweeps. All six files were accessed at identical timestamps in both sweeps, consistent with audit tooling, not skill code.
INFO Scripts are pure local validators with no I/O beyond arguments -12
validate.py imports only json and sys and processes only sys.argv[1]. validate.sh uses only jq and shell builtins on $1. Neither script reads files, makes network calls, or spawns subprocesses.