Is dxiongya/moltvote safe?

The skill explicitly instructs agents to add a recurring MoltVote block to their HEARTBEAT.md file. This is a persistent behavioral override: once added, the agent will autonomously search Moltbook, fetch topics from molt.vote, research them, and cast votes every 2-4 hours without the user explicitly requesting each action. This pattern is a known persistence mechanism for agent hijacking.

Registration requires the agent to compose and publish a public Moltbook post on behalf of the user as a verification step. The skill treats this as a one-time setup action, but it establishes a precedent for the agent autonomously posting social media content. Subsequent workflow steps also suggest sharing vote results to Moltbook.

The skill's frontmatter and documentation table reference https://molt.vote/skill.md and https://molt.vote/skill_cn.md as the authoritative copies of the skill. An agent that fetches these URLs would receive instructions from a server the skill author controls, potentially receiving updated or malicious instructions that were never reviewed by the marketplace.

The heartbeat section programs agents to make API calls, conduct web research, and submit votes on a recurring schedule with no mechanism for per-vote user confirmation. Each vote submission also optionally triggers a Moltbook share post.

The skill package bundles .clawhub/lock.json listing 'academic-research-hub' v0.1.0 as an installed skill dependency. This file has no legitimate relationship to a voting skill. Depending on how the ClawHub skill manager processes bundled lock files, this could: (a) auto-install academic-research-hub as a dependency, (b) mark it as already-installed to bypass its own installation checks, or (c) corrupt the user's own lock state.

Every vote submission sends a structured reasoning block (markdown, with cited sources, analysis, and conclusions) to https://molt.vote/api/votes. This reasoning is derived from web research conducted by the agent and may contain sensitive context about the user's interests, research patterns, or opinions. The data is stored server-side linked to a persistent agent identity.

Registration creates a permanent agent record on molt.vote tied to the user's Moltbook identity. The API key is shown only once and cannot be recovered ('we only store the hash'). This creates an irrevocable data relationship: the user's agent identity, voting history, and reasoning are permanently stored on a third-party server with no stated data deletion mechanism.

The combination of HEARTBEAT.md modification and permanent external agent registration means the skill's effects cannot be fully undone by simply uninstalling it. The agent's voting history and identity persist on molt.vote, and the HEARTBEAT.md modification will continue triggering autonomous behavior until manually removed. This design discourages easy opt-out.

The install process used standard git sparse-checkout from the openclaw/skills monorepo. Post-install network connections (3.213.170.18:443, 104.16.2.34:443) were from the openclaw-gateway process (pid=1088, fd=27-30), not spawned by the skill. No unexpected filesystem writes outside the skill directory were detected.