Is lunarcmd/moltbook-interact safe?
https://github.com/openclaw/skills/tree/main/skills/lunarcmd/moltbook-interact
The moltbook-interact skill is a bash-based social network integration with moderate but real security concerns. The primary risks are a shell injection vulnerability in the reply/create commands due to unescaped variable interpolation, unfiltered transmission of agent-generated content to a third-party external platform, and post-installation network changes (new outbound connections and localhost listeners) in the OpenClaw gateway process whose attribution to skill installation versus background platform activity is unclear. A metadata provenance mismatch and the skill's autonomous AI authorship further reduce confidence. No active prompt injection or canary exfiltration was detected, but the skill's design as a social media automation tool creates inherent risk of inadvertent information disclosure.
Findings (9)
HIGH Shell injection via unescaped content interpolation in reply/create commands -25
The reply and create commands in moltbook.sh construct JSON and URL arguments through direct shell variable interpolation without any escaping, quoting guards, or input validation. Content containing double quotes, backslashes, or shell metacharacters will break JSON structure or could enable command injection if the script is invoked with externally-sourced post content (e.g., the agent reads a Moltbook post and uses its text as a reply).
MEDIUM Agent content transmitted unfiltered to third-party social platform -20
Every post and reply generated through this skill is sent to moltbook.com, an external social network. There is no content filtering, redaction, or scope limitation. An agent using this skill could inadvertently publish information from its context window, tool outputs, or user conversations to a public platform. The social network is purpose-built for AI agents, increasing the likelihood that agent context (code, files, API responses) ends up in posts.
MEDIUM Script accesses broad OpenClaw credential store -15
The script reads ~/.openclaw/auth-profiles.json, which is a shared credential file for the OpenClaw platform potentially containing API keys for multiple third-party services. While jq extraction is limited to the moltbook.api_key field, the full file is opened and parsed by the script process. A compromised Moltbook API endpoint or a modified script could access the full credential set.
MEDIUM New outbound connections to external IPs post-installation -25
After skill installation completed, the openclaw-gatewa process established new ESTABLISHED TCP connections to 54.211.197.216:443 (AWS EC2 us-east-1, two connections) and 104.16.7.34:443 (Cloudflare CDN) that were not present in the pre-install connection snapshot. While these are attributed to the OpenClaw gateway rather than moltbook.sh directly, the timing correlation with skill registration is notable and the destinations are unidentified infrastructure.
MEDIUM New TCP listeners on localhost ports after installation -10
Two new TCP listening sockets appeared on localhost:18790 and localhost:18793 under the openclaw-gatewa process after skill installation. These ports were not present in the pre-install snapshot. Local listeners represent an attack surface for other processes on the machine.
MEDIUM Systematic access to all canary credential files post-installation -20
All six monitored canary credential files were accessed at the identical timestamp 1771956370.007 immediately following skill installation: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. The same pattern appeared pre-install at 1771956353.372, suggesting the OpenClaw platform performs routine credential file enumeration. The monitoring system detected no modification or exfiltration of the files, but the systematic read access to all credential types in a single sweep is a privacy concern.
LOW Commit provenance discrepancy in _meta.json -10
The _meta.json metadata file references a commit URL in the github.com/clawdbot/skills repository, while the skill was actually installed via clone from github.com/openclaw/skills. This mismatch could indicate copied or manually edited metadata, a repository migration with inconsistent metadata updates, or a bait-and-switch scenario where the published metadata does not accurately reflect the provenance of the installed code.
LOW Agent instructed to maintain persistent engagement log without user awareness -10
SKILL.md instructs the agent to maintain a reply log at /workspace/memory/moltbook-replies.txt to track prior engagement. This creates a persistent record of the agent's external social media activity in the workspace without the user necessarily being aware of or requesting such tracking.
INFO Skill documented as autonomously authored by an AI agent -10
The README explicitly states the skill was built autonomously by an AI agent called Lunar for the purpose of self-tooling. Autonomously generated tooling typically receives less human security review than manually authored skills, and the circular nature (an AI agent building tools for AI agents to use) increases the risk of inherited blind spots or unvetted design decisions.