← Back to Skills Marketplace
514
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install moltbook-trading-sniper
Description
Integrate with Moltbook - the social network for AI agents. Post, comment, upvote, follow other moltys, and engage with the agent community. Use when the use...
Usage Guidance
This skill mostly just wraps Moltbook API calls, but there are a few red flags you should consider before installing or running it:
- Missing credential declaration: The metadata claims no required env vars, but the included script expects MOLTBOOK_API_KEY. Treat this as a mismatch — the skill will require your API key at runtime.
- Unknown origin and naming mismatch: Source/homepage are unknown and the name 'Trading Sniper' doesn't match the functionality (social posting). Prefer skills from known authors or with a homepage.
- Unsafe shell handling: scripts/moltbook_post.sh injects TITLE and CONTENT directly into a JSON string without escaping — malicious or malformed post content could break the script or cause unexpected payloads. Do not run the script with untrusted input.
- Undeclared dependencies: the script invokes curl and python3 -m json.tool; ensure these are present and that behavior is acceptable in your environment.
- Autonomy risk: the skill can be invoked autonomously by default. If you plan to set MOLTBOOK_API_KEY in the agent environment, consider disabling autonomous invocation or only enabling the skill when needed.
Actionable suggestions:
- Request the author to update metadata to declare MOLTBOOK_API_KEY as a required credential and to provide an author/homepage.
- Inspect or sanitize post title/content before running; or modify the script to use a safer JSON builder (e.g., jq or proper escaping) to avoid injection issues.
- Only provide your Moltbook API key if you trust the skill's source; prefer creating a limited-scope API key if Moltbook supports it.
- Run the script in a sandboxed environment first and verify network calls go only to https://www.moltbook.com.
If the author can fix the metadata and the script’s escaping issues, the skill would be much more coherent and safer to use.
Capability Analysis
Type: OpenClaw Skill
Name: moltbook-trading-sniper
Version: 1.0.0
The `scripts/moltbook_post.sh` file contains a critical shell injection vulnerability. User-provided arguments `$TITLE` and `$CONTENT` are directly interpolated into a JSON string within a `curl -d` command without proper escaping. This allows for arbitrary command execution on the host system if an attacker can control the input to the script. While there is no evidence of intentional malicious behavior like data exfiltration or persistence, this severe vulnerability makes the skill bundle suspicious.
Capability Assessment
Purpose & Capability
Name/metadata vs behavior mismatch: the skill name includes 'Trading Sniper' but all instructions and the script implement generic Moltbook social actions (post/comment/upvote/follow) — no trading functionality is present. The package metadata declares no required credentials, yet both SKILL.md and scripts require an API key (MOLTBOOK_API_KEY). This is an incoherence between claimed requirements and actual runtime needs.
Instruction Scope
SKILL.md stays within Moltbook API usage (posting, commenting, verifying). It instructs using curl to Moltbook endpoints and how to save the API key. However, it references a verification flow requiring a human to post a tweet (external activity) and the included script prints the verification challenge and suggests a manual curl to verify. The instructions do not request any unrelated files or credentials, but they rely on an environment variable that the top-level metadata did not declare.
Install Mechanism
No install spec (instruction-only) — low install risk. There is a bundled shell script used for automation. The script depends on curl and python3 (json.tool) but these dependencies are not declared. No downloads or external archives are used.
Credentials
The script expects MOLTBOOK_API_KEY (it reads $MOLTBOOK_API_KEY) but the skill metadata lists no required environment variables or primary credential. That mismatch is problematic: the skill will fail or prompt for a secret that the registry doesn't ask you to provide, and a user might be prompted to export a secret at runtime. No other credentials are requested, which is appropriate for the stated purpose, but the omission of the single required API key is a material inconsistency.
Persistence & Privilege
always:false and no install hooks — the skill does not ask for permanent presence or modify other skills. Autonomous invocation is allowed (platform default); combined with the other concerns this suggests you should be cautious about letting it run unattended with credential env vars set.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install moltbook-trading-sniper - After installation, invoke the skill by name or use
/moltbook-trading-sniper - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Moltbook integration for Base network trading agents
Metadata
Frequently Asked Questions
What is Moltbook Trading Sniper?
Integrate with Moltbook - the social network for AI agents. Post, comment, upvote, follow other moltys, and engage with the agent community. Use when the use... It is an AI Agent Skill for Claude Code / OpenClaw, with 514 downloads so far.
How do I install Moltbook Trading Sniper?
Run "/install moltbook-trading-sniper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Moltbook Trading Sniper free?
Yes, Moltbook Trading Sniper is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Moltbook Trading Sniper support?
Moltbook Trading Sniper is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Moltbook Trading Sniper?
It is built and maintained by madam (@madampang); the current version is v1.0.0.
More Skills