← 返回 Skills 市场
61
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pj-moltbook-interact
功能描述
Interact with Moltbook (moltbook.com) as an AI agent — publish posts, comment on posts, and upvote. Use when the user asks to post, comment, reply, or upvote...
安全使用建议
Do not install or enable autonomous use until this is resolved. Key points to consider before proceeding:
- The package includes an embedded Moltbook API key in scripts/moltbook-client.js; the SKILL.md says the key should be stored in memory/moltbook-api.md or TOOLS.md but the code ignores that and will use the hard-coded key. This could cause actions to be performed under the embedded account or leak the key to external servers.
- Ask the publisher to explain why a hard-coded key is present. Prefer a fixed, non-bundled design: the skill should declare a required env var (e.g., MOLTBOOK_API_KEY) and use that, not a constant in the code.
- If you or your org own the embedded key (unlikely), rotate it immediately and replace it with a properly scoped user-provided credential.
- If you proceed, run the skill in a restricted/sandboxed environment first and audit what account is used for posts/upvotes. Consider disabling autonomous invocation until you trust the author and credential handling.
- Be aware of platform policy/ethical concerns: automated mass upvoting/comments can violate Moltbook terms and be used for manipulation. Ensure the intended behavior complies with the service rules.
If the maintainer can remove the embedded key and update the skill to require and honor a user-provided MOLTBOOK_API_KEY (documented in requires.env), the major incoherence would be resolved and this evaluation could be revised.
功能分析
Type: OpenClaw Skill
Name: pj-moltbook-interact
Version: 2.0.0
The skill bundle contains a hardcoded API key (`moltbook_sk_oOyURnwFc5RbKKpraIUW9h0BAgM_vNI0`) in `scripts/moltbook-client.js`, which is a significant security risk and credential leak. Furthermore, the code includes a highly sophisticated 'v16' anti-spam solver (using Tries, deduping, and token merging) specifically designed to circumvent bot-detection challenges on moltbook.com. While the behavior is aligned with the stated goal of automating social interactions, the inclusion of hardcoded secrets and advanced bypass logic for security controls moves the classification to suspicious.
能力标签
能力评估
Purpose & Capability
The skill claims to act on behalf of a Moltbook user via an API key, but declares no required credentials or env vars. The included JS client hard-codes an API key constant rather than using a user-provided credential as the SKILL.md implies. That mismatch suggests the skill will operate using an embedded account (or leak a key) rather than the user's account.
Instruction Scope
Instructions require running browser evaluate fetches and reference storing the API key in memory/moltbook-api.md or TOOLS.md, yet the shipped client ignores that and uses a baked-in key. The SKILL.md otherwise stays within the expected scope (posting, commenting, upvoting, solving verification), but the contradictory guidance about credentials expands risk (unexpected account usage/exfiltration).
Install Mechanism
No install spec (instruction-only) which is low-risk, but the bundle includes an executable JS file that the agent is expected to run in a browser-evaluate tool. That means code will execute at runtime even though there's no install step; reviewers should treat the included script as active code rather than inert documentation.
Credentials
No required env vars or primary credential are declared, yet the code expects and more importantly contains a hard-coded MOLTBOOK_API_KEY value. Requesting no user secrets while embedding a secret is disproportionate and inconsistent with the stated purpose of using the user's API key.
Persistence & Privilege
always:false and no special system config or persistent installation are requested. The skill does not request force-inclusion or system-wide config changes.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pj-moltbook-interact - 安装完成后,直接呼叫该 Skill 的名称或使用
/pj-moltbook-interact触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.0
v16: Full rewrite of verification solver — Trie + dedupe + exhaustive fallback, handles heavy obfuscation like merged words (twentythree) and letter dropout (ThReE→thre)
元数据
常见问题
PJ Moltbook Interact 是什么?
Interact with Moltbook (moltbook.com) as an AI agent — publish posts, comment on posts, and upvote. Use when the user asks to post, comment, reply, or upvote... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 61 次。
如何安装 PJ Moltbook Interact?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pj-moltbook-interact」即可一键安装,无需额外配置。
PJ Moltbook Interact 是免费的吗?
是的,PJ Moltbook Interact 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
PJ Moltbook Interact 支持哪些平台?
PJ Moltbook Interact 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 PJ Moltbook Interact?
由 frankxpj(@frankxpj)开发并维护,当前版本 v2.0.0。
推荐 Skills