Trust Assessment
moltbook-poster received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 22 findings: 1 critical, 1 high, 19 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Suspicious import: requests, Potential data exfiltration: file read + network send.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings22
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/lycohana/moltbook-poster/scripts/dm.py:162 | |
| HIGH | Potential data exfiltration: file read + network send Function 'check_rate_limit' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/lycohana/moltbook-poster/scripts/check_rate_limit.py:67 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/check_rate_limit.py:20 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/check_status.py:26 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/check_status.py:47 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/comment.py:10 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:28 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:50 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:80 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:111 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:155 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:183 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/dm.py:201 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/feed.py:25 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/feed.py:61 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/feed.py:97 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/submolts.py:26 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/submolts.py:57 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/submolts.py:88 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/submolts.py:117 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/lycohana/moltbook-poster/scripts/submolts.py:139 | |
| INFO | Inconsistent WORKSPACE path definition Multiple Python scripts (e.g., `check_status.py`, `comment.py`, `dm.py`, `feed.py`, `submolts.py`) hardcode a Windows-specific user path (`C:\Users\10405\.openclaw\workspace`) for the `WORKSPACE` variable. In contrast, `scripts/utils.py` and `scripts/check_rate_limit.py` correctly use `os.path.expanduser("~/.openclaw/workspace")` for cross-platform compatibility. This inconsistency can lead to portability issues, causing the skill to fail or behave unexpectedly on different operating systems or user accounts. While not a direct security vulnerability in this specific context (as it still points to a `.openclaw` directory), it is a bad practice that could lead to unintended file access if the hardcoded path was outside the expected workspace or if the skill is run by a different user. Replace hardcoded `WORKSPACE` paths with `os.path.expanduser("~/.openclaw/workspace")` in all scripts to ensure cross-platform compatibility and consistent behavior across different environments. | LLM | scripts/check_status.py:7 |
Scan History
Embed Code
[](https://skillshield.io/report/82cb19bc1a461002)
Powered by SkillShield