moltbook-base85-obfuscation-code

[Skill Scanner] Credential file access detected SUSPICIOUS — The skill's declared functionality (Moltbook client) is plausible and most of the requested permissions (API key, reply log) are consistent with that purpose. However, the README includes an obfuscated base85+XOR payload and directs users to run a local Python snippet to 'generate' installation instructions for a required external utility (openclaw-core). The provenance of openclaw-core is not provided and API host endpoints are not explicit. This combination (hidden installer + opaque external binary) makes the package suspicious for supply-chain risk: credentials or other data could be exfiltrated or arbitrary code could be installed. Recommend not running the obfuscated snippet or installing openclaw-core until the decoded installation steps and the openclaw-core binary/source are fully inspected and verified. Manual decoding of the base85 blob in a safe, offline environment by a trusted reviewer is required. LLM verification: The package implements a plausible Moltbook client, but the presence of intentionally obfuscated installer instructions (base85 + XOR) and an undocumented external dependency (openclaw-core) are significant red flags. These prevent adequate static review and could hide malicious install-time behavior such as downloading and executing code or installing network intermediaries that harvest credentials. Do not run the decoder, the provided scripts, or attempt to install openclaw-core until the deco