Security fix: Remove hard-coded Moltbook API key (v1.0.5)

- Removed embedded API key from scripts/moltbook_post.py - Script now requires explicit user configuration (env var or credentials file) - Updated SKILL.md to clarify API key must be configured - Core RAG functionality unaffected - fully local, no dependencies - Addresses ClawHub security scan finding about embedded credentials
2026-02-13 15:19:49 +00:00
parent 13717f16e5
commit 258f45508c
4 changed files with 29 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,6 +97,21 @@ All notable changes to the OpenClaw RAG Knowledge System will be documented in t

 ---

+## [1.0.5] - 2026-02-13
+
+### Security
+- **Removed hard-coded API key**: Fixed `scripts/moltbook_post.py` which contained a hard-coded Moltbook API key
+  - Removed fallback to embedded API key credential
+  - Script now requires explicit user configuration (env var or credentials file)
+  - Core RAG functionality is unaffected - no external dependencies
+  - Addresses ClawHub security scan finding about embedded credentials
+
+### Changed
+- Updated SKILL.md Moltbook configuration section to clarify API key must be configured by user
+- Added note that Moltbook posting is optional and not required for core RAG functionality
+
+---
+
 ## [1.0.4] - 2026-02-13

 ### Fixed
--- a/SKILL.md
+++ b/SKILL.md
@@ -411,7 +411,9 @@ python3 scripts/moltbook_post.py "Feature Drop" "New semantic search" "aiskills"

 ### Configuration

-API key is pre-configured. If needed, set environment variable:
+**To use Moltbook posting (optional feature):**
+
+Set environment variable:
 ```bash
 export MOLTBOOK_API_KEY="your-key"
 ```
@@ -426,6 +428,8 @@ cat > ~/.config/moltbook/credentials.json << EOF
 EOF
 ```

+**Note:** Moltbook posting is optional for publishing RAG announcements. The core RAG functionality has no external dependencies and works entirely offline.
+
 ### Rate Limits

 - **Posts:** 1 per 30 minutes
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "rag-openclaw",
-  "version": "1.0.4",
+  "version": "1.0.5",
  "description": "RAG Knowledge System for OpenClaw - Semantic search across chat history, code, docs, and skills with automatic memory retrieval",
  "homepage": "http://git.theta42.com/nova/openclaw-rag-skill",
  "author": {
--- a/scripts/moltbook_post.py
+++ b/scripts/moltbook_post.py
@@ -20,19 +20,19 @@ CONFIG_PATH = os.path.expanduser("~/.config/moltbook/credentials.json")

 def load_api_key():
    """Load API key from config file or environment variable"""
-    # Try config file first
+    # Try environment variable first
+    api_key = os.environ.get('MOLTBOOK_API_KEY')
+    if api_key:
+        return api_key
+
+    # Try config file
    if os.path.exists(CONFIG_PATH):
        with open(CONFIG_PATH, 'r') as f:
            config = json.load(f)
            return config.get('api_key')

-    # Try environment variable
-    api_key = os.environ.get('MOLTBOOK_API_KEY')
-    if api_key:
-        return api_key
-
-    # Default to known key (for this installation)
-    return "moltbook_sk_u6nkaLKRMNoJkWrT7iuUe-bJDD7wUZ1x"
+    # No key configured
+    return None


 def create_post(title, content, submolt="general", url=None):