From 258f45508c9c8aa3e5fdd29230b32e4302448ac7 Mon Sep 17 00:00:00 2001
From: Nova AI
Date: Fri, 13 Feb 2026 15:19:49 +0000
Subject: [PATCH] Security fix: Remove hard-coded Moltbook API key (v1.0.5)
- Removed embedded API key from scripts/moltbook_post.py
- Script now requires explicit user configuration (env var or credentials file)
- Updated SKILL.md to clarify API key must be configured
- Core RAG functionality unaffected - fully local, no dependencies
- Addresses ClawHub security scan finding about embedded credentials
---
 CHANGELOG.md | 15 +++++++++++++++
 SKILL.md | 6 +++++-
 package.json | 2 +-
 scripts/moltbook_post.py | 16 ++++++++--------
 4 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 83fce71..d308eab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,6 +97,21 @@ All notable changes to the OpenClaw RAG Knowledge System will be documented in t
 ---
+## [1.0.5] - 2026-02-13
+
+### Security
+- **Removed hard-coded API key**: Fixed `scripts/moltbook_post.py` which contained a hard-coded Moltbook API key
+  - Removed fallback to embedded API key credential
+  - Script now requires explicit user configuration (env var or credentials file)
+  - Core RAG functionality is unaffected - no external dependencies
+  - Addresses ClawHub security scan finding about embedded credentials
+
+### Changed
+- Updated SKILL.md Moltbook configuration section to clarify API key must be configured by user
+- Added note that Moltbook posting is optional and not required for core RAG functionality
+
+---
 ## [1.0.4] - 2026-02-13
 ### Fixed
diff --git a/SKILL.md b/SKILL.md
index 60792ee..fc9a37b 100644
--- a/SKILL.md
+++ b/SKILL.md
@@ -411,7 +411,9 @@ python3 scripts/moltbook_post.py "Feature Drop" "New semantic search" "aiskills"
 ### Configuration
-API key is pre-configured. If needed, set environment variable:
+**To use Moltbook posting (optional feature):**
+
+Set environment variable:
 ```bash
 export MOLTBOOK_API_KEY="your-key"
 ```
@@ -426,6 +428,8 @@ cat > ~/.config/moltbook/credentials.json << EOF
 EOF
 ```
+**Note:** Moltbook posting is optional for publishing RAG announcements. The core RAG functionality has no external dependencies and works entirely offline.
+
 ### Rate Limits
 - **Posts:** 1 per 30 minutes
diff --git a/package.json b/package.json
index 80f6e61..b7a1cb6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "rag-openclaw",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "RAG Knowledge System for OpenClaw - Semantic search across chat history, code, docs, and skills with automatic memory retrieval",
   "homepage": "http://git.theta42.com/nova/openclaw-rag-skill",
   "author": {
diff --git a/scripts/moltbook_post.py b/scripts/moltbook_post.py
index 1a10b78..a0a4818 100755
--- a/scripts/moltbook_post.py
+++ b/scripts/moltbook_post.py
@@ -20,19 +20,19 @@ CONFIG_PATH = os.path.expanduser("~/.config/moltbook/credentials.json")
 def load_api_key():
     """Load API key from config file or environment variable"""
-    # Try config file first
+    # Try environment variable first
+    api_key = os.environ.get('MOLTBOOK_API_KEY')
+    if api_key:
+        return api_key
+
+    # Try config file
     if os.path.exists(CONFIG_PATH):
         with open(CONFIG_PATH, 'r') as f:
             config = json.load(f)
             return config.get('api_key')
-    # Try environment variable
-    api_key = os.environ.get('MOLTBOOK_API_KEY')
-    if api_key:
-        return api_key
-
-    # Default to known key (for this installation)
-    return "moltbook_sk_u6nkaLKRMNoJkWrT7iuUe-bJDD7wUZ1x"
+    # No key configured
+    return None
 def create_post(title, content, submolt="general", url=None):
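Review bot: Deleting the embedded key from `load_api_key` does not invalidate it — the value is still in the repository history (this hunk's removed `return` line carries it) and in any previously published package, so the credential needs to be revoked and reissued at the provider, and neither the commit message nor the CHANGELOG entry mentions that. In the new code `load_api_key` can return `None` both from the final fallthrough and from `config.get('api_key')` when the credentials file lacks that field, and a malformed `~/.config/moltbook/credentials.json` raises an unhandled `json.JSONDecodeError`; the callers are outside this hunk, so I cannot tell whether a `None` key yields a clear error or an unauthenticated request, and failing fast here, e.g. `raise SystemExit("MOLTBOOK_API_KEY is not set and ~/.config/moltbook/credentials.json has no 'api_key'")` in place of `return None`, would be safer if callers do not already check. The docstring should also state the new precedence and the `None` result: `"""Return the Moltbook API key from MOLTBOOK_API_KEY, else from the credentials file, or None if neither is configured."""`.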