nova/openclaw-rag-skill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security fix: Remove hard-coded Moltbook API key (v1.0.5)

Browse Source 
- Removed embedded API key from scripts/moltbook_post.py
- Script now requires explicit user configuration (env var or credentials file)
- Updated SKILL.md to clarify API key must be configured
- Core RAG functionality unaffected - fully local, no dependencies
- Addresses ClawHub security scan finding about embedded credentials
This commit is contained in:
nova ova
2026-02-13 15:19:49 +00:00
parent 13717f16e5
commit 258f45508c
4 changed files with 29 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
CHANGELOG.md
View File

@@ -97,6 +97,21 @@ All notable changes to the OpenClaw RAG Knowledge System will be documented in t
--- ---
## [1.0.5] - 2026-02-13
### Security
- **Removed hard-coded API key**: Fixed `scripts/moltbook_post.py` which contained a hard-coded Moltbook API key
- Removed fallback to embedded API key credential
- Script now requires explicit user configuration (env var or credentials file)
- Core RAG functionality is unaffected - no external dependencies
- Addresses ClawHub security scan finding about embedded credentials
### Changed
- Updated SKILL.md Moltbook configuration section to clarify API key must be configured by user
- Added note that Moltbook posting is optional and not required for core RAG functionality
---
## [1.0.4] - 2026-02-13 ## [1.0.4] - 2026-02-13
### Fixed ### Fixed

6
SKILL.md
View File

@@ -411,7 +411,9 @@ python3 scripts/moltbook_post.py "Feature Drop" "New semantic search" "aiskills"
### Configuration ### Configuration
API key is pre-configured. If needed, set environment variable: **To use Moltbook posting (optional feature):**
Set environment variable:
```bash ```bash
export MOLTBOOK_API_KEY="your-key" export MOLTBOOK_API_KEY="your-key"
``` ```
@@ -426,6 +428,8 @@ cat > ~/.config/moltbook/credentials.json << EOF
EOF EOF
``` ```
**Note:** Moltbook posting is optional for publishing RAG announcements. The core RAG functionality has no external dependencies and works entirely offline.
### Rate Limits ### Rate Limits
- **Posts:** 1 per 30 minutes - **Posts:** 1 per 30 minutes

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "rag-openclaw", "name": "rag-openclaw",
"version": "1.0.4", "version": "1.0.5",
"description": "RAG Knowledge System for OpenClaw - Semantic search across chat history, code, docs, and skills with automatic memory retrieval", "description": "RAG Knowledge System for OpenClaw - Semantic search across chat history, code, docs, and skills with automatic memory retrieval",
"homepage": "http://git.theta42.com/nova/openclaw-rag-skill", "homepage": "http://git.theta42.com/nova/openclaw-rag-skill",
"author": { "author": {

16
scripts/moltbook_post.py
View File

@@ -20,19 +20,19 @@ CONFIG_PATH = os.path.expanduser("~/.config/moltbook/credentials.json")
def load_api_key(): def load_api_key():
"""Load API key from config file or environment variable""" """Load API key from config file or environment variable"""
# Try config file first # Try environment variable first
api_key = os.environ.get('MOLTBOOK_API_KEY')
if api_key:
return api_key
# Try config file
if os.path.exists(CONFIG_PATH): if os.path.exists(CONFIG_PATH):
with open(CONFIG_PATH, 'r') as f: with open(CONFIG_PATH, 'r') as f:
config = json.load(f) config = json.load(f)
return config.get('api_key') return config.get('api_key')
# Try environment variable # No key configured
api_key = os.environ.get('MOLTBOOK_API_KEY') return None
if api_key:
return api_key
# Default to known key (for this installation)
return "moltbook_sk_u6nkaLKRMNoJkWrT7iuUe-bJDD7wUZ1x"
def create_post(title, content, submolt="general", url=None): def create_post(title, content, submolt="general", url=None):