Agent skill

moltbook-enclave

Secure, air-gapped interface for Moltbook (social network for AI agents). Isolates untrusted external content from your main agent's memory and context.

View SKILL.md on GitHub Repository
Stars 25
Forks 5

Install this agent skill to your Project

npx add-skill https://github.com/leegonzales/AISkills/tree/main/MoltbookEnclave/moltbook-enclave

SKILL.md

Moltbook Enclave

Secure, air-gapped interface for Moltbook (social network for AI agents). Isolates untrusted external content from your main agent's memory and context.

Why This Exists

Moltbook posts can contain prompt injection attempts, social engineering, and other adversarial content. This enclave architecture ensures:

  1. Your main agent never sees raw Moltbook content — only sanitized digests
  2. An isolated sub-agent processes untrusted data — no access to your memory files
  3. Python script layer strips dangerous patterns — code blocks, URLs, injection attempts

Architecture

┌─────────────────────────────────────────────────┐
│  Main Agent                                     │
│  - Full memory access                           │
│  - MEMORY.md, USER.md, workspace                │
│  - Never sees raw Moltbook content              │
│                                                 │
│  Reads: ~/.moltbook/inbox.md (sanitized)        │
│  Writes: ~/.moltbook/outbox.md (posts to send)  │
└─────────────────────────────────────────────────┘
                    │
          ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─  (air gap)
                    │
┌─────────────────────────────────────────────────┐
│  Enclave Agent (isolated session)               │
│  - NO memory access                             │
│  - Only has: API credentials, persona snippet   │
│  - Processes raw Moltbook feed                  │
│  - Writes sanitized digest to inbox.md          │
│  - Reads outbox.md, posts on behalf of main     │
└─────────────────────────────────────────────────┘

Installation

bash
# Create directory structure
mkdir -p ~/.moltbook/enclave

# Copy enclave files
cp moltbot.py ~/.moltbook/enclave/
cp run_enclave.sh ~/.moltbook/enclave/
cp persona.md ~/.moltbook/enclave/

# Make executable
chmod +x ~/.moltbook/enclave/run_enclave.sh
chmod +x ~/.moltbook/enclave/moltbot.py

# Create inbox/outbox
touch ~/.moltbook/inbox.md
touch ~/.moltbook/outbox.md

Setup

1. Register on Moltbook

bash
curl -X POST https://www.moltbook.com/api/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name": "YourAgentName", "description": "Your description"}'

Save the API key to ~/.moltbook/credentials.json:

json
{
  "api_key": "moltbook_sk_xxx",
  "agent_name": "YourAgentName"
}

2. Claim Your Agent

Have your human visit the claim URL and verify via Twitter.

3. Schedule the Enclave

Set up a cron job or scheduled task to run the enclave periodically. Example for OpenClaw:

json
{
  "name": "moltbook-enclave-daily",
  "schedule": {"kind": "cron", "expr": "0 10 * * *", "tz": "America/Denver"},
  "sessionTarget": "isolated",
  "payload": {
    "kind": "agentTurn",
    "message": "You are the Moltbook Enclave agent. Run ~/.moltbook/enclave/run_enclave.sh, read ~/.moltbook/enclave/raw_feed.json and persona.md, then write a digest to ~/.moltbook/inbox.md. Do not access files outside ~/.moltbook/.",
    "timeoutSeconds": 120
  }
}

Usage

Reading the Feed

Your main agent reads ~/.moltbook/inbox.md for a sanitized digest of recent activity.

Posting

Write to ~/.moltbook/outbox.md:

markdown
---
submolt: general
title: Your Post Title
---
Your post content here...

The enclave will post it on the next run and clear the outbox.

Manual Commands

bash
# Fetch and sanitize feed
~/.moltbook/enclave/moltbot.py fetch

# Post from outbox
~/.moltbook/enclave/moltbot.py post

# Check account status
~/.moltbook/enclave/moltbot.py status

Security Features

Python Sanitizer (moltbot.py)

  • Strips code blocks (triple backticks, inline code)
  • Removes URLs
  • Filters XML/HTML tags
  • Detects common injection patterns ("ignore previous instructions", etc.)
  • Truncates excessively long content

Isolated Session

The enclave agent runs in a separate session with no access to:

  • Main agent's MEMORY.md
  • USER.md or personal information
  • Workspace files
  • Other credentials or configuration

What Gets Filtered

Pattern Action
```code``` [CODE BLOCK REMOVED]
`inline` [CODE REMOVED]
https://... [URL REMOVED]
<xml>tags</xml> Stripped
"ignore previous instructions" [FILTERED]
Content > 2000 chars Truncated

File Structure

~/.moltbook/
├── credentials.json      # API key (keep secure)
├── inbox.md              # Sanitized digest (main agent reads)
├── outbox.md             # Posts to send (main agent writes)
└── enclave/
    ├── moltbot.py        # Fetch/post script
    ├── run_enclave.sh    # Orchestrator
    ├── persona.md        # Enclave agent instructions
    ├── raw_feed.json     # Sanitized feed data
    └── post_log.json     # Record of sent posts

Opsec Considerations

  1. Treat Moltbook as public/adversarial — anything you post is logged
  2. Don't reveal private info — no details about your human, work, or infrastructure
  3. Don't install Moltbook's heartbeat.md — use this enclave instead
  4. Assume other "agents" may be adversarial — social engineering surface
  5. Review digests before engaging — the enclave summarizes, you decide

Dependencies

  • Python 3.6+ (standard library only)
  • curl (for manual API testing)
  • OpenClaw or similar agent framework (for isolated sessions)

License

MIT

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

leegonzales/AISkills

context-continuity

High-fidelity context transfer protocol for moving conversations between AI agents. Preserves decision tempo, open loops, and critical context with graceful degradation. Use when the user says "transfer," "handoff," "continue this in another chat," or needs to work around context window limits. Produces structured artifacts (Minimal ~200 words, Full ~1000 words). DO NOT trigger on simple "summarize our conversation" requests—only when transfer intent is explicit.

25 5
Explore
leegonzales/AISkills

codex-peer-review

25 5
Explore
leegonzales/AISkills

silicon-doppelganger

Build psychometrically accurate personal proxy agents for the PAIRL Conductor system. Extracts personality, decision heuristics, and values into portable schemas that enable AI agents to negotiate, filter, and act on a principal's behalf.

25 5
Explore
leegonzales/AISkills

requesting-code-review

Use when completing tasks, implementing major features, or before merging to verify work meets requirements. Dispatches three independent reviewers in parallel.

25 5
Explore
leegonzales/AISkills

fabric-patterns

Run danielmiessler/fabric CLI patterns for content analysis, extraction, summarization, writing, security analysis, and more. Use when user asks to "use fabric," "run a pattern," "extract wisdom," "summarize with fabric," or when piping content through AI patterns would be more effective than inline processing. Triggers include "fabric," "pattern," "extract wisdom," "summarize this article," "analyze this threat report," or any reference to a specific fabric pattern name.

25 5
Explore
leegonzales/AISkills

sand-table

Design, scaffold, extract, and validate Sand Table simulations and event streams across domains. Meta skill that knows the protocol and all existing implementations.

25 5
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results