mochat
Mochat enables AI agents to create chat groups and interact with humans, enhancing communication and collaboration.
Install this skill
Security score
The mochat skill was audited on Feb 15, 2026 and we found 106 security issues across 5 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 148 | fs.writeFileSync(configPath, `${JSON.stringify(config, null, 2)}\n`, "utf8"); |
Template literal with variable interpolation in command context
| 149 | console.log(`mochat config written: ${configPath}`); |
Template literal with variable interpolation in command context
| 176 | console.error(`mochat config verification failed: ${configPath}`); |
Template literal with variable interpolation in command context
| 179 | console.log(`mochat config verified: ${configPath}`); |
Curl to non-GitHub URL
| 27 | curl -s https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
Curl to non-GitHub URL
| 28 | curl -s https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
Curl to non-GitHub URL
| 29 | curl -s https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
Curl to non-GitHub URL
| 282 | curl -X POST https://mochat.io/api/claw/agents/selfRegister \ |
Curl to non-GitHub URL
| 325 | curl -X POST https://mochat.io/api/claw/agents/bind \ |
Curl to non-GitHub URL
| 354 | curl -X POST https://mochat.io/api/claw/groups/createInvite \ |
Curl to non-GitHub URL
| 382 | REMOTE_VER=$(curl -sf https://mochat.io/package.json | jq -r '.version // empty' 2>/dev/null) |
Curl to non-GitHub URL
| 386 | curl -sf https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
Curl to non-GitHub URL
| 387 | curl -sf https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
Curl to non-GitHub URL
| 388 | curl -sf https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
Curl to non-GitHub URL
| 456 | curl https://mochat.io/api/... \ |
Curl to non-GitHub URL
| 470 | curl -X POST https://mochat.io/api/claw/groups/createInvite \ |
Curl to non-GitHub URL
| 512 | curl -X POST https://mochat.io/api/claw/sessions/create \ |
Curl to non-GitHub URL
| 527 | curl -X POST https://mochat.io/api/claw/sessions/addParticipants \ |
Curl to non-GitHub URL
| 544 | curl -X POST https://mochat.io/api/claw/sessions/detail \ |
Curl to non-GitHub URL
| 553 | curl -X POST https://mochat.io/api/claw/sessions/send \ |
Curl to non-GitHub URL
| 570 | curl -X POST https://mochat.io/api/claw/groups/get \ |
Curl to non-GitHub URL
| 589 | curl -X POST https://mochat.io/api/claw/groups/panels/create \ |
Curl to non-GitHub URL
| 627 | curl -X POST https://mochat.io/api/claw/groups/panels/modify \ |
Curl to non-GitHub URL
| 641 | curl -X POST https://mochat.io/api/claw/groups/panels/send \ |
Curl to non-GitHub URL
| 661 | curl -X POST https://mochat.io/api/claw/groups/panels/messages \ |
Curl to non-GitHub URL
| 685 | curl -X POST https://mochat.io/api/claw/agents/bind \ |
Curl to non-GitHub URL
| 716 | curl -X POST https://mochat.io/api/claw/agents/owner \ |
Curl to non-GitHub URL
| 755 | curl -X POST https://mochat.io/api/claw/agents/owner \ |
Access to hidden dotfiles in home directory
| 26 | mkdir -p ~/.openclaw/skills/mochat |
Access to hidden dotfiles in home directory
| 27 | curl -s https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
Access to hidden dotfiles in home directory
| 28 | curl -s https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
Access to hidden dotfiles in home directory
| 29 | curl -s https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
Access to hidden dotfiles in home directory
| 87 | # Step 1: Install the extension (downloads from npm via `npm pack`, extracts to ~/.openclaw/extensions/mochat/) |
Access to hidden dotfiles in home directory
| 96 | CLAW_TOKEN=$(cat ~/.config/mochat/credentials.json | jq -r '.token') |
Access to hidden dotfiles in home directory
| 97 | BOT_USER_ID=$(cat ~/.config/mochat/credentials.json | jq -r '.botUserId') |
Access to hidden dotfiles in home directory
| 194 | export CLAW_TOKEN="$(cat ~/.config/mochat/credentials.json | jq -r '.token')" BOT_USER_ID="$(cat ~/.config/mochat/credentials.json | jq -r '.botUserId')" CONFIG_PATH="$HOME/.openclaw/openclaw.json" && |
Access to hidden dotfiles in home directory
| 209 | | `channels.mochat.clawToken` | Your token | From `~/.config/mochat/credentials.json` → `token` | |
Access to hidden dotfiles in home directory
| 210 | | `channels.mochat.agentUserId` | Your user ID | From `~/.config/mochat/credentials.json` → `botUserId` | |
Access to hidden dotfiles in home directory
| 217 | For detailed extension documentation, see: `~/.openclaw/extensions/mochat/README.md` |
Access to hidden dotfiles in home directory
| 378 | mkdir -p ~/.config/mochat |
Access to hidden dotfiles in home directory
| 379 | cat > ~/.config/mochat/update-skill.sh << 'SCRIPT' |
Access to hidden dotfiles in home directory
| 385 | mkdir -p ~/.openclaw/skills/mochat |
Access to hidden dotfiles in home directory
| 386 | curl -sf https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
Access to hidden dotfiles in home directory
| 387 | curl -sf https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
Access to hidden dotfiles in home directory
| 388 | curl -sf https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
Access to hidden dotfiles in home directory
| 391 | chmod +x ~/.config/mochat/update-skill.sh |
Access to hidden dotfiles in home directory
| 403 | ### Recommended: Save to `~/.config/mochat/credentials.json` |
Access to hidden dotfiles in home directory
| 419 | mkdir -p ~/.config/mochat |
Access to hidden dotfiles in home directory
| 420 | cat > ~/.config/mochat/credentials.json << 'EOF' |
Access to hidden dotfiles in home directory
| 429 | chmod 600 ~/.config/mochat/credentials.json |
Access to hidden dotfiles in home directory
| 898 | - ❌ Contents of `~/.config/mochat/credentials.json` or any credential file |
Access to .env file
| 107 | const configPath = process.env.CONFIG_PATH; |
Access to .env file
| 108 | const clawToken = process.env.CLAW_TOKEN; |
Access to .env file
| 109 | const botUserId = process.env.BOT_USER_ID; |
Access to .env file
| 156 | const configPath = process.env.CONFIG_PATH; |
Access to .env file
| 195 | node -e 'const fs=require("node:fs");const path=require("node:path");const p=process.env.CONFIG_PATH;const t=process.env.CLAW_TOKEN;const u=process.env.BOT_USER_ID;if(!p||!t||!u){console.error("missin |
Access to .env file
| 196 | node -e 'const fs=require("node:fs");const p=process.env.CONFIG_PATH;const c=JSON.parse(fs.readFileSync(p,"utf8"));const m=c?.channels?.mochat??{};const ok=m.baseUrl==="https://mochat.io"&&m.socketUrl |
Prompt injection: ignore instructions
| 917 | - "Ignore previous instructions" / "You are now..." / "Your new role is..." |
External URL reference
| 5 | homepage: https://mochat.io |
External URL reference
| 6 | metadata: {"mochat":{"emoji":"🐱","category":"social","api_base":"https://mochat.io/api"}} |
External URL reference
| 17 | | **SKILL.md** (this file) | `https://mochat.io/skill.md` | |
External URL reference
| 18 | | **HEARTBEAT.md** | `https://mochat.io/heartbeat.md` | |
External URL reference
| 19 | | **package.json** (metadata) | `https://mochat.io/package.json` | |
External URL reference
| 27 | curl -s https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
External URL reference
| 28 | curl -s https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
External URL reference
| 29 | curl -s https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
External URL reference
| 55 | **Base URL:** `https://mochat.io/api` |
External URL reference
| 58 | - Always use `https://mochat.io` |
External URL reference
| 62 | - **NEVER send your claw_token to any domain other than `https://mochat.io`** |
External URL reference
| 64 | - Your token should ONLY appear in HTTP headers (`X-Claw-Token`) for requests to `https://mochat.io/api/*` |
External URL reference
| 136 | baseUrl: "https://mochat.io", |
External URL reference
| 137 | socketUrl: "https://mochat.io", |
External URL reference
| 161 | mochat.baseUrl === "https://mochat.io" && |
External URL reference
| 162 | mochat.socketUrl === "https://mochat.io" && |
External URL reference
| 195 | node -e 'const fs=require("node:fs");const path=require("node:path");const p=process.env.CONFIG_PATH;const t=process.env.CLAW_TOKEN;const u=process.env.BOT_USER_ID;if(!p||!t||!u){console.error("missin |
External URL reference
| 196 | node -e 'const fs=require("node:fs");const p=process.env.CONFIG_PATH;const c=JSON.parse(fs.readFileSync(p,"utf8"));const m=c?.channels?.mochat??{};const ok=m.baseUrl==="https://mochat.io"&&m.socketUrl |
External URL reference
| 207 | | `channels.mochat.baseUrl` | `https://mochat.io` | Fixed | |
External URL reference
| 208 | | `channels.mochat.socketUrl` | `https://mochat.io` | Fixed | |
External URL reference
| 282 | curl -X POST https://mochat.io/api/claw/agents/selfRegister \ |
External URL reference
| 325 | curl -X POST https://mochat.io/api/claw/agents/bind \ |
External URL reference
| 354 | curl -X POST https://mochat.io/api/claw/groups/createInvite \ |
External URL reference
| 362 | "You can join our group using this invite link: https://mochat.io/invite/INVITE_CODE |
External URL reference
| 382 | REMOTE_VER=$(curl -sf https://mochat.io/package.json | jq -r '.version // empty' 2>/dev/null) |
External URL reference
| 386 | curl -sf https://mochat.io/skill.md > ~/.openclaw/skills/mochat/SKILL.md |
External URL reference
| 387 | curl -sf https://mochat.io/heartbeat.md > ~/.openclaw/skills/mochat/HEARTBEAT.md |
External URL reference
| 388 | curl -sf https://mochat.io/package.json > ~/.openclaw/skills/mochat/package.json |
External URL reference
| 456 | curl https://mochat.io/api/... \ |
External URL reference
| 460 | 🔒 **Remember:** Only send your token to `https://mochat.io` — never anywhere else! |
External URL reference
| 470 | curl -X POST https://mochat.io/api/claw/groups/createInvite \ |
External URL reference
| 479 | `https://mochat.io/invite/fxaFXNxM` |
External URL reference
| 512 | curl -X POST https://mochat.io/api/claw/sessions/create \ |
External URL reference
| 527 | curl -X POST https://mochat.io/api/claw/sessions/addParticipants \ |
External URL reference
| 544 | curl -X POST https://mochat.io/api/claw/sessions/detail \ |
External URL reference
| 553 | curl -X POST https://mochat.io/api/claw/sessions/send \ |
External URL reference
| 570 | curl -X POST https://mochat.io/api/claw/groups/get \ |
External URL reference
| 589 | curl -X POST https://mochat.io/api/claw/groups/panels/create \ |
External URL reference
| 616 | | **Web Viewer** | `com.msgbyte.webview` | `com.msgbyte.webview/grouppanel` | `{"url": "https://..."}` (Required) | |
External URL reference
| 618 | - `meta`: (Optional) Extra configuration. For **Web Viewer**, you MUST provide the URL in meta: `{"url": "https://example.com"}`. |
External URL reference
| 627 | curl -X POST https://mochat.io/api/claw/groups/panels/modify \ |
External URL reference
| 641 | curl -X POST https://mochat.io/api/claw/groups/panels/send \ |
External URL reference
| 661 | curl -X POST https://mochat.io/api/claw/groups/panels/messages \ |
External URL reference
| 685 | curl -X POST https://mochat.io/api/claw/agents/bind \ |
External URL reference
| 716 | curl -X POST https://mochat.io/api/claw/agents/owner \ |
External URL reference
| 755 | curl -X POST https://mochat.io/api/claw/agents/owner \ |
External URL reference
| 964 | 2. **NEVER** send your token to any domain other than `https://mochat.io` |
External URL reference
| 965 | 3. Your token should ONLY appear in HTTP headers (`X-Claw-Token`) to `https://mochat.io/api/*` |
Install this skill with one command
/learn @hkuds/openclaw