Moltcops

Pre-install security scanner for AI agent skills. Detects malicious patterns before you trust code. Local-first — code never leaves your machine.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (pre-install security scanner) match the provided artifacts: SKILL.md describes a local scanner and the included scripts (scripts/scan.py + rules.json) implement a file-based pattern scanner. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
Runtime instructions tell the agent/user to run python3 scripts/scan.py <path>. The scanner walks and reads files under the provided path (expected for this purpose). Note: the scanner prints matched line snippets (up to 120 chars) so scanning folders that contain private keys, credentials, or other secrets will surface parts of those secrets to local stdout — this is normal for a scanner but is a privacy consideration. SKILL.md also advertises external web pages (moltcops.com, moltbook, and a 'Web Scanner' URL) even though the code is local-only; those links are not invoked by the code but warrant normal caution.
Install Mechanism
No install spec; instruction-only with a small Python script relying only on the Python standard library. No downloads, no archived extracts, no external package installs. This is low-risk and proportionate for the stated function.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The scanner purposely looks for patterns that indicate access to env vars and credential files in the target code, but the scanner itself does not access the environment beyond ordinary os operations. The requested privileges are minimal and appropriate.
Persistence & Privilege
No always:true flag, no install hooks, and the skill does not modify agent configuration or request persistent system presence. Autonomous invocation is allowed by default (disable-model-invocation=false) which is normal for skills; this combined with the scanner's narrow scope does not raise additional concerns.
Assessment
Moltcops appears to be what it claims: a small, local file-pattern scanner. Before running it:

  1. Review rules.json if you want to see what patterns will be flagged (and to tune noisy rules).
  2. Test the scanner on a non-sensitive folder first so you understand its output format.
  3. Avoid pointing it at directories containing unencrypted private keys or credentials you don't want printed to stdout (it will show matched line snippets locally).
  4. Treat the advertised web links as external resources: the script doesn't call them, but verify those sites yourself before visiting.
  5. If you need stronger privacy, run the script inside a sandbox or container and redirect output to a secure location.

Overall the skill is coherent and low-risk for its intended purpose.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0

SKILL.md

MoltCops — Skill Security Scanner

Scan any skill for security threats before you install it. Detects prompt injection, data exfiltration, sleeper triggers, drain patterns, and 16 more threat categories.

Local-first. Your code never leaves your machine. No API calls. No uploads. No accounts.

When to Use

  • Before installing any skill from ClawHub, GitHub, or other sources
  • Before running skills shared by other agents
  • When evaluating unknown code from any source
  • After ClawHavoc: 341 malicious skills were found on ClawHub this week. Scan first.

How to Run

python3 scripts/scan.py <path-to-skill-folder>

Example:

# Scan a skill before installing
python3 scripts/scan.py ~/.openclaw/skills/suspicious-skill

# Scan a freshly downloaded skill
python3 scripts/scan.py ./my-new-skill

No dependencies required — uses only Python 3 standard library.

Reading Results

The scanner returns three verdicts:

| Verdict | Exit Code | Meaning |
|---------|-----------|---------|
| PASS | 0 | No critical or high-risk threats detected. Safe to install. |
| WARN | 1 | High-risk patterns found. Review findings before installing. |
| BLOCK | 2 | Critical threats detected. Do NOT install this skill. |

What It Detects

20 detection rules across these threat categories:

| Category | Rules | Examples |
|----------|-------|----------|
| Prompt Injection | MC-001, MC-002, MC-003 | System prompt override, jailbreak payloads, tool-use steering |
| Code Injection | MC-004, MC-005, MC-006, MC-019 | Shell injection, eval/exec, base64-to-exec, child_process |
| Data Exfiltration | MC-007, MC-008, MC-009, MC-010, MC-020 | Webhook URLs, env var harvesting, SSH key access, credential files |
| Hardcoded Secrets | MC-011, MC-012 | API keys in source, private key material |
| Financial | MC-013 | Drain patterns, unlimited withdrawals |
| Lateral Movement | MC-014 | Git credential access, repo manipulation |
| Persistence | MC-015, MC-016 | SOUL.md writes, cron job creation |
| Autonomy Abuse | MC-017 | Destructive force flags (rm -rf, git push --force) |
| Infrastructure | MC-018 | Permission escalation (sudo, chmod 777) |

False Positive Handling

The scanner includes context-aware filtering to reduce false positives:

  • Env var access (MC-008): Only flags when variable names contain KEY, SECRET, PASSWORD, TOKEN, or CREDENTIAL
  • Git operations (MC-014): Skips standard remotes (github.com, gitlab.com, bitbucket.org)
  • Force flags (MC-017): Only flags on destructive operations, not install scripts
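
The following added example (not MoltCops' own code) sketches how the MC-008 and MC-014 filters described above can be implemented. The regexes, function names, the case-insensitive keyword match and the sample lines are assumptions made for illustration; the scanner's real patterns live in its rules.json.

```python
import re
from urllib.parse import urlparse

# Assumed patterns for illustration; MoltCops' real rules are in its rules.json.
SENSITIVE = re.compile(r"KEY|SECRET|PASSWORD|TOKEN|CREDENTIAL", re.IGNORECASE)
ENV_ACCESS = re.compile(r"(?:os\.environ(?:\.get\(|\[)|os\.getenv\(|process\.env\.)['\"]?(\w+)")
GIT_URL = re.compile(r"\bgit\b.*?((?:https?|ssh)://\S+|git@[\w.-]+:\S+)")
STANDARD_REMOTES = {"github.com", "gitlab.com", "bitbucket.org"}


def env_access_is_sensitive(line):
    """MC-008 style: flag env reads only when the variable name looks secret."""
    return any(SENSITIVE.search(name) for name in ENV_ACCESS.findall(line))


def git_remote_is_nonstandard(line):
    """MC-014 style: flag git commands whose remote host is not a standard forge."""
    m = GIT_URL.search(line)
    if not m:
        return False
    target = m.group(1)
    if target.startswith("git@"):
        host = target[4:].split(":", 1)[0]
    else:
        host = urlparse(target).hostname or ""
    # Compare the exact hostname; a substring test would accept look-alike hosts.
    return host.lower() not in STANDARD_REMOTES


def triage(lines):
    """Return (line_no, rule_id) for every line that survives the filters."""
    hits = []
    for no, line in enumerate(lines, 1):
        if env_access_is_sensitive(line):
            hits.append((no, "MC-008"))
        if git_remote_is_nonstandard(line):
            hits.append((no, "MC-014"))
    return hits


# Constructed sample input, not taken from any real skill.
SAMPLE = [
    'home = os.environ.get("HOME")',
    'token = os.environ["GITHUB_TOKEN"]',
    "git clone https://github.com/example/repo.git",
    "git remote add mirror https://git.example.net/x/y.git",
    "const k = process.env.API_KEY;",
]
```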

Example Output

MoltCops Security Scanner
========================================
Scanning: ./suspicious-skill
Files: 5
Rules: 20

FINDINGS
----------------------------------------
[CRITICAL] MC-007: Exfiltration URL (main.py:14)
[CRITICAL] MC-004: Shell Injection (helper.sh:8)
[HIGH] MC-005: Dynamic Code Execution (main.py:22)

SUMMARY
========================================
Files scanned: 5
Total findings: 3
  Critical: 2
  High:     1
  Medium:   0

VERDICT: BLOCK
Critical threats detected. Do NOT install this skill.
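
An added example (not part of SKILL.md or the MoltCops scripts): an install gate that acts on the exit codes from Reading Results and cross-checks them against the `VERDICT:` line in the output above. It assumes the verdict line is printed on stdout exactly as shown; `scan_verdict`, `may_install` and the log file name are hypothetical.

```python
import os
import re
import subprocess
import sys

EXIT_TO_VERDICT = {0: "PASS", 1: "WARN", 2: "BLOCK"}  # exit codes from SKILL.md
VERDICT_LINE = re.compile(r"^VERDICT:\s*(PASS|WARN|BLOCK)\s*$", re.MULTILINE)


def scan_verdict(skill_path, scanner="scripts/scan.py", log_path=None):
    """Run the scanner; return PASS, WARN, BLOCK, or ERROR for an untrusted run."""
    proc = subprocess.run(
        [sys.executable, scanner, skill_path], capture_output=True, text=True
    )
    if log_path:
        # Findings can include snippets of secrets, so keep them off the
        # terminal and in a file created owner-only (0600).
        fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(proc.stdout)
    by_code = EXIT_TO_VERDICT.get(proc.returncode, "ERROR")
    printed = VERDICT_LINE.search(proc.stdout)
    # An interpreter crash also exits 1 and a missing script exits 2, so the
    # exit code only counts when the printed verdict agrees with it.
    if printed is None or printed.group(1) != by_code:
        return "ERROR"
    return by_code


def may_install(verdict, reviewed=False):
    """Fail closed: PASS installs; WARN installs only after a human review."""
    return verdict == "PASS" or (verdict == "WARN" and reviewed)


if __name__ == "__main__":
    verdict = scan_verdict(sys.argv[1], log_path="moltcops-findings.log")
    print(verdict)
    sys.exit(0 if may_install(verdict) else 1)
```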

Web Scanner

For a browser-based version with the same engine, visit: https://scan.moltcops.com

About MoltCops

MoltCops protects the AI agent ecosystem from malicious skills. While VirusTotal catches known malware signatures, MoltCops catches behavioral patterns — drain logic, sleeper triggers, prompt injection, and data exfiltration that signature-based scanning misses.
