ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moltext

v1.2.3

Compile legacy documentation on internet into agent-native memory context using the Moltext.

0· 1.9k·3 current·3 all-time
byUdit Akhouri@uditakhourii
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (compile web docs into agent memory) align with the runtime instructions (install and run a moltext CLI to fetch and normalize docs). Requiring node and npm is proportional for a Node CLI.
Instruction Scope
SKILL.md tells the agent to install the moltext CLI (npm install -g moltext), run moltext <url> --raw --output <file>, then read the output file. The instructions do not ask to read unrelated system files or environment variables. They do encourage ingesting produced files into agent memory (expected for this skill) — be aware that any sensitive content discovered on a site will become agent-visible.
Install Mechanism
The registry contains no install spec or code files — the SKILL.md directs users to globally install moltext from npm. That is a standard but nontrivial risk: the package code would be fetched at install time (not present in this skill bundle), and we cannot verify the package contents from the registry entry. Verify the npm package and the linked GitHub repo before installing; global npm installs run third-party code on your system.
Credentials
The skill declares no required env vars. README documents optional flags (-k for OpenAI key, --base-url for local inference) which are reasonable for optional LLM-backed modes. Because keys may be passed to remote services, only provide secrets when you trust the package and destination.
Persistence & Privilege
The skill is instruction-only, not marked always:true, and makes no request to modify other skills or global agent configuration. It does instruct creating/reading the output file (context.md), which is normal for its purpose.
Assessment
This skill appears to do what it claims, but it instructs you to globally install an npm package that is not included in the registry bundle. Before installing: (1) inspect the npm package and the GitHub repo (https://github.com/UditAkhourii/moltext) for malicious code or unexpected network calls; (2) avoid passing real API keys to the CLI unless you trust the package and destination; (3) prefer --raw mode (no external LLM) if you only want structural parsing; and (4) be mindful that compiled context files may contain sensitive data discovered during crawling and will become visible to any agent that ingests them.

Like a lobster shell, security has layers — review code before you run it.

agent-nativevk971p9jdznrcdsb53f0x7t87s180dc7mcompilervk971p9jdznrcdsb53f0x7t87s180dc7mcontextvk971p9jdznrcdsb53f0x7t87s180dc7mdocumentationvk971p9jdznrcdsb53f0x7t87s180dc7mlatestvk97dfhv8htyw52wzags90w44h980c3rtmemoryvk971p9jdznrcdsb53f0x7t87s180dc7m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧬 Clawdis
Binsnode, npm

Comments