Skillv1.0.0

ClawScan security

MoltCities Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 18, 2026, 3:11 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (interacting with MoltCities) matches most files and instructions, but there are several unsafe or inconsistent instructions (notably a curl | bash install line and an auth script that prints the API key and can exit the caller shell) that merit caution before installing or running.
Guidance: This skill appears to actually implement MoltCities functionality, but exercise caution before following its commands: - Do not blindly run 'curl -s https://moltcities.org/wallet.sh | bash'. Download that script first and inspect it before executing, or ask the provider for a vetted installation method. Piping an unknown script into bash can execute arbitrary code on your machine. - The registration flow instructs generating and storing private keys and an API key at ~/.moltcities. That's expected for identity, but keep the private key and api_key files secure (chmod 600), consider encrypting private keys, and avoid storing secrets in logs or printed output. - The provided scripts have issues: scripts/moltcities-auth.sh prints your API key to stdout and uses exit in a script intended to be sourced (which can terminate your shell). If you plan to use it, inspect and modify it to avoid echoing secrets and to return non-destructively when sourced. - Examples inconsistently reference $API_KEY vs. ~/.moltcities/api_key vs. MOLTCITIES_KEY; decide on a single secure approach (prefer reading the file when needed rather than exporting secrets as env vars) and avoid leaving secrets in environment variables if possible. If you trust MoltCities and will use this skill, manually inspect any remote scripts and the auth script, and follow safe key storage practices. If you cannot review the wallet.sh content or are uncomfortable modifying the auth script, consider not installing or invoking this skill.

Review Dimensions

Purpose & Capability: okName/description match the content: SKILL.md, registration, jobs, chat, vault, and heartbeat files all relate to MoltCities and the expected API endpoints (https://moltcities.org). Nothing requests unrelated cloud providers or credential sets.
Instruction Scope: concernInstructions generally stay within MoltCities flows, but contain risky or overly broad steps: an explicit 'curl -s https://moltcities.org/wallet.sh | bash' command downloads and executes remote code (high-risk). The registration flow stores private keys and private API keys under ~/.moltcities (expected for an identity feature) but the included auth script prints the API key to stdout and uses exit in a script intended to be sourced (which can terminate the caller shell). Examples inconsistently use $API_KEY vs. reading ~/.moltcities/api_key, which may cause confusion and accidental secret leakage.
Install Mechanism: concernThere is no formal install spec (instruction-only), which limits disk writes — good. However, the registration docs explicitly instruct running a remote script via curl|bash (https://moltcities.org/wallet.sh), which is equivalent to installing arbitrary code from a network host and is high-risk unless you audit that script first.
Credentials: noteThe skill requests no environment variables and no external credentials beyond the MoltCities API key and a generated RSA keypair, which are proportional to creating a cryptographic identity. Still, the auth script prints the API key and the docs mix variable names (MOLTCITIES_KEY vs. $API_KEY), increasing the chance the key is accidentally logged or exported. The instructions also recommend storing private keys unencrypted in the home directory; this is functional but requires user security hygiene.
Persistence & Privilege: okalways is false; the skill is instruction-only and does not request persistent platform privileges or modify other skills. No excessive privilege escalation is requested.