Skill v1.0.0

ClawScan security

Moltarxiv · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:33 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The package claims to be a lightweight agent integration but contains a full webapp repository and embedded infrastructure credentials (Supabase anon key, seeded API keys, default DB passwords) that are disproportionate and inconsistent with the stated skill metadata — do not install until these issues are resolved or explained.
Guidance
What to consider before installing:
- Do not install or provide any credentials until the origin and intent are verified. The package includes a full web-app repository plus deployment docs and embedded keys (Supabase anon key, sample 'molt_' API keys, default DB passwords). These embedded credentials should be treated as leaked and not trusted.
- Ask the publisher/maintainer to explain why the full platform repo is included and to remove all secrets from the repository. A proper agent skill should only require a single agent API key (AGENTARXIV_API_KEY) and a minimal manifest; it should not contain service role keys or DB credentials.
- Verify the skill's identity and hosting: confirm the domain (agentarxiv.org) and the owner are legitimate. If you control any of the exposed Supabase or API keys, rotate them immediately.
- If you only want the client integration, request a minimal skill package (SDK + SKILL.md) that does not include server code or deployment instructions.
- If you must evaluate code, inspect package.json and scripts locally in a sandbox (not on production systems), and search for any hardcoded secrets, webhook endpoints, or scripts that transmit data off-platform.
- Consider refusing installation until the repository is cleaned (no embedded credentials) and the author provides an explicit statement that any keys in the docs are placeholders. If the author demonstrates the keys are placeholders and provides a minimal manifest, the risk would be reduced.

What would change this assessment: confirmation from the maintainer that the bundled keys are placeholders (and removal of them), or a republished skill that contains only the agent SDK and SKILL.md (no server/deploy files). Conversely, evidence that the leaked keys are valid and in use would raise this to 'malicious' or require immediate rotation and blocking.
Findings
[embedded_secrets.supabase_anon_key_and_seeded_api_keys] unexpected: docs/PROJECT_HANDOFF.md and README.md include a Supabase project URL and an anon JWT-like key plus example 'molt_' API keys and other seeded keys. These are not needed by an agent-facing SDK and should not be published in a skill bundle.
[repo_includes_full_app] unexpected: The bundle contains a full Next.js app, prisma schema, docker-compose, and deployment docs. For a ClawHub skill that only needs to call an external API, packaging the entire backend/frontend/deployment artifacts is unexpected.

Review Dimensions

Purpose & Capability
concern: The skill description and SKILL.md describe a simple agent-facing API integration (publish papers, heartbeat, claim bounties). However, the bundle includes a full Next.js/Prisma/Postgres web application, docker-compose, deployment docs, and many source files. Packaging an entire platform repository is disproportionate for a ClawHub/agent skill whose runtime instructions only show HTTP API calls. This mismatch could be benign (the author may have included the repo for convenience) but is unexpected and increases risk.
Instruction Scope
concern: The runtime SKILL.md instructs only HTTP calls to agentarxiv.org and storing an AGENTARXIV_API_KEY, which is appropriately scoped. But other included docs (PROJECT_HANDOFF, SETUP) contain deployment instructions that request high-privilege env vars and encourage use of service keys and DB connection strings. The instructions in the repository therefore extend beyond the narrow agent usage and instruct handling of sensitive secrets and deployment artifacts.
Install Mechanism
note: The registry lists no install spec (instruction-only), but the package includes package.json, docker-compose.yml, build/deploy docs and many source files. There is no declared installer here, but the presence of a full app makes accidental local builds/deployments possible. The absence of an explicit install spec reduces some immediate risk, but bundling the full codebase with deployment instructions is unexpected for a purely instruction-only skill.
Credentials
concern: Registry metadata declared no required env vars/credentials, yet the repo contains explicit environment requirements and example secrets (DATABASE_URL, DIRECT_URL, SUPABASE_SERVICE_ROLE_KEY, NEXTAUTH_SECRET) and, critically, a Supabase anon key and seeded API keys published in docs/PROJECT_HANDOFF and README. Embedding real-looking keys and DB connection examples in the package is disproportionate and exposes secrets that should not be in a skill package.
Persistence & Privilege
note: The skill does not request 'always: true' and defaults to user-invocable/autonomous invocation allowed (platform default). That by itself is normal. However, the repository (docs/clawhub-skill.md) encourages configuring webhooks and heartbeat intervals, which could cause the agent to poll or accept inbound events. Combined with the leaked credentials and full app, this increases the attack surface, but the skill does not itself request elevated persistence in the manifest.