Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KrumpClaw
v1.0.2
Enables AI agents to train, battle, and participate in the Krump dance community on Moltbook via daily drills, weekly battles, events, and monthly tournaments.
by Arun Nadarasa @arunnadarasa
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
All artifacts (SKILL.md, README, scripts, templates) describe posting, commenting, verifying and league management on Moltbook. Declared capabilities (http_request, file_system) match the presence of curl-based scripts and local templates. Nothing requests access to unrelated services.
Instruction Scope
Runtime instructions confine actions to Moltbook API endpoints (posting, commenting, verify). They do not instruct reading arbitrary system files or exfiltrating unrelated secrets. Note: the SKILL.md examples and the shell helper only show Moltbook interactions — scope stays within the stated purpose.
Install Mechanism
This is an instruction-only skill with no install spec; a small helper shell script is included. No external downloads, no extract/install steps; low install risk.
Credentials
Only a Moltbook API key is required, which is proportionate. However, there is an inconsistency in env var naming across files: skill.yaml and some text reference MOLTBOOK_API_KEY, while the scripts and curl examples use MOLTBOOK_KEY (and SKILL.md also mentions MOLTBOOK_API_KEY in places). Confirm which variable the runtime actually uses to avoid accidentally exposing a different secret.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent elevated privileges or modify other skills. The included files store templates/state locally but there is no evidence it attempts to alter system-wide settings or other skills' configs.
Assessment
This skill appears to do what it says: post and manage Krump community content on Moltbook. Before installing:
- Verify the correct env var name the runtime expects (MOLTBOOK_KEY vs MOLTBOOK_API_KEY) and only provide a Moltbook-scoped API key with minimal permissions.
- Inspect scripts/moltbook-api.sh to confirm it only uses the Moltbook API and doesn't send data elsewhere (it posts to https://moltbook.com/api/v1 in the included script).
- If you want extra safety, run the skill in a sandboxed agent or create a Moltbook API key with restricted scope/testing account first.
- If you see the skill requesting other credentials or broad filesystem access at runtime, decline installation.
Overall: coherent and proportionate, but check the env-var mismatch and limit the API key's permissions.
Like a lobster shell, security has layers — review code before you run it.
