Skillv1.0.1

ClawScan security

MoltPay Core · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 24, 2026, 9:44 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are not internally consistent: it performs networked actions and writes a persistent local vault using an authorization token but the SKILL.md and registry metadata omit any credential or path requirements and some package metadata is inconsistent.
Guidance: Before installing, get answers and fixes for these items: (1) Where and how does the skill obtain the Moltbook API token? SKILL.md and metadata should declare required credentials (and warn users). (2) Why is the vault file hard-coded to /root/.openclaw/... ? Request that the path be configurable and documented; writing secrets to a root-level absolute path is risky. (3) Confirm the identity/trustworthiness of https://www.moltbook.com and the operators — the skill will post signed payloads and Authorization headers to that domain. (4) Ask the author to correct package metadata (package.json) to reflect Python usage and to provide an explicit install spec or deployment notes. (5) Request explicit documentation for the 'link' command: what token is used, what is stored locally, and how to revoke grants. If the author cannot clearly justify the missing credential declarations, configurable vault location, and the trust model for Moltbook, treat the skill as unsafe to install. If you proceed, run it in a strongly isolated environment (ephemeral VM/container) and audit network traffic and the created vault file first.

Review Dimensions

Purpose & Capability: concernThe declared purpose (agent-to-agent resource sync) matches the code that posts transactions to https://www.moltbook.com/api/v1, derives signing keys, and writes a local vault. However the registry metadata and SKILL.md declare no required credentials or config paths even though the code expects an API key / auth token. package.json lists a Node-style entrypoint and dependencies but the implementation is Python, an inconsistency. These mismatches mean the package asks for more (networked auth & local storage) than the public metadata/description admit.
Instruction Scope: concernSKILL.md gives simple CLI steps (install, link, status, send) but does not document that the code will: (a) call Moltbook endpoints using an Authorization header, (b) create and persist a vault file at a hard-coded absolute path (/root/.openclaw/workspace/projects/moltpay/data/vault.json), or (c) derive and use signing keys based on an API key. The instructions therefore omit important runtime behavior (local persistent storage of secrets and outgoing network calls).
Install Mechanism: noteThere is no install spec (instruction-only), which is low risk for arbitrary downloads. The package contains Python scripts and a package.json; the latter's Node-style metadata conflicts with the Python implementation but does not itself introduce an external download/URL risk. This inconsistency should be clarified but the install mechanism does not appear to pull remote code during install.
Credentials: concernThe code requires an API key / auth token (used in Authorization headers and as the basis for a derived signing key) and will store derived secrets locally, but the skill declares no required environment variables or primary credential. The skill will therefore need sensitive credentials at runtime despite not requesting them up-front — a proportionality and transparency problem. Storing secure_id and derived keys to disk in a hard-coded root-level path increases the risk of leakage by other local processes/skills.
Persistence & Privilege: concernAlthough always:false, the implementation creates a persistent vault file at a fixed absolute path under /root/.openclaw/... and permanently links a vault to an account ID. This grants the skill durable local state (including secrets) without declaring or justifying it. The hard-coded root path may require elevated privileges and can be accessed by other local components, increasing exposure.