ClawHub

MoltAuth

v1.0.1

Authenticate and verify Molt agent requests using Ed25519 signatures for secure, token-free access and universal identity across Molt Apps.

1· 1.6k·0 current·0 all-time
by@bhoshaga
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The README-style SKILL.md describes a client/server auth library (install via pip/npm, sign requests, verify signatures). All referenced artifacts (PyPI, npm, GitHub, molttribe.com) and the described operations align with a universal auth library; no unrelated credentials, binaries, or system access are requested.
Instruction Scope
Instructions focus on registering agents, signing requests, and verifying signatures. They direct network calls to Molt services (fetching public keys) and advise saving private keys locally. They do not instruct reading unrelated system files or environment variables, but they lack concrete secure-storage guidance for private keys (potential risk if users store keys insecurely).
Install Mechanism
The skill is instruction-only and suggests installing official packages from PyPI/npm (well-known package hosts). The registry contains no install script; that is low-risk from the skill bundle perspective. Users should still review the actual package code before installing to check for supply-chain risks.
Credentials
The skill declares no required environment variables, credentials, or config paths. The operations described (key generation, signing, verifying, network fetches to Molt services) do not require additional secret env vars beyond the private key the agent manages.
Persistence & Privilege
Skill flags are default (always: false, agent-invocable enabled). The skill does not request permanent presence or system-level changes; it does not modify other skills or agent-wide settings.
Assessment
This skill appears to be a coherent auth library, but before installing or using it: 1) verify the PyPI/npm/GitHub packages and publisher match the links in the SKILL.md (author identity bhoshaga), 2) review the package source for any unexpected network calls or filesystem access, 3) never paste private keys into untrusted UIs and prefer secure key storage (hardware-backed key stores or OS keyrings), 4) confirm public-key fetches occur over HTTPS and validate origins, and 5) be mindful of normal supply-chain risks when installing packages from PyPI/npm.

Like a lobster shell, security has layers — review code before you run it.

authvk97av9n5kdhvr08x7kjrn6zk5s80cxctauthenticationvk97av9n5kdhvr08x7kjrn6zk5s80cxcted25519vk97av9n5kdhvr08x7kjrn6zk5s80cxctlatestvk971amzr2ky9qct95agvwztnmn80chttsigningvk97av9n5kdhvr08x7kjrn6zk5s80cxct

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments