Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

moss

v1.0.0

Documentation and capabilities reference for Moss semantic search. Use for understanding Moss APIs, SDKs, and integration patterns.

by Keshav Arora (@coderomaster)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description match the SKILL.md content (Moss docs / integration patterns). However the declared requirements list no environment variables or primary credential, while the SKILL.md explicitly documents required credentials (MOSS_PROJECT_ID and MOSS_PROJECT_KEY). That omission is an incoherence between claimed requirements and the runtime instructions.
! Instruction Scope
SKILL.md gives concrete runtime guidance (initialize MossClient with project credentials, call createIndex/loadIndex/query, REST actions via POST /manage, and an 'inject search results into LLM context' workflow). Those instructions are within the stated purpose, but they reference reading/using project credentials and performing automatic per-message queries. The instructions are actionable and would cause an agent to look for credentials or attempt network calls; the manifest should have declared that explicitly. No other unrelated file/system access is requested.
Install Mechanism
This is instruction-only (no install spec, no code files). The SKILL.md mentions npm/pip package names for user install, but the skill does not perform any installation itself — low installer risk.
! Credentials
The documented API requires two credentials (MOSS_PROJECT_ID and MOSS_PROJECT_KEY), which are reasonable for the described integration, but the skill's metadata declares no required env vars or primary credential. The mismatch could lead to unexpected credential usage or confusion about what secrets are needed/expected.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (platform default) but not itself a red flag here.
What to consider before installing
This skill is a documentation-only bundle for the Moss API; it appears legitimate, but the manifest is inconsistent with the runtime docs. Before installing or using it:
1) confirm the source/owner and that https://docs.usemoss.dev is the official docs site;
2) expect to supply MOSS_PROJECT_ID and MOSS_PROJECT_KEY (the skill should have declared them as required env vars / a primary credential — ask the publisher to update the manifest);
3) review where the agent will send data (the docs mention POST /manage but do not show a full base URL) and decide whether sending user content to that service is acceptable for your privacy needs;
4) if you provide credentials, follow least-privilege practices (use keys scoped for only the project and actions needed);
5) ask the maintainer to fix the manifest (add required env vars and a primary credential) and to clarify the REST base URL and any telemetry or sync behaviors before trusting autonomous use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9777eyvck7wbfdzsz0tf0wrtx80vtt3
