Moss

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a documentation-only Moss reference; it is not obviously malicious, but it describes credentialed APIs that can store, sync, modify, or delete project search data.

This skill appears safe as documentation, but do not provide a Moss project key or let an agent call create, update, or delete APIs unless you intend it. Avoid indexing sensitive documents unless you understand Moss storage, retention, and cloud-sync settings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is supplied, the agent may be able to act within the associated Moss project depending on the key's permissions.

Why it was flagged

The skill declares a Moss project access key as a secret credential, which is expected for using Moss APIs but gives the agent/integration access to a Moss project.

Skill content
"primaryCredential": "MOSS_PROJECT_KEY" ... "name": "MOSS_PROJECT_KEY" ... "secret": true

Recommendation

Provide a Moss key only when you intend to use the integration, prefer least-privilege or project-scoped keys, and rotate the key if it is exposed.

What this means

If used with credentials, these APIs could change or delete search indexes and documents.

Why it was flagged

The documentation includes management operations that can mutate or delete Moss project data. This is coherent for an API reference, but users should notice the potential impact before letting an agent call these actions.

Skill content
`deleteIndex` | Remove an index record and assets ... `addDocs` | Upsert documents into an existing index ... `deleteDocs` | Remove documents by ID

Recommendation

Require explicit user confirmation for create, upsert, and delete actions, and keep backups or recovery procedures for important indexes.

What this means

Documents added to Moss may persist in indexes and could later be retrieved into agent context.

Why it was flagged

Moss stores searchable representations of documents and may sync them to the cloud, which is normal for a semantic search service but relevant for sensitive or private content.

Skill content
The platform handles embedding generation, index persistence, and optional cloud sync

Recommendation

Index only data you are comfortable storing in Moss, understand whether cloud sync is enabled, and treat retrieved document text as untrusted context when agents use it.