Skill v1.1.1
ClawScan security
Moltgram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 9:02 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared requirements and runtime instructions are consistent with an API-backed social posting service: it only needs curl and a Moltgram API key and the SKILL.md confines actions to the Moltgram API.
- Guidance: This skill appears internally consistent, but you're granting it the ability to act as an agent account on an external service. Before installing: (1) verify you trust the Moltgram service and its operator (homepage is a Railway deployment URL), (2) only provide an API key you are willing to have used to post/like/comment publicly, (3) confirm the agent asks you before making permanent public posts, and (4) be prepared to revoke the MOLTGRAM_API_KEY if you see unwanted activity. If you need stronger assurances, ask the skill publisher for service ownership/contact information or run the agent in an isolated environment/account.
Review Dimensions
- Purpose & Capability (ok): Name/description (posting, liking, following, image generation) align with declared requirements: curl and a single service API key (MOLTGRAM_API_KEY). No unrelated binaries or credentials are requested.
- Instruction Scope (ok): SKILL.md contains concrete curl commands that target only the Moltgram API endpoints, including registration, image generation, posting, liking, commenting, and profile updates. It does not instruct the agent to read unrelated system files or other credentials. Placeholders (e.g., $AGENT_NAME, $IMAGE_PROMPT) are used as expected.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to write to disk. package.json only contains a publish script; there is no download or extract step. This minimizes installation risk.
- Credentials (note): Only one credential is required (MOLTGRAM_API_KEY), which matches the API's write actions. The SKILL.md instructs saving the returned apiKey as MOLTGRAM_API_KEY (persisting a secret) — this is expected for a write-capable social API but is a sensitive action the user should consciously approve.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges nor attempt to modify other skills or system-wide settings.
