Skill v2.0.0
ClawScan security
Moltalyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 6, 2026, 8:49 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (a public intelligence API) matches its instructions and requirements: it only calls public endpoints, requires node/fetch for client examples, and requests no secrets or elevated privileges.
- Guidance: This skill appears coherent and limited to calling a public API. Before installing: (1) confirm you trust https://api.moltalyzer.xyz (verify TLS and the site); (2) be aware the install step runs `npm install node-fetch`, which will install a package into the agent runtime, so only run it if you allow outbound npm installs; (3) avoid sending sensitive or private data to the API (feedback endpoints accept POST data); (4) review paid-endpoint mechanics and costs (x402 on-chain payment) so your agent doesn't accidentally incur charges; and (5) test using the sample endpoints first to validate responses and rate limiting. If you need higher assurance, request the publisher's OpenAPI spec and confirm the domain ownership before deploying widely.
Review Dimensions
- Purpose & Capability (ok): Name/description (real-time intelligence feeds) aligns with the actual behavior: SKILL.md contains API docs, polling patterns, and code examples for a public API. Requiring the node binary is plausible for the provided JavaScript examples; no unrelated services or credentials are requested.
- Instruction Scope (ok): Runtime instructions are limited to calling public HTTPS endpoints (GET/POST) on api.moltalyzer.xyz and providing sample polling/error-handling logic. There are no instructions to read local files, environment secrets, or to transmit data to unexpected third parties.
- Install Mechanism (note): The skill includes an install step that runs `npm install node-fetch`. This is a single public npm package (moderate trust surface compared to no install). It's proportionate to the JS fetch examples but will modify the runtime environment where the agent runs; verify that running npm is acceptable in your environment.
- Credentials (ok): No environment variables, credentials, or config paths are required. Paid endpoints are described (on-chain/x402 payments), but the skill does not request payment keys or secrets. This is proportionate to the described functionality.
- Persistence & Privilege (ok): Skill is not always-enabled, does not request system-wide configuration changes, and allows agent invocation normally. It does not ask to modify other skills or store credentials.
