Mobb Vulnerabilities Fixer
v0.1.2

Scan, fix, and remediate security vulnerabilities in a local code repository using Mobb MCP/CLI. Use when the user asks to scan for vulnerabilities, run a security check, auto-fix issues, remediate findings, or apply Mobb fixes (e.g., "scan this repo", "fix security issues", "remediate vulnerabilities", "run Mobb on my changes").
by Jonathan Santilli (@jonathansantilli)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)

Verdict: Benign (medium confidence)

Purpose & Capability
The skill's name and description match the runtime instructions: it drives an existing Mobb MCP/CLI to scan a local repo and apply fixes. It expects MCP to be available and instructs the agent to call MCP APIs such as scan_and_fix_vulnerabilities and fetch_available_fixes, which is appropriate for the stated purpose. Minor gap: metadata declares no required binaries/env but the instructions assume an external MCP service/tool is present (the skill explicitly tells the agent not to install/launch MCP itself).
Instruction Scope
SKILL.md stays within the scope of scanning and applying fixes: it requires an absolute repo path, uses pagination rules, asks for explicit user consent before applying patches, and instructs not to auto-rescan or auto-page. No instructions request broad system access or tell the agent to read unrelated files. Notable inconsistency: references/mobb-auth.md says 'Do not read or request environment variables directly' while SKILL.md says 'Prefer API_KEY in the environment'; this is contradictory guidance about how the agent should obtain credentials and should be clarified.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, which minimizes installation risk. The skill assumes MCP is locally available but explicitly forbids installing or launching it on the agent's behalf.
Credentials
Declared requirements list no environment variables or credentials, but the instructions reference an API key (API_KEY or MOBB_API_KEY) and an optional API_URL/WEB_APP_URL for non-default tenants. This is reasonable for a client that interacts with a service, but the metadata could be clearer. The contradictory guidance about 'do not read env vars directly' vs. 'prefer API_KEY in the environment' should be resolved: the agent must not attempt to exfiltrate secrets and should only use creds the user explicitly provides or configures locally.
Persistence & Privilege
The skill is not always-included and does not request persistent system-wide privileges. It instructs the user to run their own MCP service and does not attempt to modify other skills or system settings.
Assessment
This skill appears to do what it says: it drives your local Mobb MCP/CLI to scan a repository and apply fixes, but expects you to (1) run and trust the MCP service/tool locally, (2) provide or configure a Mobb API key or complete the browser login flow yourself, and (3) review and explicitly approve any patches before they are applied. Before installing/invoking: ensure your local MCP binary/server is from a trusted source, be prepared to authenticate via the browser flow or set an API key locally (the skill's docs are slightly inconsistent about whether the agent should read env vars), and do not allow the skill to auto-apply fixes without your explicit consent. If you want greater assurance, ask the skill author to clarify which environment variables it reads, or require the agent to only accept credentials that you paste into the session at runtime rather than reading them from the environment automatically.
latest: vk973dffa0hx05xk1zrjx4qqhkd80qnhx
