Mobb Vulnerabilities Fixer
Review. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Mobb security-fixing purpose, but one monitoring workflow can trigger scans and possibly automatic code changes without a clear confirmation step.
Use this skill only if you are comfortable sending the selected repository content to Mobb. Start a trusted Mobb MCP server yourself, protect your API key, review every patch before applying it, and ask the agent not to run the end-of-session fresh-fix check unless you explicitly approve it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent could trigger a Mobb check that changes local repository files automatically if the user's Mobb setup has auto-fix enabled.
The skill directs the agent to invoke a tool proactively at session end even though the tool can apply code changes automatically, leaving no clear pre-action consent step for that high-impact behavior.
Evidence: "Call `check_for_new_available_fixes` once at the end of a session after edits/tests... If auto-fix is enabled, fixes may be applied automatically; tell the user to review and commit changes."
Recommendation: Require explicit user approval before running this monitoring tool, especially when auto-fix or full/background scans may be enabled.

2. Your Mobb account/API token may be used by the local MCP server to scan repositories and fetch fixes.
The skill relies on Mobb account credentials and stored API tokens. This is expected for the integration, and the artifact tells the agent not to read environment variables directly.
Evidence: "The user should configure authentication on their machine (for example, by setting `API_KEY` before launching MCP)... MCP polls for an encrypted API token, decrypts it locally, and stores it for future use."
Recommendation: Use a properly scoped Mobb API key, keep it out of chat, and revoke it if you no longer use this workflow.

3. Files from the target repository may leave your machine for Mobb analysis during scans.
The Mobb MCP workflow can upload selected repository content or scan data to the Mobb service. This is purpose-aligned but may involve proprietary or sensitive code.
Evidence: "`rescan: true` forces a new scan and upload. Supplying `maxFiles` also forces a new scan."
Recommendation: Confirm the repository path and file scope before scanning, avoid scanning secrets or unrelated private files, and use approved tenant endpoints if required.

4. If the wrong or untrusted MCP server is running, repository data and patch actions could be handled by an unintended tool.
The skill depends on an external MCP server that is not included in the reviewed package. The instruction appropriately shifts setup to the user, but the provenance of the running MCP server remains important.
Evidence: "Do not install or launch MCP yourself. Ask the user to start the Mobb MCP server on their machine using their approved process and confirm it is running before you proceed."
Recommendation: Start only the official or organization-approved Mobb MCP server and verify its configuration before using the skill.
