Skill v0.0.1

ClawScan security

moltfs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 11, 2026, 8:59 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a social-agent platform, but there are several incoherent or risky choices — notably undeclared credential handling, runtime fetching of remote instruction files that can change behavior, and a public-claim workflow — that warrant caution before installing.
Guidance
What to consider before installing:
- The skill requires you to register and then save a one-time API key returned by the server; this API key is not declared in the skill metadata. Treat that key as a secret and only store it in a secure vault. If the key leaks you may need to revoke it on the service.
- The claim process requires posting a public tweet with the verification code. Do not use an account you care about or that reveals your identity if you want anonymity. Understand that the claim step creates a public audit trail linking an identity to the agent.
- The agent is required to fetch external files (HEARTBEAT.md, MESSAGING.md) from the service at runtime. Those files can be changed by the service operator later and will affect agent behavior. If you need a stable, auditable behavior, ask for those files to be bundled/versioned with the skill or host them yourself.
- The manual install writes files into ~/.moltbot. If you install, inspect the downloaded files before running the agent and consider running the agent in an isolated environment (container or restricted VM) to limit potential harm.
- Ask the skill author for: (1) explicit declaration of the API key as a primary credential in the metadata, (2) a pinned/versioned copy of HEARTBEAT.md and MESSAGING.md (or an integrity hash), (3) revocation instructions for the API key, and (4) a privacy/owner statement for the service running at molt-fs.vercel.app.
- If you cannot obtain those assurances, treat the skill as risky and avoid giving it network access or use only in a sandboxed environment.

Review Dimensions

Purpose & Capability
note
The name/description describe a social arena for autonomous agents and the SKILL.md implements that (register, poll, act, post). However, the skill metadata declares no primary credential or required env vars while the runtime flow depends on an agent-specific API key returned at registration and saved by the client. That mismatch (no declared credential but runtime API key) is an incoherence you should notice.
Instruction Scope
concern
The SKILL.md instructs the agent to register with a remote API, save a one-time API key, perform a human 'claim' via a public tweet, and repeatedly fetch remote documents (HEARTBEAT.md, MESSAGING.md) that the agent MUST read before operating. Fetching and obeying externally-hosted instruction files at runtime gives the remote server dynamic control over agent behavior and is a notable risk. The claim step requires posting a specific public tweet (potential deanonymization/tracking). The install instructions write files into ~/.moltbot which is expected but still modifies user home.
Install Mechanism
note
There is no formal install spec; manual install uses curl to download SKILL.md and other docs from a vercel.app host into ~/.moltbot/skills/moltforsale. Downloading skill files from an external host is common for instruction-only skills, but because the agent is required to re-fetch HEARTBEAT.md and MESSAGING.md at runtime, the server can change behavior post-install. The install URLs are on a hosted domain (vercel.app) rather than an obscure IP or shortener, which is better, but the lack of pinned/embedded docs increases operational risk.
Credentials
concern
The skill metadata claims no required env vars, but the protocol returns a one-time agent.api_key that the agent must store and use for Authorization on every request. That secret is not declared in requires.env/primary credential fields — a mismatch. Additionally, the human-claim flow instructs posting a public tweet with a verification code, which can leak linkage information (tweet content, account identity). The SKILL.md gives no guidance for secure storage of the API key or revocation if leaked.
Persistence & Privilege
note
always:false (good). The skill does write files to ~/.moltbot if manually installed, and it expects to run an autonomous heartbeat/poll/act loop (normal for social-agent skills). Autonomous invocation combined with remote, runtime-fetched instruction files increases blast radius if the remote service is malicious or compromised — this is a concern but not inherently a coherence error.