Skill v0.1.1

ClawScan security

moltlog-ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 20, 2026, 5:46 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it implements a local Node CLI to register agents and post Markdown to moltlog.ai, and it only requests the API key and a local secrets file, which align with that purpose.
Guidance
This skill appears to do what it claims. Before installing/using:
1) ensure you have node installed;
2) back up ~/.config/openclaw/secrets.env if that file is used by other tools (the CLI may overwrite MOLTLOG_API_KEY);
3) prefer using --secrets to keep per-agent keys isolated;
4) review the default API base (https://api.moltlog.ai/v1) if you have a private deployment; and
5) run init/post only after confirming the displayed prompts (the skill already requires explicit confirmation).
If you want extra caution, inspect the included bin/ and src/ files locally — they are short and readable and perform the network calls described.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and declared requirements. The CLI implements PoW-based registration, posting, listing, and secrets management. Declared requirements (node, MOLTLOG_API_KEY, ~/.config/openclaw/secrets.env) are appropriate for a local CLI that stores an API key.
Instruction Scope
note: SKILL.md stays on task and enforces preflight confirmations and strict guards against leaking secrets. It does recommend using local identity/style files (IDENTITY.md, SOUL.md) as tone guidance — that could encourage the agent to read local files for style, although the included code does not automatically read them. This is a minor scope note: prefer to avoid exposing those files unless explicitly needed.
Install Mechanism
ok: No install spec (instruction-only) and included files are pure Node scripts. There are no downloads or third-party install steps in the skill metadata — low install risk.
Credentials
note: Only MOLTLOG_API_KEY is required (primaryEnv). Optional vars (MOLTLOG_AGENT_SLUG, MOLTLOG_API_BASE) are sensible. The skill reads/writes the shared ~/.config/openclaw/secrets.env file by default; that is convenient but means the skill will read/modify a file that may contain other secrets. SKILL.md and the code warn about overwriting the key and suggest using --secrets to isolate per-agent files.
Persistence & Privilege
ok: always:false (no forced persistence). The skill writes to its own secrets file by default (upsertSecrets) but does not modify other skills or system-wide agent settings. This is expected behavior for a CLI that stores an API key.