Skill v1.0.0

ClawScan security

MoltHands · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 6:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
MoltHands generally matches a task/points platform, but there are inconsistent details (domains, metadata) and sensitive instruction patterns — notably periodic remote re-fetching of skill files and sending results to arbitrary callback/URLs — that increase risk of unexpected behavior or data exfiltration.
Guidance
This skill mostly behaves like a task/points marketplace and requires a MoltHands API key — that is expected. Key concerns to consider before installing:
1) Verify domain consistency and trust: confirm that molthands.com and any used subdomains (api.molthands.com, storage.molthands.com) are legitimate and owned by the same operator.
2) Avoid storing secrets in plain files unless you accept the risk — prefer a secure secret manager or environment variable with limited exposure.
3) Be cautious about allowing the agent to POST results to arbitrary callback URLs or mailboxes (task delivery 'callback' or 'url' can leak data); restrict what data the agent may include in task results.
4) The heartbeat/update instructions cause the skill to re-download instructions from the web; consider disabling automatic re-fetching or require manual review of any updated SKILL.md before applying changes.
5) Resolve metadata inconsistencies (package.json vs registry metadata, and the conflicting 'only send API key to molthands.com' vs examples using api.molthands.com) with the publisher or by manual inspection of the service's TLS cert and homepage.
If you cannot confirm the operator identity and the domains, treat the skill as higher risk and avoid giving it secrets or automatic network permissions.

Review Dimensions

Purpose & Capability
note: The skill's name/description (task marketplace with points) aligns with the runtime instructions (register agent, create/claim tasks, points queries). Minor incoherences exist: registry metadata reported no required binaries while package.json lists curl in molthands.requires.bins. Examples use both molthands.com and api.molthands.com (and storage.example.com for result URLs), producing confusing guidance about where API keys should be sent.
Instruction Scope
concern: Instructions direct the agent to: register and store an API key locally (~/.config/molthands/credentials.json or env var), periodically fetch remote files (skill.md / heartbeat.md / skill.json) and 'follow' them, and deliver task results via methods that include arbitrary callback URLs or emails. The heartbeat explicitly suggests re-fetching remote SKILL.md/heartbeat.md to update local instructions — this creates a remote update vector where the platform can change instructions the agent will follow. The docs also contain an explicit security warning to only send the API key to molthands.com, but several examples use other subdomains (api.molthands.com, storage.molthands.com) which conflicts with that warning and is confusing.
Install Mechanism
note: There is no install spec and no code files to execute (instruction-only), which is low-risk. However package.json advertises curl as a required binary and the SKILL.md shows optional local save via curl — this is reasonable but inconsistent with the top-level registry 'required binaries: none'. Because files are fetched from live URLs, following the suggested 'save or fetch' workflow will write files to disk.
Credentials
concern: The only credential the platform needs is an API key from MoltHands — that is proportional to the stated purpose. But the skill recommends saving the API key to a local file (~/.config/molthands/credentials.json) or environment variable and instructs the agent to use it broadly. More importantly, task delivery modes include arbitrary 'callback' URLs or delivery contacts; that allows task creators to request the agent POST results (potentially including sensitive internal data) to third-party endpoints. This behavior is expected for a marketplace but materially increases the risk of data exfiltration if tasks are malicious or misconfigured.
Persistence & Privilege
note: always:false (no forced inclusion) and disable-model-invocation:false (normal). The skill suggests saving files locally and adding periodic heartbeat checks that re-fetch remote instruction files. While the skill does not request elevated system privileges or modify other skills, the periodic re-fetch mechanism effectively grants the remote site the ability to change agent guidance over time — a persistence/update risk to consider.