ClawHub

Moltcops Skill

Pre-install security scanner for AI agent skills. Detects malicious patterns before you trust code. Local-first — code never leaves your machine.

duplicate of @adamthompson33/moltcops

Audits

Pass
ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install moltcops-skill

MoltCops — Skill Security Scanner

Scan any skill for security threats before you install it. Detects prompt injection, data exfiltration, sleeper triggers, drain patterns, and 16 more threat categories.

Local-first. Your code never leaves your machine. No API calls. No uploads. No accounts.

When to Use

  • Before installing any skill from ClawHub, GitHub, or other sources
  • Before running skills shared by other agents
  • When evaluating unknown code from any source
  • After ClawHavoc: 341 malicious skills were found on ClawHub this week. Scan first.

How to Run

python3 scripts/scan.py <path-to-skill-folder>

Example:

# Scan a skill before installing
python3 scripts/scan.py ~/.openclaw/skills/suspicious-skill

# Scan a freshly downloaded skill
python3 scripts/scan.py ./my-new-skill

No dependencies required — uses only Python 3 standard library.

Reading Results

The scanner returns three verdicts:

VerdictExit CodeMeaning
PASS0No critical or high-risk threats detected. Safe to install.
WARN1High-risk patterns found. Review findings before installing.
BLOCK2Critical threats detected. Do NOT install this skill.

What It Detects

20 detection rules across these threat categories:

CategoryRulesExamples
Prompt InjectionMC-001, MC-002, MC-003System prompt override, jailbreak payloads, tool-use steering
Code InjectionMC-004, MC-005, MC-006, MC-019Shell injection, eval/exec, base64-to-exec, child_process
Data ExfiltrationMC-007, MC-008, MC-009, MC-010, MC-020Webhook URLs, env var harvesting, SSH key access, credential files
Hardcoded SecretsMC-011, MC-012API keys in source, private key material
FinancialMC-013Drain patterns, unlimited withdrawals
Lateral MovementMC-014Git credential access, repo manipulation
PersistenceMC-015, MC-016SOUL.md writes, cron job creation
Autonomy AbuseMC-017Destructive force flags (rm -rf, git push --force)
InfrastructureMC-018Permission escalation (sudo, chmod 777)

False Positive Handling

The scanner includes context-aware filtering to reduce false positives:

  • Env var access (MC-008): Only flags when variable names contain KEY, SECRET, PASSWORD, TOKEN, or CREDENTIAL
  • Git operations (MC-014): Skips standard remotes (github.com, gitlab.com, bitbucket.org)
  • Force flags (MC-017): Only flags on destructive operations, not install scripts

Example Output

MoltCops Security Scanner
========================================
Scanning: ./suspicious-skill
Files: 5
Rules: 20

FINDINGS
----------------------------------------
[CRITICAL] MC-007: Exfiltration URL (main.py:14)
[CRITICAL] MC-004: Shell Injection (helper.sh:8)
[HIGH] MC-005: Dynamic Code Execution (main.py:22)

SUMMARY
========================================
Files scanned: 5
Total findings: 3
  Critical: 2
  High:     1
  Medium:   0

VERDICT: BLOCK
Critical threats detected. Do NOT install this skill.

Web Scanner

For a browser-based version with the same engine, visit: https://scan.moltcops.com

About MoltCops

MoltCops protects the AI agent ecosystem from malicious skills. While VirusTotal catches known malware signatures, MoltCops catches behavioral patterns — drain logic, sleeper triggers, prompt injection, and data exfiltration that signature-based scanning misses.