Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mova Contract Writer
v1.0.0
Translate a pre-contract (output of mova-intent-calibration) into a complete, valid MOVA contract — envelope, data schema references, instruction profile, an...
by Sergii Miasoiedov @mova-compact
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes translating a pre-contract into a MOVA contract and the instructions align with that purpose (parsing pre-contract, mapping fields, drafting envelope/instruction profile, human review). However, the doc requires access to a local MOVA spec at /home/mova/.openclaw/workspace/mova-spec/ which is not declared in the skill's required config paths or environment; this is an unexplained mismatch.
Instruction Scope
Runtime instructions ask the agent to validate against a MOVA spec located at a specific local filesystem path (/home/mova/...), which implies the agent must read files from the host filesystem. The skill metadata declared no required config paths or files, so the instructions reference system state that wasn't disclosed. Apart from that, the instructions solicit the pre-contract from the user (paste), present drafts for human approval, and do not instruct network exfiltration or other broad data collection in the visible portion.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing will be written to disk by an installer. This is the lowest-risk install model.
Credentials
The skill requests no environment variables or credentials (metadata shows none), which is proportionate to its stated function. However, it does implicitly require filesystem access to a specific MOVA spec path; that required config path should have been declared in the metadata but was not.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent or elevated privileges in the metadata. The instructions do not indicate modifying other skills or global agent settings.
What to consider before installing
This skill appears to perform the advertised translation work, but the SKILL.md explicitly expects a local MOVA spec at /home/mova/.openclaw/workspace/mova-spec/ for validation while the published metadata lists no required config paths. Before installing or using the skill: (1) confirm where the MOVA spec is expected to live and whether the agent will be allowed to read that path; (2) if you don't want the agent to access host files, ask the author to make schema validation optional or allow providing the spec as an uploaded artifact; (3) avoid pasting any sensitive secrets into the pre-contract you provide, and inspect the remainder of SKILL.md (it was truncated here) to ensure it doesn't later instruct network submissions or other file reads; (4) request that the author update the metadata to declare the required config path (or remove the hardcoded path) so the skill's declared requirements match its runtime behavior. Providing the full SKILL.md or clarification from the author would raise confidence and could change this assessment to benign.
Like a lobster shell, security has layers — review code before you run it.
latest vk976w0paewg5n9ajxewzqgf9mx83x22e
