Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mova Spec Authoring

v1.0.1

Author a new MOVA-spec contract from a pre-contract — translate intent calibration output into a complete MOVA artifact (envelope, instruction profile, episo...

by Sergii Miasoiedov (@mova-compact)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
Name and description match the instructions' goal (translate a pre-contract into a MOVA JSON contract). However, the SKILL.md explicitly requires the `openclaw-mova` plugin and a local MOVA spec path (/home/mova/.openclaw/workspace/mova-spec/), neither of which is declared in the registry metadata (no declared dependency or required config paths). That mismatch suggests the metadata understates what the skill needs.
[!] Instruction Scope
The instructions ask the agent to validate against a local filesystem path and to consume a pre-contract produced by another MOVA skill. They instruct the user to paste the pre-contract (acceptable) but also expect access to /home/mova/.openclaw/workspace/mova-spec/ for schema validation and require the `openclaw-mova` plugin. The metadata did not declare file access or plugin dependency. There are no explicit instructions to transmit data externally, but the SKILL.md implies later submission to a MOVA runtime without specifying endpoints or network behaviors (truncated).
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. This is the lowest-risk install mechanism, but runtime file access still matters.
[!] Credentials
The skill declares no required env vars or config paths in metadata, yet the SKILL.md depends on a specific local path for schema validation and on another plugin. That is disproportionate: either the metadata should declare the required config path and dependency, or the instructions should avoid implicit local access. There are no explicit secrets requested, but undeclared access to a home directory path could expose local schema files.
Persistence & Privilege
`always` is false and there is no install-time persistence or cross-skill config modification indicated. The skill does not request elevated/system-wide privileges in the metadata.
What to consider before installing
Before installing, ask the skill author to clarify and fix the metadata/instructions mismatch: 1) explicitly declare the dependency on the openclaw-mova plugin and any other required skills; 2) list any local filesystem paths the skill will read (the SKILL.md references /home/mova/.openclaw/workspace/mova-spec/); 3) explain whether the skill will transmit the generated contract to any external runtime (which endpoints and authentication are used). Do not paste sensitive pre-contract data until you verify where and how the skill reads or transmits files. If you proceed, run it in a restricted or sandboxed environment and review all generated artifacts and any network activity. If the author updates the manifest to declare the plugin and config path (or removes implicit filesystem access), this assessment could move to benign.
