Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mova User Contract Setup

v1.0.1

Walk the user through registering their own MOVA contract — from source_url to first successful run. Trigger when the user says "register my contract", "add...

by Sergii Miasoiedov @mova-compact
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md repeatedly calls tooling such as mova_register_contract, mova_run_contract, mova_set_contract_visibility, etc., and states it 'Requires the `openclaw-mova` plugin', but the skill metadata provided lists no plugin dependency or required tools. That is an incoherence: the skill cannot operate as described unless the openclaw-mova plugin (or equivalent toolset) is present and authorized.
Instruction Scope
Instructions stay on-task: collecting an HTTPS source_url, manifest fields, registering, changing visibility, and running tests. The skill explicitly forbids manually fetching contract JSON and forbids inventing contract_id/run_id. One operational note: collecting run inputs can involve sensitive data — the skill doesn't instruct where inputs are stored beyond calling MOVA tools, so users should avoid entering secrets unless they trust the MOVA plugin/service.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
! Credentials
The skill requests no environment variables or credentials itself, which is reasonable. However, it assumes an external MOVA plugin will perform authenticated API calls and permission checks; the lack of an explicit declared dependency on that plugin (and no note about required auth or org permissions) is a proportionality mismatch that should be clarified.
Persistence & Privilege
always:false and user-invocable — the skill does not claim permanent/system-wide presence. It does perform state-changing operations (register, set visibility, delete) via MOVA tools, which is consistent with its purpose.
What to consider before installing
This skill's instructions are coherent for registering and testing a MOVA contract, but it relies on the 'openclaw-mova' plugin/tooling to do the real work and that dependency is not declared in the metadata provided. Before installing or using the skill:
1) Confirm the openclaw-mova plugin is installed and trustworthy and that you understand how it authenticates (the skill assumes that plugin will handle credentials).
2) Be cautious about making a contract public — public visibility exposes your contract to all MOVA users.
3) Do not paste secrets into test inputs unless you trust the MOVA backend and know where inputs are stored/audited.
4) Ask the skill publisher to fix metadata so the dependency on openclaw-mova (and any required permissions) is explicit; if they cannot, treat the skill as incomplete and verify tooling manually before proceeding.
