Skill v0.4.6

ClawScan security

Nomtiq · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 23, 2026, 11:38 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and runtime instructions broadly match a restaurant‑finder use case, but there are inconsistencies in declared requirements and a prompt‑injection indicator plus optional external posting that warrant caution before installing.
Guidance
Things to check before installing or enabling Nomtiq:
- Clarify env var requirements: SKILL.md expects AMAP_KEY, SERPER_API_KEY and MOLTBOOK_API_KEY but top‑level metadata listed none. Only provide keys you trust and intend to use. Use least‑privilege keys (e.g., restrict referer/IP and quotas).
- Review the scripts (search_*.py, profile.py, moltbook.py) yourself (or in a sandbox) to confirm what data is read, written, and sent. Pay attention to what profile data is posted when you enable Moltbook sharing.
- Treat Moltbook sharing as potentially exfiltrative: it will send restaurant records externally (claimed anonymous, limited to 2/day); only opt in if comfortable.
- Remove or sanitize any unicode control characters in SKILL.md to eliminate prompt‑injection risk before letting an LLM execute skill prompts.
- If you want extra safety, run the skill in an environment with network egress controls (or a proxy) so you can observe and limit outbound requests (especially to third‑party endpoints like google.serper.dev and www.moltbook.com).
- If you lack the ability to audit Python code, prefer not to install the skill, or only enable it with network access restricted and without enabling Moltbook posting.

I have medium confidence in this assessment because the code and instructions mostly align with the declared purpose, but the metadata mismatch and prompt‑injection signal raise nontrivial concerns that should be resolved before trusting the skill with keys or private data.
Findings
[unicode-control-chars] unexpected: Unicode control characters found in SKILL.md can be used in prompt injection to alter LLM parsing or to hide text; this is not required for a restaurant finder and should be investigated/removed.

Review Dimensions

Purpose & Capability
note: The scripts and SKILL.md implement searches (map (地图)/Google/Yelp/Reddit), user taste profile management, and optional anonymous sharing to a Moltbook endpoint — all coherent with a restaurant‑finder. However, the registry metadata at the top of the evaluation said “Required env vars: none” while SKILL.md and AGENT_GUIDE list AMAP_KEY, SERPER_API_KEY, and MOLTBOOK_API_KEY; that mismatch is unexpected and should be clarified.
Instruction Scope
concern: Runtime instructions and AGENT_GUIDE tell the agent to run many Python scripts that read/write local profile files, call multiple external APIs, and optionally post anonymous reviews to Moltbook. The SKILL.md contains a detected 'unicode-control-chars' injection pattern which could be used to manipulate downstream LLM prompts. Also, promotion documentation and scripts discuss broadcasting/marketing the skill (posting examples to social platforms); this increases the chance that user data might be shared if those options are enabled. Overall the actions go beyond purely local recommendation text generation and include external network activity and optional data sharing.
Install Mechanism
ok: No package download/install spec; it's instructions plus scripts that run with the system Python. No remote installers or archive downloads were requested in the manifest, which reduces install risk. The code files are present and executed locally.
Credentials
note: Requested API keys (AMAP_KEY for Amap, SERPER_API_KEY for Serper, MOLTBOOK_API_KEY for Moltbook) are proportionate to the stated external calls. But the top-level registry metadata claiming no required env vars contradicts the SKILL.md's declared env needs; that inconsistency could hide surprising network access. Moltbook posting is opt‑in, but if enabled it would transmit user‑recorded restaurant entries externally (even if claimed 'anonymous').
Persistence & Privilege
ok: The skill does not set always:true and doesn't request elevated system privileges. It stores and updates local profile JSON files (expected for personalization) and does not declare modifications to other skills or global config.