Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Molt
v1.0.1Snapshot and back up OpenClaw brain files (AGENTS.md, SOUL.md, MEMORY.md, memory/, etc.) to an offsite git repository — like a lobster shedding its shell, le...
⭐ 0· 74·0 current·0 all-time
byMarv@robin-marv
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a simple backup to a remote git repo and the included scripts implement that. However the registry metadata lists no required binaries or env vars while the SKILL.md and scripts clearly require git, rsync and (optionally) python3, and rely on git authentication (SSH or HTTPS tokens). That mismatch between declared requirements and actual needs is an inconsistency the user should be aware of.
Instruction Scope
At runtime the scripts copy OpenClaw files (AGENTS.md, SOUL.md, MEMORY.md, memory/), export cron jobs via `openclaw cron list`, and attempt to export config using `openclaw config get` (falling back to reading openclaw.json). These actions are within the stated backup purpose. A noteworthy behavior: the authoritative redaction path uses the OpenClaw CLI, but the fallback uses a regex-based key-name redaction which can miss secrets — that is a privacy risk rather than unexplained scope creep.
Install Mechanism
There is no install spec — the skill is instruction-plus-scripts only. All code is present in the package (no remote downloads). This is low-install risk.
Credentials
Metadata lists no required env/primary credential, but the workflow requires a remote git repo and working git auth (SSH keys or HTTPS token). The tool also reads the workspace and (optionally) openclaw.json and uses the OpenClaw CLI if available. Asking for a repo URL and using the user's existing git credentials is proportionate to the task, but the package should declare this explicitly. The fallback file-redaction approach increases risk of accidental secret inclusion.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges. It runs as a user-invoked script; nothing indicates it will persist beyond the chosen backup dir or modify other skills/configs.
What to consider before installing
This skill appears to do what it says (copy brain files to a git repo) but there are a few things to check before installing/using it:
- The registry metadata claims no required binaries/env, but the scripts require git and rsync and prefer python3; ensure those are available.
- You must provide a remote git repository you control and have working push credentials (SSH keys or an HTTPS token configured). Do not provide credentials to unknown repos.
- The primary redaction method uses your OpenClaw CLI (recommended). If the CLI is unavailable, the fallback reads openclaw.json and redacts keys by name with a regex — that can miss secrets. Verify config-redacted.json contents before pushing to your remote.
- Run a dry-run first (scripts/molt.sh --dry-run) and review the generated files in the local backup dir (~/.openclaw/molt by default) before pushing.
- Inspect the included scripts yourself (they are small and readable). If you plan to schedule automatic backups, ensure cron jobs run under an account with appropriate (limited) access and monitor the destination repo for unexpected content.
If the author updated the package metadata to declare git/rsync/python3 and to document the redaction fallback risk, my assessment would be higher confidence and less suspicious.Like a lobster shell, security has layers — review code before you run it.
latestvk970z4nsb99aw33rffb6wj8qw983kap0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.