v1.0.1

Molt

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

Molt is a disclosed backup tool, but it handles very sensitive OpenClaw memory/config data and has unsafe edge cases around extra-directory syncing and config/credential handling that should be reviewed before install.

Guidance: Install only if you intend to store your OpenClaw brain, memory, cron, and redacted config data in the configured git repository. Prefer SSH or a credential helper instead of token-in-URL auth, make the remote repo private, run a dry run first, avoid --extra-dirs until path validation is fixed, and verify any cron schedule you create.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/molt.sh
src="$WORKSPACE/$dir"; ... mkdir -p "$dir"; rsync -a --delete "$src/" "$dir/"

The optional extra directory value is taken from a flag/env var, only has spaces stripped, and is then used as both a source suffix and an unvalidated destination path with rsync --delete.

User impact: A mistaken or malicious extra-dirs value could copy unintended folders or write/delete files outside the intended backup repo.
Recommendation: Reject absolute paths and '..' components, resolve destinations strictly under the backup directory, and require dry-run or confirmation before any rsync --delete operation.
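As an added example, written for this review and not taken from Molt's molt.sh, the following Python implements the recommendation above: it rejects absolute paths and any '..' component, resolves both endpoints (following symlinks) so that the source must stay inside the workspace and the destination inside the backup repository, and refuses to build a destructive rsync --delete command unless a dry run or explicit confirmation was requested. The names validate_extra_dir, rsync_argv and UnsafeExtraDir are assumptions, and the scenario in demo() is constructed in a temporary directory.

```python
"""Added example, not Molt's molt.sh: hardening an --extra-dirs style value
before it reaches `rsync -a --delete`. validate_extra_dir, rsync_argv and
UnsafeExtraDir are assumed names; the rsync flags mirror the quoted snippet."""
import os
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeExtraDir(ValueError):
    """Raised for any extra-dir value that could reach outside the two trees."""


def _inside(child: Path, parent: Path) -> bool:
    """True if the fully resolved child lies under the fully resolved parent."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def validate_extra_dir(value: str, workspace: Path, backup_root: Path) -> tuple[Path, Path]:
    """Return (src, dst) for one extra directory or raise UnsafeExtraDir.

    Absolute paths, '..' components and an empty/'.' value are rejected up
    front; then both endpoints are resolved (symlinks followed) and checked
    for containment, so a symlinked component cannot escape either tree.
    """
    name = value.strip()
    rel = PurePosixPath(name)
    if not rel.parts:  # "" or "." would sync the whole workspace over the repo root
        raise UnsafeExtraDir(f"empty extra-dir value: {value!r}")
    if rel.is_absolute():
        raise UnsafeExtraDir(f"absolute path not allowed: {value!r}")
    if ".." in rel.parts:
        raise UnsafeExtraDir(f"'..' component not allowed: {value!r}")
    ws, root = workspace.resolve(), backup_root.resolve()
    src, dst = (ws / rel).resolve(), (root / rel).resolve()
    if not _inside(src, ws):
        raise UnsafeExtraDir(f"source escapes the workspace: {src}")
    if not _inside(dst, root):
        raise UnsafeExtraDir(f"destination escapes the backup repo: {dst}")
    if not src.is_dir():
        raise UnsafeExtraDir(f"source is not a directory: {src}")
    return src, dst


def rsync_argv(src: Path, dst: Path, *, dry_run: bool = True, confirmed: bool = False) -> list[str]:
    """Build the rsync command; a real (non-dry) --delete run needs confirmed=True."""
    if not dry_run and not confirmed:
        raise UnsafeExtraDir("refusing `rsync --delete` without a dry run or explicit confirmation")
    argv = ["rsync", "-a", "--delete"]
    if dry_run:
        argv.append("--dry-run")
    return argv + [f"{src}/", f"{dst}/"]


def demo() -> dict[str, str]:
    """Constructed scenario: temporary workspace and backup trees, one real
    extra dir ('notes') and a symlink ('escape') pointing outside the workspace."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        ws, root = tmp / "workspace", tmp / "backup"
        (ws / "notes").mkdir(parents=True)
        root.mkdir()
        os.symlink(tmp, ws / "escape")  # symlink that leaves the workspace
        for value in ["notes", " notes ", ".", "/etc", "../backup",
                      "notes/../../x", "escape/backup", ""]:
            try:
                validate_extra_dir(value, ws, root)
                results[value] = "ok"
            except UnsafeExtraDir:
                results[value] = "rejected"
    try:
        rsync_argv(Path("/w/notes"), Path("/b/notes"), dry_run=False)
        results["unconfirmed --delete"] = "ok"
    except UnsafeExtraDir:
        results["unconfirmed --delete"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case!r:>24}: {outcome}")
```

Only "notes" (with or without surrounding spaces) passes; "." and "" are refused because they would point rsync --delete at the repository root itself, and "escape/backup" is refused only because the endpoints are resolved before the containment check, which is the case a plain string check on the value would miss.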
Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
To schedule automatic backups, create a cron job pointing at this script. Example for every 6 hours: ... Or use `openclaw cron` to schedule via the assistant.

The skill explicitly supports recurring background execution through cron or assistant-managed scheduling.

User impact: After setup, sensitive brain backups can continue to run and push changes without a new prompt each time.
Recommendation: Schedule it only if recurring offsite backups are intended, review the cron job regularly, and disable it when no longer needed.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.

The registry metadata does not declare provenance or the runtime binaries that the included scripts and SKILL.md rely on.

User impact: The installer may not preflight the actual dependencies, and users have limited provenance information for the included scripts.
Recommendation: Declare git, rsync, python3/openclaw usage in metadata and provide a verifiable source repository or homepage.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/export-config.py
CONFIG_SECTIONS = ["agents", "channels", "auth", ... "session", "gateway", "messages", ...]; ... Falls back to raw config file redaction if the CLI is unavailable.

The config export includes auth/session-related sections and, if authoritative CLI redaction is unavailable, reads the raw OpenClaw config and redacts only by matching sensitive-looking key names.

User impact: Secrets, tokens, session details, or private configuration values with unrecognized key names could be committed and pushed to the remote backup repository.
Recommendation: Skip config export unless OpenClaw's authoritative redaction succeeds, or require explicit opt-in for auth/session/message sections and use stricter deny-by-default redaction.
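The difference between key-name matching and deny-by-default redaction, as an added example written for this review rather than taken from export-config.py: the constructed config below carries values whose key names do not look sensitive (a cookie, a refresh JWT, a webhook URL with an embedded signature), and find_leaks() reports which of them survive each strategy. The section names follow CONFIG_SECTIONS as quoted above; every key, value, allowlist entry and function name is an assumption made for the demonstration.

```python
"""Added example, not Molt's export-config.py: the key-name fallback described
in the finding beside a deny-by-default allowlist, run over a constructed
config. SAMPLE_CONFIG, SECRET_VALUES, ALLOWLIST and the function names are
assumptions for this demonstration."""
import json
from typing import Any

# Constructed sample. Section names follow CONFIG_SECTIONS quoted in the
# finding; every key and value here is invented.
SAMPLE_CONFIG: dict[str, Any] = {
    "agents": {"name": "main", "model": "example-model", "apiKey": "sk-example-123"},
    "auth": {"provider": "oidc", "clientSecret": "cs-example", "cookie": "sess-example-456"},
    "gateway": {"host": "127.0.0.1", "port": 8080,
                "webhookUrl": "https://hooks.example/x?sig=abc123def"},
    "session": {"lastUser": "alice", "refreshJwt": "eyJ-example"},
}
# Used only to audit the exports afterwards, never by the redactors themselves.
SECRET_VALUES = {"sk-example-123", "cs-example", "sess-example-456", "abc123def", "eyJ-example"}

SENSITIVE_HINTS = ("token", "secret", "password", "key", "credential")
REDACTED = "[REDACTED]"


def redact_by_name(obj: Any) -> Any:
    """Allow-by-default: hide a value only when its key name looks sensitive."""
    if isinstance(obj, dict):
        return {k: REDACTED if any(h in k.lower() for h in SENSITIVE_HINTS) else redact_by_name(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_by_name(v) for v in obj]
    return obj


# Per section, the scalar keys known to be safe to export. auth keeps only its
# provider name; session (and messages) are not listed and so are not exported.
ALLOWLIST: dict[str, set[str]] = {
    "agents": {"name", "model"},
    "gateway": {"host", "port"},
    "auth": {"provider"},
}


def redact_allowlist(cfg: dict[str, Any], allow: dict[str, set[str]] = ALLOWLIST) -> dict[str, Any]:
    """Deny-by-default: unlisted sections are dropped, and inside a listed section
    anything that is not an allowlisted scalar is replaced by REDACTED."""
    out: dict[str, Any] = {}
    for section, values in cfg.items():
        if section not in allow or not isinstance(values, dict):
            continue
        out[section] = {
            k: v if k in allow[section] and not isinstance(v, (dict, list)) else REDACTED
            for k, v in values.items()
        }
    return out


def find_leaks(export: Any, secrets: set[str] = SECRET_VALUES) -> list[str]:
    """Secret values that survive into the serialized export, sorted."""
    blob = json.dumps(export)
    return sorted(s for s in secrets if s in blob)


if __name__ == "__main__":
    print("by name  ->", find_leaks(redact_by_name(SAMPLE_CONFIG)))
    print("allowlist->", find_leaks(redact_allowlist(SAMPLE_CONFIG)))
```

Name matching catches apiKey and clientSecret but lets the cookie, the refresh JWT and the signed webhook URL through, which is exactly the "unrecognized key names" case in the finding; the allowlist never has to recognise a secret, because a value reaches the export only when someone has explicitly declared that key safe.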
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
scripts/molt.sh
BRAIN_FILES=(AGENTS.md SOUL.md TOOLS.md IDENTITY.md USER.md HEARTBEAT.md MEMORY.md) ... rsync -a --delete "$WORKSPACE/memory/" memory/

The script intentionally copies persistent identity, instruction, and memory files into the git backup.

User impact: Private memories, identity files, and prior instructions will leave the local workspace for the configured git repository and could later be restored or reused.
Recommendation: Use a private repository, run --dry-run before first use, review the backed-up files, and exclude memories or instructions that should not be stored offsite.