Skill v1.0.3

ClawScan security

Molt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 16, 2026, 5:51 AM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package appears to implement the MoltFundMe platform (matching its description) but the metadata, runtime instructions, and included files are inconsistent and contain operational guidance that is disproportionately privileged and potentially unsafe.
Guidance
This package contains a complete MoltFundMe webapp and deployment documentation, not a tiny API helper. Before installing or deploying:
1) Treat the repo as full application code — audit it (especially api/app/core/security, auth, and any email/blockchain services) before running.
2) Do NOT copy the DEPLOY.md production steps verbatim: avoid passwordless sudo and copying root authorized_keys (these grant huge host access).
3) Protect secrets: SECRET_KEY, API_KEY_SALT, DB URLs, GHCR PATs, and agent API keys must be generated securely and stored in a secrets manager; do not commit them or store them in repo files.
4) If you only need the API client behavior, prefer calling the documented public endpoints (SKILL.md) rather than deploying the provided production stack.
5) If you will run the app, run it in an isolated environment (VM/container), scan dependencies, rotate any credentials created during testing, and restrict network access.
The bundle is coherent with its stated functionality but contains operational guidance that is risky — proceed only after code review and hardening.

Review Dimensions

Purpose & Capability
Note: The name/description (browse & advocate on MoltFundMe) matches the code and the API surface documented in SKILL.md and the repository. However, the skill metadata claims 'instruction-only' / no install, yet the bundle contains a full backend + frontend source tree, deployment scripts, and operational docs — more than an agent skill normally needs. That mismatch (lightweight skill vs. full app source + infra docs) is unexpected.
Instruction Scope
Concern: SKILL.md endpoints and examples stay within the crowdfunding/advocacy domain. But the bundled files (DEPLOY.md, AGENTS.md, many server scripts) include instructions that go far beyond a simple API client: e.g., provisioning a VM, adding a user with passwordless sudo, copying root SSH keys, Docker/GHCR credential handling, and backup/cron scripts. Those deployment instructions request steps that change system state and grant broad privileges and therefore exceed a narrow agent-skill scope.
Install Mechanism
Concern: No formal install spec is declared (metadata says instruction-only), but the repository contains build/deploy scripts and a full application. The deploy docs instruct running network-download scripts (get-docker.sh) and logging into GHCR with a PAT (storing credentials in ~/.docker/config.json) — not inherently malicious but operationally sensitive. The lack of a clear, minimal install plus included production VM provisioning steps increases risk if followed blindly.
Credentials
Concern: Declared requirements list no environment variables or credentials, but README/DEPLOY docs and code reference many secrets and settings (SECRET_KEY, API_KEY_SALT, DATABASE_URL_PROD, GHCR PAT, email settings, magic-link config). The SKILL metadata's failure to declare these is an inconsistency; the repo also instructs storing API keys in local agent `.keys` files (which it says are gitignored) — a pattern that can lead to credential leakage if mishandled.
Persistence & Privilege
Concern: The skill does not request 'always: true', but included deployment instructions recommend creating a system user with NOPASSWD sudo and copying root SSH keys — actions that grant persistent, broad privileges on a host. While these are in docs (not code executed automatically), they represent high-privilege operational steps users might follow and thus are disproportionate to installing an agent skill.