Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Motie CLI
v1.0.2
Discover and explore APIs on the Motie marketplace using the motie CLI. Use this skill whenever you need to find an API or service to accomplish a task — res...
by Cristian Saucedo @saucedocs
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly requires a Motie API key (MOTIE_API_KEY) and instructs use of the '@saucedocs/motie-cli' npm package, but the skill's registry metadata declares no required environment variables, no primary credential, and no install spec. That mismatch is unexpected: a Motie CLI skill legitimately needs the MOTIE_API_KEY and should have declared it.
Instruction Scope
The runtime instructions are narrowly focused on searching, fetching docs, and calling APIs via the motie CLI and do not ask the agent to read unrelated files or credentials. They do instruct the agent to check the MOTIE_API_KEY env var (or pass --api-key) and to install the CLI with npm; that behavior is in-scope, but the skill grants broad discretion to invoke arbitrary marketplace APIs (as intended for discovery).
Install Mechanism
There is no formal install spec in the skill bundle, but the SKILL.md tells users/agents to run 'npm install -g @saucedocs/motie-cli'. The package scope (@saucedocs) and name are provided but the skill lists no homepage, repository, or source. Asking users/agents to install a third‑party global npm package with no declared source increases risk and should be verified (authentic package, publisher, and package contents).
Credentials
The instructions require MOTIE_API_KEY (starts with 'mtk_'), which is the only credential needed for the CLI, but the skill metadata did not declare this env var or a primary credential. This omission reduces transparency and means agents might prompt users for secrets that the registry didn't declare. No other unrelated credentials are requested.
Persistence & Privilege
The skill is instruction-only, has no install behavior in the bundle, and 'always' is false. It does not request permanent presence or elevated platform privileges in the manifest.
What to consider before installing
This skill appears to do what it says (discover and call Motie marketplace APIs) but has two practical issues you should resolve before installing or following its instructions: 1) verify the npm package '@saucedocs/motie-cli' (check its npm page, repository, publisher identity, and recent release history) because the skill bundle provides no homepage or source; 2) be aware the CLI requires your MOTIE_API_KEY — treat that like any API secret: only provide it to a trusted CLI/package, avoid pasting it into untrusted interfaces, and prefer using a scoped key with least privilege. Ask the publisher for a repository/homepage and for the skill metadata to be updated to declare MOTIE_API_KEY explicitly; if you don't trust the npm package, do not run global installs and consider running the CLI in an isolated container or sandbox for testing.
Like a lobster shell, security has layers — review code before you run it.
