ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mobazha Native Install

v0.1.0

Install the Mobazha native binary on Linux, macOS, or Windows. Use when the user wants to run a store without Docker.

0· 18·0 current·0 all-time
by@fengzie
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and SKILL.md consistently describe installing a native Mobazha binary across platforms. There are no unrelated required env vars, binaries, or config paths; the requested actions (download binary, place in ~/.local/bin, register service) align with an installer.
Instruction Scope
Instructions are focused on installation and runtime management. They recommend piping a remote install script (curl -sSL https://get.mobazha.org/install | bash), verify checksums, register a background service, and enable an auto-update launcher. The script also mentions P2P network usage and optional Tor overlay — network activity and remote-update behavior are expected for this product but expand the attack surface.
Install Mechanism
No install spec in the skill bundle (instruction-only). The SKILL.md instructs users to fetch a remote script from get.mobazha.org which in turn downloads GitHub Releases assets and places binaries in ~/.local/bin. Using a remote install script piped to a shell is common for installers but higher risk than vetted package installs; the doc claims SHA-256 verification but the skill does not provide the verification artifacts itself.
Credentials
The skill declares no required credentials or environment variables and the instructions do not request unrelated secrets. However, the installed service and launcher will run on the host and will open network connectivity (local port 5102, P2P overlays, optional Tor), which may expose data/services externally — this is functional for a store but relevant to privacy and network security.
!
Persistence & Privilege
The installer registers a background service and installs an auto-update launcher (crash recovery + auto-update). Those behaviors create persistent processes and allow remote-updates — legitimate for a self-hosted service, but they increase persistence and the risk of remote code changes if the update channel or signing is not well-protected. macOS notes also mention bypassing Gatekeeper for curl|bash installs.
Assessment
This skill is coherent for installing Mobazha, but exercise caution before running the recommended installer. Do not blindly pipe remote scripts into a shell: fetch the script (curl -sSL https://get.mobazha.org/install -o install.sh), inspect it for unexpected actions, and verify any published SHA-256 checksums against the downloaded assets. Prefer running the installer as a non-root user and in an isolated environment (VM or container) if you want to limit blast radius. Pay attention to auto-update and the launcher: confirm the update channel and signature/verification practices on the Mobazha site. If you run on macOS, note Gatekeeper concerns and avoid bypassing security checks unless you trust the publisher. Finally, firewall or otherwise control network exposure of port 5102 and review P2P/Tor features before enabling them.

Like a lobster shell, security has layers — review code before you run it.

latestvk978cy4ee1y0mq6j79qb4pcbs9858h2f
18downloads
0stars
1versions
Updated 4h ago
v0.1.0
MIT-0
@fengzie
latest
Download

Native Binary Installation

Install Mobazha as a single native binary — no Docker, no runtime dependencies. Works on Linux (x86_64 & ARM64), macOS (Apple Silicon & Intel), and Windows.

Official guide: https://mobazha.org/self-host (Native Binary tab) and https://mobazha.org/download

Quick Install

Linux & macOS

curl -sSL https://get.mobazha.org/install | bash

This downloads the mobazha binary (and the mobazha-launcher for auto-update) to ~/.local/bin/ and starts the store as a background service.

Windows

  1. Go to https://mobazha.org/download
  2. Download the .zip file for Windows
  3. Extract the archive
  4. Double-click mobazha-tray.exe to start

The Windows desktop app includes a system tray icon and auto-opens your browser to the store admin.

What the Installer Does

  1. Detects your OS and architecture (linux/darwin, amd64/arm64)
  2. Downloads the matching binary from GitHub Releases
  3. Verifies the SHA-256 checksum
  4. Places binaries in ~/.local/bin/ (or custom --dir)
  5. Downloads the launcher binary (crash recovery + auto-update) if available
  6. Registers and starts as a background service (unless --no-start is passed)

After install, the store is accessible at http://localhost:5102 (or http://<public-ip>:5102 for VPS).

Running Your Store

Foreground mode

mobazha start

The store API and Web UI are served on port 5102 by default: http://localhost:5102.

Background service (recommended)

The installer registers a service automatically. Manage it with:

mobazha service status     # Check if running
mobazha service stop       # Stop the service
mobazha service start      # Start the service
mobazha service install    # Re-install / re-register the service
mobazha service uninstall  # Remove the service

On Linux this uses systemd (user-mode when possible), on macOS it uses launchd.

With a custom domain

The native binary itself does not include a reverse proxy. To use a custom domain with HTTPS, deploy via the standalone Docker setup instead (see standalone-setup skill), or manually configure a reverse proxy (Caddy, Nginx) in front of port 5102.

Install Options

FlagDescription
--version <tag>Install a specific version (e.g., v0.3.0-beta.15)
--dir <path>Custom install directory (default: ~/.local/bin)
--no-startDownload only, don't register or start the service

Backup

mobazha backup -o ~/mobazha-backup.tar.gz

Uninstall

Remove the binary and service (keeps your store data):

curl -sSL https://get.mobazha.org/install | bash -s -- --uninstall

Remove everything including data:

curl -sSL https://get.mobazha.org/install | bash -s -- --uninstall --purge

Platform Notes

macOS

  • Installs via curl | bash, which bypasses Gatekeeper (no Apple Developer signing required)
  • The launcher registers as a launchd LaunchAgent for auto-start on login
  • Supports both Apple Silicon (arm64) and Intel (amd64)

Linux ARM64

  • Works on Raspberry Pi 4+ and ARM VPS instances
  • Same install command — the script auto-detects architecture

Running Behind NAT

  • No port forwarding needed for basic operation
  • Your store stays reachable via the Mobazha P2P network
  • For a direct public URL, use the standalone Docker setup with a domain, or enable Tor overlay

After Installation

  1. Open http://localhost:5102/admin (or http://<your-ip>:5102/admin for VPS)
  2. Complete the Setup Wizard — set admin password, store name, visibility, region/currency (see store-onboarding skill for the full walkthrough)
  3. Add products and start selling
  4. (Optional) Connect your AI agent to the store via MCP — see store-mcp-connect skill

Troubleshooting

Binary not found after install

Ensure ~/.local/bin is in your PATH:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc

Permission denied

The installer needs write access to the install directory. Use --dir to specify a writable location, or run with appropriate permissions.

macOS "unverified developer" warning

This shouldn't happen with curl | bash install. If running a downloaded binary directly, use:

xattr -d com.apple.quarantine ./mobazha

Check service logs

# Linux
journalctl --user -u mobazha -f

# macOS
tail -f ~/Library/Logs/Mobazha/mobazha.log

Comments

Loading comments...