Moltcheck Skill
v1.0.4
Security scanner for Moltbot skills. Scan GitHub repositories for vulnerabilities before installation.
⭐ 3· 2.1k·0 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: the implementation is a thin client that POSTs a GitHub URL to https://moltcheck.com/api/v1 for scanning, checks credits, and provides setup/payment instructions. Network access and an API key are expected for this purpose.
Instruction Scope
Runtime instructions and implemented commands (scan, credits, setup) are scoped to interacting with the MoltCheck API. The skill does not read arbitrary local files, shell history, or other environment variables; it only reads an optional MOLTCHECK_API_KEY and sends the provided repo URL to the remote API.
Install Mechanism
No install spec / no remote downloads are declared. The package contains a simple index.js module and a CLI entrypoint — nothing writes arbitrary code to disk or fetches executables from untrusted URLs.
Credentials
The code uses an optional environment variable (MOLTCHECK_API_KEY) though the skill metadata did not list required env vars — this is a minor inconsistency but not a security issue by itself. The skill asks users to provide payment via SOL in setup, which is outside the scanning function but explained in the README/SKILL.md.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide configuration changes or cross-skill credentials. It requires no elevated or persistent privileges beyond normal network access.
Assessment
This skill is a network client that sends the GitHub repository URL (and optionally your API key) to moltcheck.com for analysis. Before installing or adding an API key: verify the MoltCheck service (website, OpenAPI, and GitHub repo) is reputable; be cautious about paying via SOL — confirm the wallet/memo on the official site; only provide the API key if you trust the provider; note the SKILL.md and README use different configuration methods (skill config JSON vs. MOLTCHECK_API_KEY), and skill.json version differs from the registry version — consider checking the published source repository to confirm authenticity before use.
Like a lobster shell, security has layers — review code before you run it.
