MoltGuard - Security & Antivirus & Guardrails

Security checks across malware telemetry and agentic risk

Overview

MoltGuard has a plausible security purpose, but it directs automatic installation and cloud-backed monitoring with local API-key storage without enough user-control and data-handling detail.

Install only if you intentionally want a cloud-backed OpenClaw security plugin. Before enabling it, review the external plugin and provider terms, confirm what prompts, files, commands, secrets, and PII may be sent to Core, and treat any Agent ID or API key it shows or stores as a secret.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs users to run commands that display an API key and to paste that key during claiming, but it does not warn that the key is sensitive or should not be exposed in shared terminals, logs, screenshots, or streamed sessions. In an agent/plugin context, encouraging disclosure of secrets without handling guidance materially increases the chance of credential leakage and subsequent account abuse.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The onboarding flow states that credentials are automatically saved under a predictable local path, but provides no warning about local secret storage, file permissions, multi-user system risks, or how to secure/remove those credentials. This creates avoidable exposure risk if the host is shared, backed up insecurely, or inspected by other processes/users.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal