v6.8.16

MoltGuard - Security & Antivirus & Guardrails

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

MoltGuard has a coherent security purpose, but it asks the agent to install and trust an external plugin/Core service that can persist, hold API credentials, and inspect sensitive activity.

Guidance: Before installing, verify the external package source and version, require human approval for install/update/restart/script steps, understand what data Core receives, and protect or rotate the generated API key if it is exposed.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
When the human asks to install MoltGuard, or when you want to protect yourself:
```bash
openclaw plugins install @openguardrails/moltguard
```

The instruction permits plugin installation based on the agent's own desire for protection, which can modify the OpenClaw environment without a clearly required human approval step.

User impact: The agent could change its installed plugin set before the human has reviewed the package and its effects.
Recommendation: Require explicit human approval before any install, update, restart, or script execution, and verify the exact package/version first.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
```bash
# Install the plugin
openclaw plugins install @openguardrails/moltguard
```

The reviewed skill is instruction-only but directs installation of a separate plugin package, so the executable implementation and its provenance are outside the supplied artifacts.

User impact: Installing it relies on external package contents that are not visible in this artifact review.
Recommendation: Inspect the package source, publisher, version, and any lockfiles or scripts before installation.
Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Tell the user:
> "I just tested MoltGuard ... MoltGuard detected it! Your security protection is now active."

The skill gives the agent a fixed reassurance after a sample test, which may overstate protection if the user treats it as a broad security guarantee.

User impact: The user may become overconfident that all prompt-injection, exfiltration, and malicious-command risks are covered.
Recommendation: Present the test result as a limited sample check and clearly explain remaining limitations and data-handling tradeoffs.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
This removes MoltGuard config from `openclaw.json`, plugin files, and credentials. Restart OpenClaw to apply.

The uninstall instructions indicate the installation persists configuration, plugin files, and credentials beyond a single task.

User impact: MoltGuard may continue affecting the agent environment until explicitly uninstalled and OpenClaw is restarted.
Recommendation: Confirm persistence is desired, document how to disable it, and test uninstall before relying on it in sensitive environments.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Get your API key from Core
3. Credentials saved to `~/.openclaw/credentials/moltguard/` ... `/og_status` Shows your API key

The skill creates and stores a service API key and exposes commands that can display it; this is purpose-aligned but sensitive.

User impact: Anyone with access to the local credential file or command output may obtain the MoltGuard/Core API key.
Recommendation: Protect the credential directory, avoid sharing command output containing keys, and rotate the key if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: High | Confidence: High | Status: Concern
SKILL.md
All security detection is performed by Core ... Data Risk — Secret leakage, PII exposure, sending sensitive data to LLMs

The skill says security checks are handled by Core and cover sensitive data types, but it does not define what user content is transmitted, retained, redacted, or approved.

User impact: Private prompts, commands, file/web content, secrets, or PII may be processed by the Core service.
Recommendation: Review the Core service privacy and data-processing terms, prefer an enterprise Core if needed, and require clear limits on what data is scanned or sent.