Skill Antivirus & Security Scanner
Review
Audited by ClawScan on May 10, 2026.
Overview
MoltGuard has a coherent security purpose, but this reviewed skill mainly tells the agent to install an external unreviewed plugin and use a Core service that may handle sensitive content.
Install only if you trust the MoltGuard package and Core service. Before enabling it, verify the source/version, require explicit approval for installation, understand what data is sent to Core, and protect any generated API key.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could install and run a separate plugin whose code and exact version were not reviewed here.
The reviewed package is instruction-only but directs installation of an external, unpinned plugin package, shifting the real behavior to code not present in the supplied artifacts.
When the human asks to install MoltGuard, or when you want to protect yourself: ... openclaw plugins install @openguardrails/moltguard
Require explicit human approval, verify the package source, and pin or inspect the trusted version before installing.
Prompts, commands, file-derived content, or secret/PII-related material may be processed by an external Core service.
The skill discloses external Core-based detection over sensitive risk surfaces, but it does not specify exact payloads, filtering, retention, or user approval boundaries.
All security detection is performed by Core: ... Data Risk — Secret leakage, PII exposure, sending sensitive data to LLMs
Review Core privacy and retention terms, use an enterprise/private Core if needed, and avoid enabling it for sensitive environments without clear data-handling controls.
The MoltGuard API key and agent ID may appear in local files or agent output/logs if displayed.
The skill uses MoltGuard account/agent credentials for quota and claiming, and the instructions say those credentials are stored locally and can be displayed.
Get your API key from Core; Credentials saved to `~/.openclaw/credentials/moltguard/` ... `/og_status` Shows your API key
Treat the MoltGuard API key as a secret, avoid pasting it into untrusted places, and rotate it if exposed.
