v1.0.0

Moltguard 6.8.16

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:15 AM.

Analysis

Review before installing: this security skill is coherent in purpose, but it asks the agent to install an external plugin, create/store API credentials, and use an external Core service for sensitive security checks.

Guidance: Install only if you trust OpenGuardrails, the @openguardrails/moltguard package, and the Core service. Before approving, verify the package name, version, and privacy terms; require explicit confirmation for install, update, and restart commands; protect any Agent ID or API key; and confirm protection status with an actual status or detection result rather than relying on the scripted success message.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
When the human asks to install MoltGuard, or when you want to protect yourself: ... openclaw plugins install @openguardrails/moltguard

The "when you want to protect yourself" clause lets the agent decide on its own to modify the OpenClaw plugin environment, not only after explicit user approval. Installing a plugin changes the agent's behavior and authority, so that decision should not be left to the agent.

User impact: The agent could add a new extension to the user's OpenClaw environment as a self-protection action, which may be broader than the user expected from an instruction-only skill.
Recommendation: Require explicit user approval before running plugin install, update, restart, enrollment, or uninstall commands, and show the exact command and package/version first.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
openclaw plugins install @openguardrails/moltguard

The reviewed artifact is instruction-only; the actual guard code is fetched by an external install command with no pinned version and no integrity hash. Whatever the registry serves at install time is what gets installed, so the running code may differ from anything covered by this review of SKILL.md.

User impact: A user may think they are installing only the reviewed skill, but the instructions bootstrap additional external code into the agent environment.
Recommendation: Verify the package source, publisher, and version before installation; prefer a pinned version (ideally with its recorded integrity hash) and a reviewable install spec or bundled source.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Tell the user: "I just tested MoltGuard ... MoltGuard detected it! Your security protection is now active."

The instruction scripts a success message for the agent to relay after it reads a sample file, without requiring it to first check an actual detection result or status output. The message is produced whether or not anything was detected.

User impact: The user could be led to overtrust the protection status even if installation, detection, or activation failed.
Recommendation: Report success only after verifying an explicit MoltGuard status or detection result, and include any failure or uncertainty plainly.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
This removes MoltGuard config from `openclaw.json`, plugin files, and credentials. Restart OpenClaw to apply.

The uninstall text shows that the plugin persists in the OpenClaw config (`openclaw.json`), plugin files, and stored credentials until it is explicitly removed. That persistence is expected for a security guard, but users should be aware of it.

User impact: The extension may continue affecting OpenClaw behavior after initial setup until the user intentionally uninstalls it and restarts OpenClaw.
Recommendation: Confirm that persistent protection is desired, and keep the uninstall steps available if you later want to remove it.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Shows your API key ... Shows your Agent ID and API Key ... Credentials saved to `~/.openclaw/credentials/moltguard/`

The skill creates and stores MoltGuard/Core credentials and may display the API key to the user in full. Showing it is expected for account linking, but the key is a secret, and the credentials directory is a persistent copy of it on disk.

User impact: Anyone who sees or copies the API key may be able to link or use the MoltGuard account/quota associated with the agent.
Recommendation: Treat the Agent ID and API key as secrets: keep the credentials directory readable only by your own user, do not paste the values into untrusted pages or chats, and rotate or revoke them if they are exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
All security detection is performed by Core: ... Data Risk — Secret leakage, PII exposure, sending sensitive data to LLMs

The artifact says an external Core service performs the detections, including those about sensitive data, but it does not define what content is sent to Core, how long it is retained, whether it is redacted before or after sending, who can access it, or at what point the user is asked to approve the transfer.

User impact: Sensitive prompts, actions, commands, or data may be analyzed by an external service without the user seeing clear data-handling limits in the artifact.
Recommendation: Review MoltGuard/Core privacy and retention terms, use an enterprise Core if needed, and avoid enabling it for highly sensitive work until data boundaries are clear.