Code PluginExecutes codesource-linked

Moltbot Utilities

moltbot-utils

Community code plugin. Review compatibility and verification before install.

@marxbiotech/moltbot-utils · runtime id moltbot-utils

Install

openclaw plugins install clawhub:@marxbiotech/moltbot-utils

Latest Release

Version 1.0.1

Download zip

Compatibility

{
  "builtWithOpenClawVersion": "1.0.0",
  "pluginApiRange": ">=1.0.0"
}

Capabilities

{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "moltbot-utils",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description (system diagnostics: ws_check, sys_info, net_check) matches the code's behavior: reading system info, checking network endpoints, and inspecting OpenClaw workspace files. However, the skill inspects API-related environment variables and OpenClaw config files even though no required env vars are declared in the metadata — this mismatch is noteworthy but can be explained by diagnostics use.

ℹ

Instruction Scope

Runtime behavior stays within diagnostics: reading hostname, uptime, memory, disk, openclaw.json, installed skills/plugins, presence of API keys, and port connectivity checks. Two concerns: (1) the included shell script version hardcodes /root paths while the TypeScript code prefers OPENCLAW_HOME or the current user's home — this inconsistency may change what is inspected depending on which command implementation runs, and (2) the scripts use node -e and temporary files (/tmp/.ws_check_config), which read/write local files. No external endpoints are contacted to transmit data; network checks only attempt TCP connectivity.

✓

Install Mechanism

There is no download-from-URL or package install step; the plugin is provided as source files. No external install hosts or archive extraction are present. This is lower risk from an install mechanism perspective.

Credentials

The code reads several environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, CLOUDFLARE_AI_GATEWAY_API_KEY, and OPENCLAW_HOME) and inspects OpenClaw config files, but the skill declares no required env vars. While checking for the presence of API keys is reasonable for a diagnostics tool, the metadata does not advertise this, so users may not realize the plugin will probe for API keys and local OpenClaw configuration. This probing can reveal whether credentials exist and may expose config contents (openclaw.json) locally.

✓

Persistence & Privilege

The plugin does not request persistent/always presence and does not modify other skills or system-wide settings. Commands are registered with requireAuth: true, and autonomous invocation is allowed by platform default. It does perform local file reads and a process existence check (process.kill with signal 0) but does not try to persist data or escalate privileges.

What to consider before installing

This plugin appears to be a legitimate local diagnostics tool but it will read local OpenClaw configuration files and check for the presence of several API keys without declaring those env vars. Before installing, consider: - Are you comfortable with a plugin enumerating installed skills/plugins and reading openclaw.json (which may contain gateway/channel configuration)? - The shell scripts use hardcoded /root paths; if the agent runs under another user the behavior may differ. Review and, if needed, edit scripts to point to the correct OPENCLAW_HOME for your environment. - The plugin does not transmit collected data externally, but it writes temporary files under /tmp during checks. If you are concerned about exposure of local secrets, run this plugin in an isolated environment or inspect openclaw.json and other files first. - If you want stricter transparency, ask the author to declare the environment variables the plugin reads (or add a config schema) and to remove hardcoded /root paths so behavior is consistent.

Verification

{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "f7e9e6a9e07401cf094c6ff1fbf18227e1fa2c82",
  "sourceRepo": "marxbiotech/moltbot-app",
  "sourceTag": "f7e9e6a9e07401cf094c6ff1fbf18227e1fa2c82",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}

moltbot-utils

OpenClaw plugin for system diagnostics and environment health checks.

Commands

Command	Description
`/ws_check`	Workspace health — directory structure, config validity, R2 sync, API keys, gateway, skills
`/sys_info`	System info — hostname, kernel, uptime, memory, disk usage
`/net_check`	Network connectivity — tests GitHub SSH, Anthropic, OpenAI, Google API endpoints