Code PluginExecutes codesource-linked

Moltbot Utilities

moltbot-utils

Community code plugin. Review compatibility and verification before install.

marxbiotech-moltbot-utils · runtime id marxbiotech-moltbot-utils

Install

openclaw plugins install clawhub:marxbiotech-moltbot-utils

Latest Release

Version 1.0.0

Download zip

Compatibility

{
  "builtWithOpenClawVersion": "1.0.0",
  "pluginApiRange": ">=1.0.0"
}

Capabilities

{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [],
  "runtimeId": "marxbiotech-moltbot-utils",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description (system diagnostics, health checks) matches the code: it inspects filesystem layout, openclaw.json, gateway process, disk/memory, network endpoints, and presence of API key environment variables. However the skill inspects environment variables and specific file paths (e.g., openclaw.json, /tmp/.last-sync, gateway.pid) even though the package metadata declares no required env/config — that omission is surprising and worth noting.

Instruction Scope

The runtime code (both bash scripts and TypeScript) reads local files (openclaw.json, /tmp/.last-sync, /tmp/r2-sync.log, gateway.pid), enumerates directories under the OpenClaw home, checks processes (pgrep/process.kill check), and inspects environment variables for API keys. The SKILL.md describes these checks, but the scripts access environment variables and hardcoded paths (the bash script uses /root/.openclaw paths while the Node code uses OPENCLAW_HOME or ~/.openclaw) — that mismatch and the unannounced environment reads are scope creep relative to the declared requirements.

✓

Install Mechanism

There is no install spec (no network downloads or package installs). Code is shipped in the skill bundle (scripts and TypeScript). No external installers or downloads are performed by the skill itself.

Credentials

The code checks for multiple API key environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, CLOUDFLARE_AI_GATEWAY_API_KEY) and reports which are present, but the registry metadata lists no required env vars or primary credential. The skill does not request secrets explicitly, but it reads environment state that you may consider sensitive. The lack of declared env requirements is an inconsistency.

✓

Persistence & Privilege

The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It performs read-only checks (file reads, process existence, network TCP connect checks) and does not attempt to persist credentials or change system config.

What to consider before installing

This plugin is a diagnostics tool that reads local OpenClaw configuration (openclaw.json), lists directories and installed skills/plugins, checks for gateway process and a gateway.pid, tails sync logs, and tests TCP connectivity to several API endpoints. It also checks whether certain API key environment variables are set (it reports presence, not values). Before installing: (1) Understand that it will read local config and environment variables — avoid installing on systems where presence of these keys or config files is sensitive. (2) Note the inconsistency: metadata declares no env requirements but the code checks env vars; ask the author to declare expected env vars if you need a complete inventory. (3) The bash script uses hardcoded /root paths while Node code respects OPENCLAW_HOME or the user's home — confirm which behavior will run in your deployment to avoid surprising file reads. (4) If you want extra safety, review the source files yourself or run the skill in an isolated/trusted environment first. (5) If you need guarantees that no data leaves your host, verify logging/command output policies where the skill runs; the code does not perform network exfiltration, but it does perform outbound TCP connectivity tests to public API hosts.

Verification

{
  "hasProvenance": false,
  "scanStatus": "pending",
  "scope": "artifact-only",
  "sourceCommit": "f7e9e6a9e07401cf094c6ff1fbf18227e1fa2c82",
  "sourceRepo": "marxbiotech/moltbot-app",
  "sourceTag": "f7e9e6a9e07401cf094c6ff1fbf18227e1fa2c82",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}

moltbot-utils

OpenClaw plugin for system diagnostics and environment health checks.

Commands

Command	Description
`/ws_check`	Workspace health — directory structure, config validity, R2 sync, API keys, gateway, skills
`/sys_info`	System info — hostname, kernel, uptime, memory, disk usage
`/net_check`	Network connectivity — tests GitHub SSH, Anthropic, OpenAI, Google API endpoints