Plugin v1.0.3
ClawScan security
MO§ES™ Constitutional Governance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 2, 2026, 7:20 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The bundle's code and instructions generally match a governance/audit toolset, but there are several mismatches and opt‑in remote hooks (and a sensitive operator secret) that warrant review before installing.
- Guidance: This bundle appears to implement the governance/audit features it claims, but there are points you should confirm before installing:
  - Runtime Python required: package.json and SKILL.md indicate Python (python3) is used, but top-level metadata said "Required binaries: none" — ensure your environment has python3 and that the platform will make it available to the skill.
  - Sensitive secret: MOSES_OPERATOR_SECRET is sensitive and used for local HMAC/attestation. The authors state it is "never transmitted" but you should review sign_transaction.py / handshake.py / witness.py (or search the repo) to confirm the secret is only used locally and not sent to remote endpoints before supplying it.
  - Opt‑in network endpoints: MOLTBOOK_API_KEY and REFEREE_URL/REFEREE_KEY enable outbound posts. These are off by default, but if you set them the skill will call external services (including an arbitrary URL you provide). Only set those env vars when you trust the destination and understand what data will be posted.
  - Local state & ledger: the skill will write to ~/.openclaw/governance and ~/.openclaw/audits/moses. If you need ephemeral operation, run it in an isolated account or container and inspect the files it creates.
  - Review signing/forwarding code: because the bundle implements signing/attestation, run a quick code review of the modules that reference MOSES_OPERATOR_SECRET, REFEREE_*, or MOLTBOOK_* to ensure no unexpected transmission or credential exfiltration occurs.

  If you want to be cautious: install and exercise the tools in an isolated environment (separate user, container, or VM) with no network access, then enable individual opt‑in env vars only after manual code review and validation.
Review Dimensions
- Purpose & Capability (note): The name/description (constitutional governance, audit/lineage/verification tools) aligns with the included scripts (commitment extraction, model-swap tests, lineage anchor, audit ledger). However there is a metadata mismatch: the top-level Requirements block in the provided manifest claims "Required binaries: none" while package.json and the SKILL.md metadata list python3 as a required bin. That is an incoherence the operator should resolve (the bundle expects to run Python scripts).
- Instruction Scope (note): SKILL.md and README explicitly state that state is written to ~/.openclaw/governance and ~/.openclaw/audits/moses and that outbound network calls are opt‑in. The scripts shown perform local file I/O (ledger read/write), spawn local subprocesses (model_swap_test runs commitment_verify.py), and compute hashes/signatures. No unconditional exfiltration was seen in the truncated files, but several modules (witnessing/referee/signing/handshake) are present in the bundle and could send data if opt‑in env vars are set. The runtime instructions allow the operator to configure arbitrary REFEREE_URL/REFEREE_KEY targets — those are operator-supplied endpoints that will be contacted if REFEREE_ENABLED is enabled.
- Install Mechanism (ok): No remote download/install spec is present; this is an instruction‑only bundle containing local Python scripts. That reduces supply‑chain download risk. The bundle will place or use local state under ~/.openclaw when run; there is no external installer that fetches arbitrary code at install time.
- Credentials (concern): All env vars are declared optional, which matches SKILL.md. However one declared sensitive var, MOSES_OPERATOR_SECRET, is intended for local HMAC attestation/signing and is described as "Never transmitted" — you should verify this in the signing/handshake code before supplying it. The REFEREE_URL/REFEREE_KEY and MOLTBOOK_API_KEY are explicit opt‑in network credentials: if set they will enable outbound posts to operator-specified endpoints and to moltbook.com respectively. Allowing arbitrary REFEREE_URL means an operator could inadvertently (or intentionally) configure the skill to send potentially sensitive audit/ghost reports to an external host. The number and type of optional envs is proportionate to the described functionality but they control outbound behavior and use of a signing secret — review code that uses these variables before enabling them.
- Persistence & Privilege (ok): The bundle requests normal, limited persistence: stateDirs under the user's home (~/.openclaw/...). always:false and no special platform privileges are requested. The scripts create and read local files and save test results under ~/.openclaw; that is expected for audit/governance tooling and is proportional to purpose. There is no evidence the skill modifies other skills' configuration or requests global agent settings.
