Is adamthompson33/moltcops safe?
https://github.com/openclaw/skills/tree/main/skills/adamthompson33/moltcops
MoltCops presents clean scanner code with no network calls, no shell execution, and all canary files intact — the Python implementation is technically sound. However, the skill employs social engineering fear tactics to establish mandatory-gatekeeper authority, ships an unexplained .clawhub/lock.json dependency on a second skill (academic-research-hub), and contradicts its 'no API calls' claim by advertising an external web scanner. Its positioning as the authoritative pre-install security layer makes it a high-value supply-chain target: a malicious update to the mutable rules.json file could silently whitelist attack patterns while continuing to return PASS verdicts to trusting users.
Findings (7)
MEDIUM Fear/Urgency Social Engineering in Skill Description -17
SKILL.md invokes a fictional or unverified threat event ('ClawHavoc: 341 malicious skills found this week') to create urgency and establish the scanner as a mandatory gatekeeper. This pattern is designed to make agents and users feel that skipping this skill is dangerous, effectively inserting a persistent behavioral instruction into the agent's decision-making process. There is no verifiable source for the '341 malicious skills' claim.
MEDIUM Misleading 'No API Calls' Claim Contradicted by External Web Scanner -12
The skill prominently advertises itself as 'Local-first. Your code never leaves your machine. No API calls. No uploads. No accounts.' This claim is true for the Python script in isolation, but the same SKILL.md directs users to https://scan.moltcops.com for a 'browser-based version with the same engine.' If an agent or user follows this recommendation, skill code would be transmitted to an external, unaudited server. The misleading primary claim creates false confidence that all scanning paths are local.
MEDIUM Unexplained Skill Dependency in Bundled Lock File -20
.clawhub/lock.json ships with the skill and lists academic-research-hub v0.1.0 as an 'installed' skill. No code in scan.py, SKILL.md, or rules.json references this dependency, and skill scanners have no reason to have other skills as dependencies. This file could be an accidental commit of the author's personal skill state, but it could also be an attempt to bootstrap agent trust in a second skill by associating it with a trusted security tool. The agent, reading the skill directory during execution, may interpret this lock file as implying academic-research-hub should be present.
LOW Security Gatekeeper Creates High-Value Supply-Chain Target -7
By positioning itself as the mandatory security layer that must approve all skill installations, moltcops becomes an extremely high-value target for supply-chain compromise. A single malicious update to rules.json — which is loaded at runtime from disk and could be updated via ClawHub — could silently whitelist an entire class of attack patterns while continuing to report PASS verdicts. Users and agents that have internalized trust in this tool would have no defense against such an update. The low-confidence MC-020 rule (0.55) for outbound HTTP POST already demonstrates the detection coverage can be selectively weakened.
LOW Version Inconsistency Between SKILL.md and Metadata -8
The SKILL.md frontmatter declares version 1.0.0, but _meta.json reports the latest published version as 1.1.0 with a separate v1.0.1 in the history. This means the content being audited may not match what users actually receive, and it makes it impossible to audit changelogs between versions. Poor version hygiene in a security tool is a reliability concern.
INFO External Web Scanner Reference Creates Optional Exfiltration Path -8
The reference to https://scan.moltcops.com is not executed by the skill automatically, but its presence in SKILL.md means an agent following the documentation could direct users to submit skill code to this external service. The domain is unaudited. This is an optional rather than automatic risk.
INFO Clean Python Implementation — No Execution Risk 0
scan.py is a well-scoped file scanner using only Python stdlib. No network libraries, no subprocess/os.system/eval/exec, no dynamic code loading. File access is constrained to the user-specified skill directory. The implementation is consistent with a legitimate local security scanner.