mot

github.com/parcadei/continuous-claude-v3
Verdict: Do not install
5 critical0 high1 medium
F
SCORE 0 / 100
$skillox install motSoon
Sign in to followFollowing emails you when a re-scan drops the grade. Opt-out is per-creator on /account/billing.

Why grade F?

score · 0 / 100

The current grade reflects 5 critical findings (any 2+ CRITs → F).

5 CRIT0 HIGH1 MED0 LOW
To reach a higher grade
  • D
    Reach Dtarget score 30

    Resolve 4 of your 5 CRIT findings — any single CRIT still keeps you at D.

  • C
    Reach Ctarget score 55

    Resolve all 5 CRIT findings.

  • B
    Reach Btarget score 75

    Resolve all 5 CRIT.

  • A
    Reach Atarget score 95

    Resolve all 5 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-fwjz8ksxcjcjtcc1mombizxj · Thu, 28 May 2026 17:40:49 GMT · 1ms

crit
Skill references secret env var $DATABASE_URL
The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 143CWE-200
141
142# Check DATABASE_URL
143if [ -z "$DATABASE_URL" ]; thenreferences $DATABASE_URL — potential credential leak
144 echo "FAIL: DATABASE_URL not set"
145else
crit
Skill references secret env var $DATABASE_URL
The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 149CWE-200
147
148 # Test connection
149 if psql "$DATABASE_URL" -c "SELECT 1" > /dev/null 2>&1; thenreferences $DATABASE_URL — potential credential leak
150 echo "PASS: PostgreSQL reachable"
151
crit
Skill references secret env var $DATABASE_URL
The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 153CWE-200
151
152 # Check pgvector
153 if psql "$DATABASE_URL" -c "SELECT extname FROM pg_extension WHERE extname='vector'" 2>/dev/null | grep -q vector; thenreferences $DATABASE_URL — potential credential leak
154 echo "PASS: pgvector extension installed"
155 else
crit
Skill references secret env var $DATABASE_URL
The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 160CWE-200
158
159 # Check table exists
160 if psql "$DATABASE_URL" -c "\d archival_memory" > /dev/null 2>&1; thenreferences $DATABASE_URL — potential credential leak
161 echo "PASS: archival_memory table exists"
162
crit
Skill references secret env var $DATABASE_URL
The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 164CWE-200
162
163 # Count learnings
164 COUNT=$(psql "$DATABASE_URL" -t -c "SELECT COUNT(*) FROM archival_memory" 2>/dev/null | xargs)references $DATABASE_URL — potential credential leak
165 echo "INFO: $COUNT learnings stored"
166 else
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
View latest scan →
skillox.io/c/mot