mot

https://raw.githubusercontent.com/parcadei/continuous-claude-v3/main/.claude/skills/mot/SKILL.md

github.com/parcadei/continuous-claude-v3

Scanned Thu, 28 May 2026 17:40:49 GMT

Scan ID crawl-fwjz8ksxcjcjtcc1mombizxj · 1ms

SCORE 0 / 100

Verdict: Do not install

5 critical findings.

This skill exfiltrates environment secrets ($DATABASE_URL) plus 5 other issues listed below.

5 critical0 high1 medium6 rules passed

Why grade F?

score · 0 / 100

The current grade reflects 5 critical findings (any 2+ CRITs → F).

5 CRIT0 HIGH1 MED0 LOW

To reach a higher grade

D
Reach Dtarget score 30
Resolve 4 of your 5 CRIT findings — any single CRIT still keeps you at D.
C
Reach Ctarget score 55
Resolve all 5 CRIT findings.
B
Reach Btarget score 75
Resolve all 5 CRIT.
A
Reach Atarget score 95
Resolve all 5 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit

Skill references secret env var $DATABASE_URL

The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.

rule: env-var-harvestingline: 143CWE-200

▾

141

142# Check DATABASE_URL

143if [ -z "$DATABASE_URL" ]; then← references $DATABASE_URL — potential credential leak

144 echo "FAIL: DATABASE_URL not set"

145else

crit

Skill references secret env var $DATABASE_URL

The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.

rule: env-var-harvestingline: 149CWE-200

▾

147

148 # Test connection

149 if psql "$DATABASE_URL" -c "SELECT 1" > /dev/null 2>&1; then← references $DATABASE_URL — potential credential leak

150 echo "PASS: PostgreSQL reachable"

151

crit

Skill references secret env var $DATABASE_URL

The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.

rule: env-var-harvestingline: 153CWE-200

▾

151

152 # Check pgvector

153 if psql "$DATABASE_URL" -c "SELECT extname FROM pg_extension WHERE extname='vector'" 2>/dev/null | grep -q vector; then← references $DATABASE_URL — potential credential leak

154 echo "PASS: pgvector extension installed"

155 else

crit

Skill references secret env var $DATABASE_URL

The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.

rule: env-var-harvestingline: 160CWE-200

▾

158

159 # Check table exists

160 if psql "$DATABASE_URL" -c "\d archival_memory" > /dev/null 2>&1; then← references $DATABASE_URL — potential credential leak

161 echo "PASS: archival_memory table exists"

162

crit

Skill references secret env var $DATABASE_URL

The skill instructions reference `$DATABASE_URL`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.

rule: env-var-harvestingline: 164CWE-200

▾

162

163 # Count learnings

164 COUNT=$(psql "$DATABASE_URL" -t -c "SELECT COUNT(*) FROM archival_memory" 2>/dev/null | xargs)← references $DATABASE_URL — potential credential leak

165 echo "INFO: $COUNT learnings stored"

166 else

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

Scan another →Share

skillox.io/r/crawl-fwjz8ksxcjcjtcc1mombizxj