Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Graphql Builder
v3.0.0
Build and validate GraphQL queries, mutations, and schemas. Use when working with GraphQL APIs.
by BytesAgain2 @ckchzh
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the included script and commands. The script implements query/mutation/validate/format/introspect/schema operations and stores data under ~/.local/share/graphql-builder as declared in SKILL.md. No unrelated credentials, binaries, or platform components are requested.
Instruction Scope
SKILL.md only runs the included script and documents the same commands. The script does read user-supplied files and sends a POST to a user-supplied URL for introspection (expected for this purpose). However, the script has several implementation issues (uses $2/$3 inside functions rather than the local variables, prints literal '$2' placeholders instead of expanded values, and uses unquoted expansions), which are correctness/security concerns (see user guidance).
Install Mechanism
There is no install spec; this is an instruction-only skill with a bundled shell script. Nothing is downloaded from external URLs or installed automatically.
Credentials
The skill declares no required environment variables, credentials, or config paths. The script only uses HOME to create its own data directory (~/.local/share/graphql-builder), which matches the SKILL.md.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. It creates/uses only its own data directory and does not modify other skills or global agent settings.
Assessment
This skill appears coherent with its purpose, but the included shell script is low-quality and has potential safety/correctness issues you should consider before use:
- The script uses unquoted variable expansions (e.g., cat $2, grep $2). Passing file paths or URLs with spaces or shell metacharacters could cause unexpected behavior or command injection. Do not run it on untrusted input.
- Some functions print literal '$2' and '$3' rather than expanding arguments, so the output may not be useful as-is.
- The introspect command issues a curl POST to whichever URL you pass. Only use endpoints you trust and avoid passing URLs that include embedded credentials or tokens.
- The script creates a data directory at ~/.local/share/graphql-builder; check its contents if you care about local storage.
Recommendations: review and/or fix the script (add proper quoting, use the local variables, and ensure safe handling of input) or run the skill in an isolated environment. If you accept these caveats and trust the author, the skill's footprint is proportionate to its stated functionality.
Like a lobster shell, security has layers — review code before you run it.
