Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Star Studio's Flow CRM
v1.0.1
Interact with FlowDeck CRM API (clients, deals, proposals, receivables, expenses, contacts). Use for all CRM operations via the FlowDeck REST API through Sup...
by Douglas Araújo (@araujodgdev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description align with the included Python CLI (CRM operations against a FlowDeck REST gateway). However, the registry metadata claims no required env vars or binaries, while the SKILL.md and script clearly require an API key (FLOWDECK_API_KEY / --api-key), an optional FLOWDECK_BASE_URL, and the 'uv' runner; this mismatch is unexpected and reduces trust.
Instruction Scope
Instructions direct the agent/user to collect many client data fields (appropriate for CRM) and to run the shipped script from the user's current working directory. The script will send collected data to the configured base URL (or to a default hard-coded Supabase URL). There are no instructions that explicitly read local secrets or arbitrary files, but the default external endpoint means data (and any API key you provide) could be transmitted to a third-party service if you don't set a base URL you control.
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. But the package includes an executable Python script that depends on httpx and the 'uv' runner; those dependencies are not declared in registry metadata. Running the script will execute network operations.
Credentials
The script and SKILL.md require an API key (FLOWDECK_API_KEY) and optionally a base URL, which are proportionate to a CRM integration — but the registry incorrectly lists no required env vars. Additionally, a default FLOWDECK_BASE_URL is hard-coded to a specific Supabase instance (mycivgjuujlnyoycuwrz.supabase.co). If users rely on defaults, their data and API key could be sent to that external endpoint unexpectedly.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It runs only when invoked.
What to consider before installing
This skill contains a runnable Python CLI that will send data to a FlowDeck/Supabase endpoint and expects an API key. Before installing or running it: (1) do not paste sensitive API keys unless you control or trust the target endpoint; verify FLOWDECK_BASE_URL, since the default points to an unknown Supabase project and could exfiltrate data if left unchanged; (2) ensure you have the 'uv' runner and python/httpx dependencies installed in a controlled environment (or inspect and run the script in an isolated sandbox); (3) ask the publisher for source/homepage and confirmation of the default base URL and ownership; (4) prefer to configure FLOWDECK_BASE_URL to your own FlowDeck instance or the official API endpoint and only provide API keys scoped with minimal permissions. The registry metadata mismatch (no declared env vars/binaries vs. actual requirements) is the main red flag.
latest: vk973sqwgmcftgy3myp7psqa7zx84q5yr
