ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bigml

v1.0.2

BigML integration. Manage data, records, and automate workflows. Use when the user wants to interact with BigML data.

0· 143·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a BigML integration implemented via the Membrane CLI/proxy, which logically matches the skill name and description. However, the skill metadata lists no required binaries or install steps even though the instructions require npm and the membrane CLI; that discrepancy is unexpected.
Instruction Scope
Instructions are focused on interacting with BigML through Membrane (login, create/connect connectors, run actions, proxy requests). They do not instruct reading arbitrary system files or exfiltrating unrelated data. They do, however, instruct interactive authentication (browser flow) and manual global npm package installation.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md tells the user to run `npm install -g @membranehq/cli`. Installing a global npm package is a real install step (public registry) and carries the normal risks of executing third-party code, but nothing in the file indicates an untrusted download URL or direct executable payload beyond public npm.
Credentials
The skill requests no environment variables or credentials in the metadata and relies on Membrane to manage auth. That is proportionate to its stated purpose, although using Membrane means you will grant that CLI/account access to BigML credentials via the connector flow.
Persistence & Privilege
The skill is not marked always:true and will not be force-included. It is instruction-only and does not request to modify other skills or global agent settings. Autonomous invocation is enabled by default (normal) but does not by itself create new concerns here.
What to consider before installing
This skill looks like a straightforward BigML integration that uses the Membrane CLI, but note two practical concerns: (1) the skill metadata does not declare required binaries, yet the documentation instructs you to install and run the Membrane CLI via `npm install -g @membranehq/cli` and `membrane login`; confirm you have a trusted Node/npm environment before installing global packages, and verify the CLI package origin (official @membranehq). (2) The connector flow will grant Membrane/its connector access to your BigML account — make sure you trust the Membrane account and the connector before authenticating. If you want to proceed, prefer installing software from official sources, review the Membrane project's repo/homepage, and avoid running commands or pasting auth codes from unknown sources. If you need higher assurance, ask the skill author to declare required binaries and provide an install spec or signed release references.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708fz5ma5dwdfs0kmrbw3e51843mf6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments