Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blackfire

v1.0.2

Blackfire integration. Manage data, records, and automate workflows. Use when the user wants to interact with Blackfire data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to integrate Blackfire and the SKILL.md consistently instructs using the Membrane CLI and a Membrane account to connect to Blackfire. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Runtime instructions are limited to installing/using the Membrane CLI, logging in (browser-based OAuth flow), listing/creating connections, running actions, and proxying requests via Membrane. The instructions do not request access to arbitrary local files, unrelated environment variables, or external endpoints beyond Membrane/Blackfire.
Install Mechanism
This is an instruction-only skill (no install spec); it recommends installing @membranehq/cli via npm -g or using npx. Installing a third-party npm package is a normal, expected step but does execute third-party code on the host — consider using npx or reviewing the package before global install.
Credentials
The skill declares no required env vars or local credentials, which is proportional. However, the integration delegates credential storage/refresh to Membrane (a third-party service), meaning Blackfire access tokens and proxied requests will be visible to and handled by Membrane, so users need to trust that service with sensitive data.
Persistence & Privilege
The skill does not request always:true and makes no claims about modifying other skills or system-wide config. It is user-invocable and can be called autonomously by the agent (platform default), which is expected for integrations.
Assessment
This skill appears to do what it says: it uses the Membrane CLI to broker Blackfire access. Before installing or using it, verify you trust the Membrane service and the @membranehq/cli package (review its npm page and repository), prefer using npx (avoids global installs), and be aware that Membrane will handle and see your Blackfire credentials and proxied API calls. If Blackfire data is sensitive, consider using least-privileged accounts and test in an isolated environment first. Also confirm you are comfortable allowing the agent to run Membrane CLI commands when the skill is invoked.

Like a lobster shell, security has layers — review code before you run it.

latest vk974tc0tep6bwa20npte2svbmx843wn8
