ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bluecart Api

v1.0.2

BlueCart API integration. Manage data, records, and automate workflows. Use when the user wants to interact with BlueCart API data.

0· 96·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description state a BlueCart API integration and the SKILL.md references BlueCart docs and entities, so the high-level purpose is consistent. However the SKILL.md contains an extremely large, indiscriminate list of entities and compliance items unrelated to a focused BlueCart integration, which looks like scope creep or copy-paste noise.
!
Instruction Scope
The instructions are instruction-only (no install or code) and do not appear to include explicit commands that access system files or run code, which is lower risk. However the SKILL.md header says it 'Requires network access and a valid Membrane account' but the body does not specify how to authenticate to BlueCart (no example auth flow, no mention of API keys, tokens, or OAuth). That ambiguity gives the agent broad discretion at runtime and is a missing, important detail.
Install Mechanism
No install spec and no code files — instruction-only — so nothing will be written to disk or downloaded during install. This is the lowest install risk.
!
Credentials
The skill declares no required environment variables or primary credential, yet states a Membrane account is required and presumably needs BlueCart authentication to call the API. The absence of declared credentials (API key/OAuth) is an inconsistency: it's unclear whether the skill expects the user to paste credentials at runtime, use a Membrane-managed secret, or will request unspecified secrets. This mismatch increases risk because the agent may prompt for or attempt to access credentials without clear boundaries.
Persistence & Privilege
always is false and there is no install step that persists files or modifies other skills/config. The skill does not request elevated or persistent placement — normal autonomy applies.
What to consider before installing
This skill looks like a documentation/integration helper for BlueCart but is vague about authentication and contains a lot of unrelated content. Before installing or enabling it, ask the publisher: (1) how does it authenticate to BlueCart (API key, OAuth, or via Membrane)? (2) where are credentials stored or sent? (3) can you provide the exact runtime steps the agent will take (example API calls)? Because the source is 'unknown' and the SKILL.md lacks declared env vars, avoid providing global or production credentials — test in a sandbox account, use least-privilege API keys, and only enable network access after you understand the auth flow. If the publisher cannot clearly explain these points, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9791dnajfch9r57ct181f248h84271x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments