Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fibery

v1.0.2

Fibery integration. Manage Workspaces. Use when the user wants to interact with Fibery data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match a Fibery integration (expected). However the SKILL.md explicitly states "Requires network access and a valid Membrane account" and references Fibery API, yet the registry metadata shows no required environment variables or primary credential (no Fibery API key, OAuth client, or Membrane token declared). That is an incoherence: a connector to Fibery normally needs credentials.
Instruction Scope
This is an instruction-only skill whose runtime document references network calls and account usage. The visible parts do not instruct reading local files or unrelated system credentials, but the SKILL.md is vague about how auth is provided (no declared env vars and no clear instruction to use platform-provided credentials). Vague or missing auth flow grants the agent broad discretion about where to obtain credentials at runtime.
Install Mechanism
No install spec and no code files — lowest-risk delivery mechanism. Nothing will be written to disk by an installer because the skill is instruction-only.
Credentials
The skill claims it needs a Membrane account and to talk to Fibery, which implies tokens or OAuth credentials, yet requires.env and primary credential are empty. That mismatch means it's unclear what secrets are needed or where they would be read from (user prompt, platform secrets, pasted into chat, etc.). This lack of declared credential requirements is disproportionate to the stated purpose and reduces transparency about secret handling.
Persistence & Privilege
always is false (not force-installed), and there is no install step that would persist files or modify other skills. The skill does not request elevated or permanent platform presence.
What to consider before installing
This skill appears to be an instruction-only Fibery connector but does not declare how credentials are provided. Before installing:
1) Check the full SKILL.md for an explicit auth section that says how to supply Fibery/Membrane credentials (env vars, OAuth redirect, or interactive prompt).
2) If the skill asks you to paste API tokens into chat or prompts, avoid doing so — prefer OAuth or short-lived tokens.
3) Ask the publisher (repository/homepage) for an explicit credential flow and confirm where tokens are stored and whether they are transmitted to external endpoints.
4) If you test it, use an isolated Fibery/Membrane account and revoke any tokens afterward.
5) If the platform supports per-skill secret binding, prefer that over typing secrets into conversational prompts.
Providing those answers (or seeing declared env vars/explicit auth instructions) would likely move this assessment to benign.


latest vk9713wndkn1a9dtqnfdry27xg9842nht
