ClawHub

Graphhopper

v1.0.2

GraphHopper integration. Manage Maps. Use when the user wants to interact with GraphHopper data.

0· 113·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (GraphHopper integration) matches the runtime instructions: all guidance is about using the Membrane CLI to connect to GraphHopper and run actions or proxy requests. No unrelated environment variables, binaries, or config paths are required.
Instruction Scope
SKILL.md instructs the agent (and user) to install and use the Membrane CLI, run browser-based login, create connections, list actions, run actions, or proxy arbitrary API paths through Membrane. These steps are within the stated purpose, but the proxy capability lets the agent forward arbitrary requests to external endpoints using the connected account — so any data passed to the proxy will be sent to GraphHopper (via Membrane) and should be considered exfiltration-prone if it contains sensitive data.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md directs users to run `npm install -g @membranehq/cli`. Installing a global npm package is a reasonable way to get the CLI, but the package comes from the public npm registry and should be vetted (review the package, publisher, and repository) before global installation.
Credentials
The manifest declares no required environment variables, and the instructions explicitly avoid asking for API keys (relying on Membrane-managed connections). No unrelated credentials or high-privilege env paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation (disable-model-invocation: false) is the platform default. There is no request to modify system-wide configs or other skills. Note: autonomous invocation plus an active Membrane connection increases blast radius if a malicious agent action were possible, but that is not a problem unique to this skill.
Assessment
This skill appears to do what it claims — it delegates GraphHopper work to Membrane. Before installing or using it: (1) verify the @membranehq/cli package (publisher, GitHub repo, recent release/activity) before running npm -g; (2) when creating a Membrane connection, review what permissions and data the connection will allow (it can proxy arbitrary API calls); (3) avoid sending sensitive data through the proxy or into actions you don't understand; (4) prefer installing the CLI in a controlled or containerized environment if you have security concerns; (5) monitor your Membrane account activity/audit logs and revoke connections you no longer trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk972pg2v4dwwkcb5vk0nrhcb85843h3h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments