ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Metriql Docs

v1.0.2

Metriql Docs integration. Manage data, records, and automate workflows. Use when the user wants to interact with Metriql Docs data.

0· 68·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description (Metriql Docs integration) align with the instructions: it uses the Membrane CLI to discover connectors, create connections, list actions, run actions, and proxy requests to the Metriql Docs API. Required capabilities (network and a Membrane account) are appropriate.
Instruction Scope
The SKILL.md limits runtime actions to installing/using the Membrane CLI and running commands (login, connect, action list/run, request). It does not instruct reading local secrets or unrelated files. However, the skill routes arbitrary API requests and proxied calls through Membrane, so using it means giving Membrane access to the requested Metriql data—this is expected but requires trust in the third party.
Install Mechanism
No install spec is included in the skill bundle (instruction-only). The README recommends installing @membranehq/cli via npm (global install) or using npx; installing a global npm CLI is a normal approach but carries the usual supply-chain/trust considerations for third-party packages.
Credentials
The skill declares no required environment variables, credentials, or config paths. All authentication is delegated to Membrane (browser-based login/session), which is proportionate to the described purpose.
Persistence & Privilege
The skill is not always-enabled and does not request unusual privileges or persistent system changes. It is instruction-only and will only act when the agent invokes the recommended Membrane CLI commands.
Assessment
This skill is internally consistent but depends on the third-party Membrane service and CLI. Before installing or using it: (1) verify the @membranehq/cli npm package publisher and check the project's GitHub repo/homepage; (2) prefer using npx (ephemeral) if you do not want a global install; (3) understand that Membrane will proxy API calls and therefore have access to any Metriql data you request—review Membrane's privacy/security docs and trust posture; (4) run initial installs in an isolated/dev environment if you are cautious; (5) do not provide unrelated credentials—follow the skill's guidance to authenticate via Membrane's browser flow.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790rvyvve0kr620rjw2h20r98430bj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments