Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pixiebrix
v1.0.2PixieBrix integration. Manage Persons, Organizations, Deals, Leads, Projects, Activities and more. Use when the user wants to interact with PixieBrix data.
⭐ 0· 152·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (PixieBrix integration) aligns with instructions that use Membrane to manage connections and proxy API calls to PixieBrix. However, SKILL.md requires installing the @membranehq/cli via npm and a Membrane account, yet the skill metadata declares no required binaries or primary credentials — an inconsistency between declared requirements and runtime steps.
Instruction Scope
SKILL.md instructs only to install and run the Membrane CLI, create connections via browser-based OAuth, list actions, run actions, and optionally proxy arbitrary PixieBrix API calls through Membrane. It does not direct reading arbitrary local files or unrelated environment variables. The ability to proxy arbitrary endpoints is within the stated purpose but does enable broad API access via the Membrane layer.
Install Mechanism
There is no install spec in the registry metadata, yet SKILL.md asks the operator to run `npm install -g @membranehq/cli` (a global npm install). This is a moderate-risk action because it pulls code from the npm registry into the environment and requires node/npm to be present — neither declared in the metadata. Instruction-only skills that require external installable tooling should declare that dependency to avoid surprise downloads.
Credentials
The skill does not request environment variables or secret tokens in metadata and explicitly advises against asking users for API keys (it relies on Membrane-managed connections). That is proportional to the stated purpose. Note: the CLI and Membrane server-side may store credentials locally or server-side as part of login flows; this is normal but worth being aware of.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed (platform default). The skill does not request elevated or always-on privileges in its metadata, nor does it instruct modifying other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (use Membrane to talk to PixieBrix) but it has a notable metadata/instruction mismatch: SKILL.md tells you to install a global npm package (@membranehq/cli) and to log in via browser, yet the registry entry doesn't declare npm/node or any install step. Before installing or running this skill: 1) Verify you trust the @membranehq/cli package and its publisher on npm and prefer an explicit version (avoid unpinned 'latest'). 2) Understand that a global npm install will add code to the machine the agent runs on and the CLI will open browser-based auth and may persist tokens (or use Membrane server-side storage). 3) If you run agents in restricted environments, confirm whether global installs are allowed or whether the platform should provide a vetted, preinstalled Membrane CLI. 4) Ask the publisher to update metadata to declare required binaries (node/npm) and to provide an install spec or signed release to reduce surprise downloads.Like a lobster shell, security has layers — review code before you run it.
latestvk9776bwgxf6dsqctr0gn7ae6j9843tn7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.