Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Polygon

v1.0.2

Polygon integration. Manage Organizations. Use when the user wants to interact with Polygon data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and command examples clearly target Polygon market-data (polygon.io) actions (tickers, market status, aggregates), but the header description describes the Polygon blockchain (Ethereum-compatible networks). The name and description are inconsistent with the actual actions; a user wanting blockchain/network management would get market-data functionality instead.
Instruction Scope
Instructions are limited to running the Membrane CLI (login, connect, action list/run, request proxy). They do not ask the agent to read local files or arbitrary environment variables. However, proxying requests via Membrane means user data and API paths will be sent to Membrane's service — users must trust Membrane with any request payloads and responses.
Install Mechanism
No built-in install spec; the doc recommends globally installing @membranehq/cli via npm. That's a common route, but global npm packages execute code at install time and at runtime; verify the npm package and its publisher before installing on sensitive systems.
Credentials
The skill requests no environment variables (Membrane handles auth server-side). This is proportionate, but it shifts trust/credential custody to Membrane — the user will authenticate via a browser flow and Membrane will manage tokens. That delegation is expected but important to understand.
Persistence & Privilege
The skill does not request always:true and is not forced into every agent run. There is no indication it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be an instruction-only wrapper around the Membrane CLI for accessing polygon.io market-data, but its top description mistakenly references the Polygon blockchain — clarify with the author before installing. If you intended blockchain network management, do not install; this skill likely won't provide those capabilities. If you proceed: (1) verify the source repo and npm package @membranehq/cli are legitimate; (2) be aware that requests and any request payloads will be proxied through Membrane (you are delegating credentials and data to their service); (3) avoid installing global npm packages on sensitive hosts without auditing the package; and (4) ask the maintainer to fix the README to remove the Polygon/blockchain ambiguity so the purpose is clear.



