Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Snyk
v1.0.2 · Snyk integration. Manage Projects, Organizations. Use when the user wants to interact with Snyk data.
by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Snyk integration) match the instructions: the skill instructs the agent to use the Membrane CLI to connect to Snyk and run/query actions. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md is limited to installing/using the Membrane CLI, creating/listing connections, discovering and running actions, and proxying requests through Membrane. It does not instruct the agent to read unrelated local files, harvest environment secrets, or exfiltrate data to unexpected endpoints. It explicitly advises not to ask users for API keys.
Install Mechanism
This is an instruction-only skill (no install spec), but it recommends installing the Membrane CLI via npm (npm install -g @membranehq/cli). Installing a global npm package is common but has moderate risk (supply-chain/trust considerations). The skill does not reference arbitrary download URLs or extract archives.
Credentials
No environment variables or secrets are required by the skill. The instructions rely on Membrane to manage Snyk credentials server-side, which is proportionate to the purpose. There are no extraneous credential requests.
Persistence & Privilege
Skill is not always-on and is user-invocable; it does not request system-wide persistent privileges or modify other skills' configuration. Normal autonomous invocation is allowed but not excessive here.
Assessment
This skill is coherent: it uses Membrane as a proxy to talk to Snyk and does not ask for unrelated credentials. Before installing, verify you trust the Membrane CLI (@membranehq/cli) because the CLI and Membrane service will handle and see your Snyk access; installing global npm packages has supply-chain risk, so prefer installing from a trusted source and check the package's homepage/repo and version. If you need to run in a locked or offline environment, note the interactive login/browser flow and headless login steps. Finally, confirm your organizational policy about sending Snyk project data through a third-party service (Membrane), since that service will have access to the proxied data.
