Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sourcegraph

v1.0.0

Sourcegraph integration. Manage data, records, and automate workflows. Use when the user wants to interact with Sourcegraph data.

by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to integrate with Sourcegraph and all runtime instructions direct the agent to use the Membrane CLI and Membrane connections to talk to Sourcegraph. Requesting a Membrane account and network access is coherent with this design. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md limits actions to installing/using the Membrane CLI, creating connections, listing actions, running actions, and proxying HTTP requests to Sourcegraph via Membrane. It does not instruct reading arbitrary local files or accessing unrelated environment variables. Browser-based auth and headless login flows are described and expected for this integration.
Install Mechanism
There is no registry install spec (the skill is instruction-only), but the doc tells the user to run `npm install -g @membranehq/cli` or use `npx`. Installing a global npm package is a normal but non-trivial step; it relies on the public npm package @membranehq/cli. This is a moderate-risk action only because it pulls third-party code from the npm registry — the registry metadata itself does not perform the install automatically.
Credentials
The skill requests no environment variables or local secrets. However, operationally it delegates credential handling to Membrane (a third-party service) and instructs the user to authenticate via browser flows. That delegation is coherent but significant: the user's Sourcegraph credentials/access will be managed by Membrane rather than stored locally.
Persistence & Privilege
Skill flags are default (not always-enabled, user-invocable, agent may call it autonomously). The skill does not request persistent system-wide privileges or modify other skills. No elevated persistence is requested.
Assessment
This skill is coherent but relies on the Membrane service as a proxy/auth broker. Before installing or running the CLI commands:
1) Verify you trust getmembrane.com and the @membranehq/cli package on npm (check publisher, README, and code if possible).
2) Understand that Membrane will manage your Sourcegraph authentication—you are delegating access to a third-party service.
3) Prefer using npx or a local install if you don't want a global npm package; inspect the package version and release source.
4) If you require stricter control over credentials, consider connecting to Sourcegraph directly instead of using a proxying service.

Like a lobster shell, security has layers — review code before you run it.
