ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Webiny

v1.0.0

Webiny integration. Manage data, records, and automate workflows. Use when the user wants to interact with Webiny data.

0· 27·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description (Webiny integration) match the instructions: it uses the Membrane CLI to discover actions, create a connection, run actions, and proxy requests to Webiny. Requiring a Membrane account (not listed as an env var) is explained in the SKILL.md and is appropriate for this integration.
Instruction Scope
All runtime instructions are limited to installing and using the @membranehq/cli to authenticate and call Webiny via Membrane. The doc explicitly advises creating a connection (browser-based auth) rather than asking for API keys. One thing to note: the 'membrane request' command can proxy arbitrary paths and bodies to the Webiny API via Membrane, which means request payloads and any sensitive data included in them will be transmitted to the Membrane service — this is intended behavior for a proxy but important for users to understand.
Install Mechanism
The skill has no install spec (instruction-only). It tells users to run `npm install -g @membranehq/cli` which downloads a public npm package; this is a normal and expected mechanism for a CLI integration but does install a global binary on the host. Verify the package provenance on npm and your org policy about global npm installs if relevant.
Credentials
The skill declares no required environment variables or credentials and the instructions rely on an interactive Membrane connection flow (browser login / headless completion). That aligns with the stated approach of letting Membrane manage credentials server-side and avoids asking for local secrets.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It is user-invocable and allows normal autonomous invocation by the agent (the platform default). There is no persistent install performed by the skill metadata itself.
Assessment
This skill is an instruction-only integration that requires you to install the Membrane CLI and create a Membrane account/connection. Before using it: (1) confirm you trust the Membrane service (requests are proxied through their servers and could include any data you send), (2) verify the @membranehq/cli package on npm (publisher and version) if installing globally, (3) understand that 'membrane request' can send arbitrary payloads to Webiny via Membrane — avoid sending secrets unless you trust the destination, and (4) if you operate in locked-down or audited environments, check policy on global npm installs and third-party proxies.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ek7eg5e642wc5sbh386nxx84635j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments