Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Facebook Messenger

v1.0.0

Facebook Messenger integration. Manage Users, Contacts, Stories, Reactions. Use when the user wants to interact with Facebook Messenger data.

by Membrane Dev (@membranedev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly intends to integrate with Facebook Messenger via the Membrane CLI. That purpose aligns with the required actions (connect, run actions, proxy requests) and does not request unrelated services or secrets. However, the skill text relies on Node/npm 'npx' to run @membranehq/cli but the skill metadata does not declare any required binaries (npx/node), which is an inconsistency.
Instruction Scope
The runtime instructions tell the agent to run npx commands that will open a browser for auth and store credentials in ~/.membrane/credentials.json. Those filesystem writes/readbacks are outside the declared manifest (no config paths were listed). The instructions also allow sending arbitrary proxied requests (including full URLs) via Membrane, which could be used to interact with endpoints beyond Facebook Messenger if misused.
Install Mechanism
This is instruction-only with no install spec, but it depends on running npx @membranehq/cli@latest. Using npx downloads and executes a package from the npm registry at runtime (especially @latest), which is a supply-chain risk and higher friction than a declared, reviewed install. The skill should have declared the dependency on npx/node and suggested a pinned version to reduce risk.
Credentials
The manifest lists no required environment variables and no config paths, yet the instructions state that credentials will be stored at ~/.membrane/credentials.json and reused. That implicit storage of credentials is a form of persistent secret material not declared in requires.env or required config paths. The requested access to a Membrane account is proportionate to the integration, but the omission of the config path and the absence of a requirement for npx are notable mismatches.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does, however, instruct the user to create a persistent credential file (~/.membrane/credentials.json) which the CLI will reuse — this is normal for a CLI but is persistent storage on the host and should be understood by the user. Autonomous invocation is allowed by platform defaults (not flagged alone).
What to consider before installing
This skill appears to be a legitimate Messenger integration that uses Membrane's CLI, but it has three practical issues to consider before installing: (1) it relies on npx to fetch and execute @membranehq/cli@latest at runtime — running remote npm packages can be a supply-chain risk, so prefer a pinned version or install the CLI from a trusted source first; (2) the CLI will create and reuse credentials at ~/.membrane/credentials.json (the skill did not declare this config path), so inspect and control that file and its permissions and prefer a test / limited-permission Membrane account for initial use; (3) the proxy command accepts full URLs, which means it can forward arbitrary requests — be careful what inputs you or an agent send through this interface. Additional checks that would raise my confidence: a declared required-binaries entry for node/npx, a recommended pinned version for @membranehq/cli, and explicit mention of the credentials file in the manifest or docs. If you don't trust the Membrane package or cannot audit it, run commands in an isolated environment (container or VM) or avoid running npx @membranehq/cli@latest directly.



