Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Graphy
v1.0.2
Graphy integration. Manage Organizations. Use when the user wants to interact with Graphy data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with Graphy and instructs use of the Membrane CLI to manage connections and proxy requests — this is a coherent approach. However, the descriptive text is inconsistent (first it describes Graphy as a social media tool, while the action examples reference orders/enrollments/courses), and the SKILL.md does not declare that the 'membrane' binary is required even though the runtime instructions rely on it.
Instruction Scope
Instructions focus on installing and using the Membrane CLI, logging in (browser-redirect or headless flow), creating connections, running actions, and proxying API requests. They do not ask the agent to read unrelated files or environment variables. The scope is mostly appropriate, but the doc assumes the agent or user will install and run global npm commands and open authentication flows in a browser.
Install Mechanism
There is no formal install spec (instruction-only). The SKILL.md tells users to run 'npm install -g @membranehq/cli' — a normal but privileged operation (global npm install) that downloads code from the npm registry. This is expected for using the Membrane CLI but should be considered moderate risk because it installs code on the host.
Credentials
The skill asks for no environment variables or secrets and explicitly instructs to avoid asking users for API keys (use Membrane-managed connections). It does require a Membrane account and network access, which is reasonable for the stated functionality but is not declared in requires.env.
Persistence & Privilege
The skill is instruction-only, does not request always:true, and does not attempt to modify other skills or system-wide agent settings. It has normal, non-persistent privileges.
What to consider before installing
This skill appears to be a Membrane-backed Graphy integration and will ask you to install and run the Membrane CLI (npm install -g @membranehq/cli) and to authenticate via a browser flow. Before installing or using it:
1) Confirm you trust the Membrane project and the npm package source; global npm installs modify your system and may require elevation.
2) Verify the Graphy product you use matches the examples here (the doc mixes social-media wording with orders/enrollments/courses — this looks like copy-paste).
3) Expect browser-based auth (or a headless URL/code flow) and network calls to Membrane/Graphy; no local secrets are requested by the SKILL.md.
4) Ask the skill author to declare the 'membrane' binary in requirements and to fix the inconsistent description if you want higher confidence.
If you cannot verify the package origin or the mismatch in descriptions, proceed cautiously.
Like a lobster shell, security has layers — review code before you run it.
