Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gtmetrix
v1.0.2
GTmetrix integration. Manage Accounts. Use when the user wants to interact with GTmetrix data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to integrate with GTmetrix and all runtime instructions use the Membrane CLI and Membrane connectors to call GTmetrix — that is coherent. Minor inconsistency: the registry metadata lists no required binaries, but SKILL.md explicitly instructs installing `@membranehq/cli` (global npm install). The skill also requires a Membrane account (not declared in metadata).
Instruction Scope
SKILL.md stays on‑topic: it only instructs installing and using the Membrane CLI, creating connections, listing actions, running actions, and proxying requests to the GTmetrix API via Membrane. It does not instruct reading unrelated local files or requesting unrelated environment variables. It does, however, direct traffic through Membrane (proxying) which is expected but important to note.
Install Mechanism
There is no install spec in the registry, but the instructions recommend `npm install -g @membranehq/cli` (a public npm package). Using npm is a common install path (moderate risk). The registry should have declared the CLI as a required binary; its absence is a metadata omission but not inherently malicious.
Credentials
The skill requests no local environment variables or secrets. Authentication is handled via Membrane (browser OAuth/login), so GTmetrix credentials are managed server‑side by Membrane. This is proportionate for the described purpose but has privacy/third‑party trust implications — you will be delegating credential storage and proxied API access to Membrane.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and is user‑invocable only. It uses normal agent invocation settings and does not request elevated system presence.
Assessment
What to consider before installing:
- This skill expects you to install the Membrane CLI (`npm install -g @membranehq/cli`) and to sign in to a Membrane account. The registry metadata omits that dependency — verify the CLI package on npm and the publisher before installing.
- Using the skill means delegating GTmetrix authentication and API traffic to Membrane (they will proxy requests and manage credentials). If you have strict data/credential policies, review Membrane's privacy/security practices and confirm you trust that third party.
- Global npm installs modify your system PATH and can run arbitrary code; prefer to inspect the package (or use a scoped/local install) if you have concerns.
- The skill otherwise stays on‑topic and does not ask for unrelated secrets or local file access. If you want extra assurance, check the @membranehq/cli repository and the Membrane homepage/repository referenced in SKILL.md before proceeding.

Like a lobster shell, security has layers — review code before you run it.
