Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Piggy
v1.0.2
Piggy integration. Manage Accounts, Budgets, Goals. Use when the user wants to interact with Piggy data.
by Membrane Dev (@membranedev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly requires the @membranehq/cli, network access, and a Membrane account to operate, but the skill manifest lists no required binaries, env vars, or credentials. This mismatch is a mapping/metadata problem and reduces transparency for reviewers and automated gating.
Instruction Scope
Instructions stay on-topic for a Piggy/Membrane integration (create connections, list actions, run actions, proxy requests to Piggy). However, the 'proxy requests' capability allows arbitrary API calls to the Piggy API via Membrane — expected for this integration but it grants broad access to user Piggy data once a connection is authorized.
Install Mechanism
There is no formal install spec in the registry entry, but SKILL.md instructs installing a global npm package (npm install -g @membranehq/cli). Installing a global CLI is a legitimate step, but in-package metadata should declare this requirement; global npm installs modify the host environment and warrant user review.
Credentials
The skill does not request environment variables or other unrelated credentials. Authentication is delegated to Membrane's browser-based flow, which is consistent with the stated approach of avoiding local API keys.
Persistence & Privilege
always is false and the skill does not request elevated persistence or modify other skills. Autonomous invocation is allowed (platform default), which combined with the ability to run Membrane actions means the agent could act if given a connection, but that's expected for integrations.
What to consider before installing
Before installing or using this skill:
(1) be aware the SKILL.md requires you to install a global npm CLI (@membranehq/cli) and to log into a Membrane account — the manifest should have declared these requirements but didn't;
(2) review the Membrane project (homepage and GitHub repo) to ensure you trust the vendor and the CLI you will install;
(3) when authorizing a Piggy connection, check exactly which scopes/permissions are granted (proxy access can read/write data in your Piggy account);
(4) consider running the CLI in a sandbox or isolated environment if you don't want a global npm install; and
(5) if you want stronger guarantees, ask the skill author/maintainer to update the registry metadata to list required binaries, network access, and the authentication flow so the manifest and runtime instructions match.
If you cannot verify the Membrane CLI/source or are uncomfortable granting broad API proxying, do not install or use the skill.
Like a lobster shell, security has layers — review code before you run it.
