ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wb

v1.0.0

W&B integration. Manage data, records, and automate workflows. Use when the user wants to interact with W&B data.

0· 21·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to integrate with W&B via Membrane and all runtime instructions revolve around the @membranehq/cli, which is coherent with the stated purpose. However, the skill metadata lists no required binaries while the SKILL.md assumes the presence (or installation) of npm/node and the membrane CLI; that mismatch is likely an oversight but worth noting.
Instruction Scope
SKILL.md confines actions to using the Membrane CLI to create connections, list actions, run actions, and proxy requests to the W&B API. This stays within the stated purpose. Two operational caveats: (1) proxy requests can forward arbitrary API paths through Membrane — avoid sending sensitive secrets in request bodies unless you trust the Membrane service; (2) headless login steps and browser-based authentication are described, which is normal but require user attention.
Install Mechanism
There is no install spec in the registry metadata, but the instructions explicitly recommend installing @membranehq/cli via npm -g (or using npx). Installing a public npm package globally is a moderate-risk operation compared to an instruction-only skill — it's expected for this integration but the registry should have declared the dependency or required binaries (npm, node, membrane) to avoid confusion.
Credentials
The skill requests no environment variables or credentials and explicitly instructs not to ask users for API keys, relying on Membrane to manage auth. This is proportionate to the described functionality. Users should still be aware that Membrane will hold the connection credentials server-side.
Persistence & Privilege
The skill does not request always:true, has no install-time configuration in the registry, and is user-invocable. It does not request elevated or persistent platform privileges beyond normal CLI usage.
Assessment
This skill appears to be what it says: a W&B integration that uses Membrane's CLI. Before using it: (1) ensure you have node/npm if you plan to install the CLI (or prefer npx to avoid a global install); the registry metadata should have declared those binaries but does not — note that mismatch. (2) Verify you trust Membrane (getmembrane.com / @membranehq/cli on npm and their GitHub repo) because the service will hold W&B credentials and will proxy arbitrary API requests on your behalf. (3) Prefer using connection-based auth (as described) rather than pasting API keys into prompts. (4) Consider using npx (or inspecting the npm package source) instead of a global npm install if you want lower risk. If you need higher assurance, ask the publisher for a declared install spec, the exact npm package version to use, and links to the published package and repository commit used for this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e4hggqckj06rrzhdpwnksdd847stw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments