ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ffcli

v1.0.1

Query Fireflies.ai meeting data. Use when searching meetings, viewing transcripts, reading AI summaries, extracting action items, or looking up what was disc...

2· 763·2 current·2 all-time
by@ruigomeseu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (query Fireflies meeting data) match the declared requirements: the skill needs the ffcli binary and FIREFLIES_API_KEY. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run ffcli commands (list, show, me) and to authenticate via the CLI or FIREFLIES_API_KEY. It references a local config path (~/.config/ffcli/) only for stored credentials and suggests placing the key in OpenClaw config. It does not instruct reading unrelated files or exfiltrating data to unexpected endpoints.
Install Mechanism
Installers are a Homebrew tap (ruigomeseu/tap/ffcli) and an npm package (@ruigomeseu/ffcli). These are standard distribution channels but are third‑party (personal tap/package). Users should verify the package/repo before installing because installers will install a binary that runs arbitrary code on the system.
Credentials
Only FIREFLIES_API_KEY is required (declared as primary credential). That is appropriate for accessing Fireflies data. Note: this key grants access to meeting data and should be protected; SKILL.md documents both CLI-stored config and environment variable usage.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges or modify other skills. It recommends storing credentials in the CLI config or OpenClaw config, which is normal but worth being mindful of secret storage location.
Assessment
This skill appears to do what it says, but it installs and runs a third‑party CLI that will have the same access as the Fireflies API key you provide. Before installing: (1) review the npm package and Homebrew tap source code and commit history to ensure you trust the maintainer; (2) prefer providing the FIREFLIES_API_KEY via your agent's secret store or environment variable rather than a world‑readable file; (3) inspect ~/.config/ffcli/ after auth to confirm how the key is stored; and (4) be prepared to revoke the API key from your Fireflies account if you see unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97egv5vara1q4vpza5s30d8q1819r3f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsffcli
EnvFIREFLIES_API_KEY
Primary envFIREFLIES_API_KEY

Install

Install ffcli (Homebrew tap)
Bins: ffcli
brew install ruigomeseu/tap/ffcli
Install ffcli (npm)
Bins: ffcli
npm i -g @ruigomeseu/ffcli

Comments