ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Strapi CMS

Manage Strapi CMS content through the official @strapi/client SDK. CRUD on collection types, single types, and media files. Upload files to media library. In...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 485 · 1 current installs · 1 all-time installs
byIlya R.@ilya-ryzhov
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and handlers. Required env vars (STRAPI_API_TOKEN, STRAPI_BASE_URL) and the node runtime are appropriate and necessary for using @strapi/client. Declared permissions (network) and the documented capabilities (CRUD, media upload, schema introspection, i18n) align with the implementation.
Instruction Scope
SKILL.md and instructions.md direct the agent to run the local CLI wrapper (npx tsx src/index.ts) and to use only the declared environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints. Raw fetch functionality is limited to Strapi endpoints (via the client).
Install Mechanism
The package is a normal Node skill (package.json depends on @strapi/client). No arbitrary external download URLs are used. However, the install spec in metadata is unusual: it lists an install item with kind 'node' and package '.' that declares it 'creates' a 'node' binary — that mapping is incoherent (you wouldn't install the Node runtime from the skill package). Also runtime usage expects 'tsx' (a devDependency) invoked via npx, which may cause npx to fetch packages at runtime. These are implementation/packaging oddities rather than indicators of malicious behavior, but worth confirming.
Credentials
Only two environment values are required: STRAPI_API_TOKEN (primary credential) and STRAPI_BASE_URL. Both are necessary and proportionate for accessing a Strapi API. There are no unrelated secrets requested.
Persistence & Privilege
Skill does not request always:true and does not declare any system-wide config changes. Its manifest and instructions operate within the skill's own directory and runtime; autonomous invocation is permitted (platform default) but not combined with elevated privileges.
Assessment
This skill appears coherent and implements a Strapi client CLI as claimed. Before installing: 1) Confirm the skill source/author (homepage is missing and owner ID is unknown). 2) Use a Strapi API token with the minimum permissions you need (prefer a read-only token if you only need inspection). 3) Be aware the skill runs local Node commands (npx tsx ...) and may cause npx to fetch dev tooling at runtime — run in an isolated environment or review package-lock.json first. 4) Schema-write and layout-write operations are destructive and should only be used on development/local instances (the docs already warn about this). 5) Ask the publisher to clarify the install metadata that claims to 'create' a node binary — it looks like a packaging/manifest inconsistency but not an indicator of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
1.0.0vk97aw2b1za3ccqswt02wd72y4h81c07jlatestvk97aw2b1za3ccqswt02wd72y4h81c07j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔵 Clawdis
Binsnode
EnvSTRAPI_API_TOKEN, STRAPI_BASE_URL
Primary envSTRAPI_API_TOKEN

Install

Install Strapi skill dependencies
Bins: node
npm i -g .

SKILL.md

Strapi CMS Skill

Manage content in a Strapi headless CMS instance via the official @strapi/client SDK.

Setup

During installation, enter your Strapi API Token in the API Key field. Then add STRAPI_BASE_URL to the env section:

{
  skills: {
    entries: {
      strapi: {
        enabled: true,
        apiKey: "your-strapi-api-token",     // → STRAPI_API_TOKEN
        env: {
          STRAPI_BASE_URL: "http://localhost:1337/api"
        }
      }
    }
  }
}

Capabilities

  • Collection types: find, findOne, create, update, delete entries
  • Single types: find, update, delete the document
  • Content introspection: discover types, schemas, components, relations, inspect real data
  • Schema management: create/update/delete content types, components, fields (destructive)
  • Form layout: configure edit form field order, sizes, labels, descriptions (local/dev only)
  • Draft & publish: list drafts, publish, unpublish, create as draft or published
  • Files: list, get, upload (local path or URL), update metadata, delete media files
  • Users & Permissions: list, create, update, delete end users; view roles; login, register, password reset
  • Locales (i18n): list, create, delete locales
  • Localized content: CRUD per locale, translation status, fetch all locales at once
  • Raw fetch: direct HTTP to any Strapi endpoint

Usage

See instructions.md for full agent instructions. See examples/usage.md for conversation examples.

Files

20 total
Select a file
Select a file to preview.

Comments

Loading comments…