Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
zion-baas-skill
v1.0.3
Instructions and authentication code for building headless BaaS applications with Zion.app (functorz.com). Use when integrating Zion backend features like Gr...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, GraphQL endpoints, Meta API endpoints, and the bundled scripts (auth, fetch-token, gql, subscribe, meta) all align with a headless BaaS integration for Zion.app. Required capabilities (OAuth, email login, fetching runtime admin token) match the stated functionality; there are no unrelated cloud credentials or extraneous services requested.
Instruction Scope
SKILL.md and README instruct the agent/user to obtain developer/admin JWTs, run the included Node/TS scripts, and persist credentials in a .zion/credentials.yaml file. This scope is expected for a BaaS helper. Caveat: the docs sometimes tell you to cd into the skill directory (e.g., ~/.openclaw/skills/zion_baas/scripts) while elsewhere implying .zion should live in the user's project root; the scripts use process.cwd() to determine where to read/write .zion, so where you run them determines where tokens are saved. The skill also asks for username/password (for email login) — expected, but sensitive.
Install Mechanism
There is no automated install spec (instruction-only skill), so nothing will be silently downloaded/executed by the platform. The bundle includes Node scripts and a package.json that depends on common npm libraries (graphql-request, js-yaml, open, ws), which is proportionate to the functionality. No external ad-hoc download URLs or archive extraction are present.
Credentials
The skill requests no platform environment variables, but it does require you to provide developer/admin JWTs and (optionally) user credentials; these are necessary for the stated tasks. Those tokens (developer_token and project.admin_token) grant administrative access to a Zion project at runtime — appropriate for the skill but high privilege in practice. Storing email/password and admin tokens locally is sensitive and should be done intentionally.
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform privileges. Its persistence is local: it writes/reads .zion/credentials.yaml in the current working directory (or wherever the user runs the scripts). It does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says (connect to Zion.app and manage tokens), but the tokens it stores are powerful. Before installing or running scripts:
1) Inspect the scripts yourself (they are included) and confirm the endpoints (auth.functorz.com, zionbackend.functorz.com, zion-app.functorz.com) are expected.
2) Be explicit about where you run the scripts — they write .zion/credentials.yaml under the current working directory; if you follow the README and run from the skill directory, credentials will be saved there (not your separate project).
3) Prefer using a limited-scope or test Zion account when authenticating; avoid entering primary/production credentials unless you trust the code and destination.
4) Run in an isolated environment (container or dedicated machine) if you’re unsure.
5) Rotate or revoke tokens when no longer needed and remove credential files.
If you want to be extra cautious, run only the read-only commands (search-projects, fetch-schema) and avoid saving admin tokens on disk unless necessary.
Suspicious patterns
scripts/fetchRuntimeToken.ts:100
File read combined with network send (possible exfiltration).
scripts/gql.ts:33
File read combined with network send (possible exfiltration).
scripts/meta.ts:67
File read combined with network send (possible exfiltration).
scripts/subscribe.ts:34
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.