Erxes
v1.0.4
Manage contacts, companies, products, tags, documents, brands, automations, team members, and organization data on an erxes instance. Use when the user wants...
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description (manage erxes data) aligns with the included GraphQL reference and the login helper script. However, the registry metadata lists no required environment variables, while SKILL.md and the login script clearly require ERXES_BASE_URL (and optionally ERXES_CLIENT_ID). This metadata mismatch is an incoherence that could lead to improper installation or unexpected failures.
Instruction Scope
SKILL.md confines runtime activity to authenticating via Device Flow and making GraphQL calls to the provided ERXES_BASE_URL; the GraphQL docs enumerate only erxes operations. But the login script prints the full session JSON (including accessToken/refreshToken) to stdout even though SKILL.md instructs to 'keep this payload in memory' and 'do not store tokens in project files'. Printing tokens to stdout increases the chance of accidental logging or exfiltration (agent logs, CI logs, terminal history). There are no instructions to send data to any endpoint other than the provided ERXES_BASE_URL.
Install Mechanism
Instruction-only skill with a small helper script; no install spec, no downloads, and no packages installed. Low install-time risk.
Credentials
The runtime actually requires ERXES_BASE_URL and optionally ERXES_CLIENT_ID (used by the script). The registry metadata claims no required env vars — that mismatch is confusing. There are no other credentials, unrelated secrets, or config paths requested.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (default) but is not combined with any broad credential access or always:true, so there are no exceptional persistence concerns.
What to consider before installing
This skill appears to do what it says (authenticate to an erxes gateway and make GraphQL calls), but check two things before installing: (1) The skill requires ERXES_BASE_URL (and optionally ERXES_CLIENT_ID) even though the registry metadata doesn't list them — set ERXES_BASE_URL correctly. (2) The login helper prints the full token JSON to stdout; that can expose tokens in logs. If you will run this in environments where stdout is logged or accessible, prefer using a safer method (capture only the access token into memory) or confirm your agent environment does not persist logs. Also confirm you trust the erxes instance URL you provide. If you want stronger assurances, ask the skill author to fix the metadata to declare ERXES_BASE_URL and to avoid printing refresh/access tokens to stdout.
erxes – Capabilities
Login
Use scripts/login.sh for authentication.
ERXES_BASE_URL=<url> ERXES_CLIENT_ID=${ERXES_CLIENT_ID:-erxes-local} bash scripts/login.sh
- ERXES_BASE_URL is required. ERXES_CLIENT_ID is optional and defaults to erxes-local.
- Accept the URL in whatever form the user gives and normalize it to ERXES_BASE_URL=<url>.
- Do not explain OAuth internals unless the user asks.
- Do not ask the user to copy tokens manually.
- Do not store tokens in project files.
- The script opens the browser, waits for approval, and prints a session JSON payload to stdout.
Read erxes-app-token-auth.md only when you need the quick login reference.
API calls
After login, use the returned session payload directly.
- Read accessToken from the login JSON response.
- Send Authorization: Bearer <accessToken> and erxes-subdomain: <subdomain> headers on GraphQL calls.
- If the access token expires during the current task, use the in-memory refreshToken to get a new access token.
- Do not write tokens to .auth.json or any other project file.
- Read erxes-graphql-api.md only when you need query or mutation examples.
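As an added example (not part of the skill's own scripts), the following Python wrapper runs the login helper with its stdout captured so the session payload stays in memory instead of reaching the terminal or agent logs, builds the Authorization and erxes-subdomain headers described above, and redacts token fields before anything is logged. The helper command, the environment, and the subdomain field in the constructed sample JSON are assumptions.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of the session JSON the login helper prints. Only the
# accessToken/refreshToken keys are documented; "subdomain" is an assumption.
SAMPLE_SESSION_JSON = (
    '{"accessToken": "at-EXAMPLE-123", "refreshToken": "rt-EXAMPLE-456", '
    '"subdomain": "acme"}'
)

SECRET_KEYS = ("accessToken", "refreshToken")


def parse_session(raw_stdout: str) -> Dict[str, str]:
    """Parse the helper's stdout into an in-memory dict; never write it to disk."""
    session = json.loads(raw_stdout)
    if "accessToken" not in session:
        raise ValueError("login payload has no accessToken")
    return session


def login_in_memory(cmd: List[str], env: Dict[str, str]) -> Dict[str, str]:
    """Run scripts/login.sh with stdout captured so tokens are not echoed.

    cmd is e.g. ["bash", "scripts/login.sh"] and env must carry ERXES_BASE_URL
    (assumed invocation; the helper still opens the browser for approval).
    """
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return parse_session(proc.stdout)


def graphql_headers(session: Dict[str, str], subdomain: str) -> Dict[str, str]:
    """Headers for a GraphQL call, built from the in-memory session only."""
    return {
        "Authorization": f"Bearer {session['accessToken']}",
        "erxes-subdomain": subdomain,
        "Content-Type": "application/json",
    }


def redact(session: Dict[str, str]) -> Dict[str, str]:
    """Copy of the session that is safe to log: token values are replaced."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in session.items()}


def leaks_token(text: str, session: Dict[str, str]) -> bool:
    """True if a log line or stdout capture contains any token value verbatim."""
    return any(session[k] in text for k in SECRET_KEYS if k in session)
```

Pass any log line through leaks_token() before it is persisted; the raw payload trips it, the redact() copy does not.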
Contacts
- View the list of all contacts
- Search by name, email, or phone
- View a contact's details
- Group by type (customer / lead / visitor)
- Add a new contact
- Edit contact information
- Delete a contact
- Merge duplicate contacts
Products
- View the product list
- View a single product's details
- Add a new product
- Edit, delete, and merge products
- Manage categories and units of measure
Tags
- View all tags
- Add, edit, and delete tags
- Attach tags to contacts or products
Documents
- View the document list
- Add, edit, and delete documents
Brands
- View the brand list
- Add, edit, and delete brands
Automations
- View the list of all automations
- Add, edit, activate, and delete automations
Organization structure
- View the structure of departments, branches, units, and positions
- Add, edit, and delete departments, branches, units, and positions
Team members
- View the member list
- Invite a new member
- Edit member information
- Deactivate a member
References
- scripts/login.sh — Browser login helper
- erxes-app-token-auth.md — Quick login reference
- erxes-graphql-api.md — Technical reference for the operations