ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Abstract Ip Geolocation Api

v1.0.0

Abstract - Email Verification API integration. Manage data, records, and automate workflows. Use when the user wants to interact with Abstract - Email Verifi...

0· 12·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The package name/metadata (Abstract Ip Geolocation Api) conflicts with the SKILL.md content (Abstract - Email Verification API). This mismatch could be accidental or misleading; it reduces trust because a user expecting IP geolocation functionality would get an email-verification integration instead.
Instruction Scope
SKILL.md stays within the described integration purpose (calls to Abstract Email Verification via Membrane). It instructs installing and using the Membrane CLI, connecting via browser auth, listing/running actions, and proxying raw requests. One notable scope issue: proxying requests through Membrane means request payloads (email addresses, query params, etc.) and possibly responses will transit Membrane servers — an important privacy/attack-surface consideration but consistent with the stated use of Membrane.
Install Mechanism
There is no automated install spec in the registry (instruction-only). SKILL.md tells the user to run 'npm install -g @membranehq/cli' which is expected for using Membrane, but it is a global npm install (requires npm/node on the host). No obscure downloads or extract operations are recommended.
Credentials
The skill declares no required environment variables or local credentials and explicitly advises letting Membrane manage credentials. That is proportionate for a Membrane-based connector.
Persistence & Privilege
Skill flags are default (not always:true). No install-time modifications, no config paths requested, and no claims of persistent/privileged system access.
What to consider before installing
Key things to consider before installing or using this skill: - Name mismatch: The skill is labeled 'Abstract Ip Geolocation Api' but the instructions implement Abstract's Email Verification API via Membrane. Confirm with the publisher which API the skill actually targets before trusting it for a different purpose. - Third-party proxy: All requests are routed through Membrane's service (you must create a Membrane connection and authenticate via browser). That means request/response data (including personal data such as email addresses) will transit Membrane servers. Verify Membrane's privacy, retention, and compliance policies if you handle sensitive data. - Install step: The guide asks you to globally install @membranehq/cli via npm. That is a normal step but requires you to trust that package. Consider installing in a controlled environment or reviewing the package source (repo is listed) before global install. - No local secrets requested: The skill advises not to provide API keys directly and declares no env vars — good. Still confirm the connection and permissions created in Membrane are limited to what you expect. - Autonomous invocation: The skill can be invoked by the agent (default). If you permit autonomous agents, be aware they may call the connector and send data to Membrane without interactive confirmation. If you want stronger assurance, ask the publisher to correct the name/description mismatch, provide a direct link to the specific connector documentation or GitHub source, and verify the Membrane connector ID and scope in a test account before using with production data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fs4drbcqcnpssmhbj6t0reh84cf2j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments