Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Actian

v1.0.0

Actian integration. Manage data, records, and automate workflows. Use when the user wants to interact with Actian data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (Actian integration) matches the actual instructions: it directs the agent to use the Membrane CLI to create connections, list actions, run actions, and proxy requests to Actian. Requiring a Membrane account and network access is coherent with the stated purpose.
Instruction Scope
The SKILL.md stays within integration scope (discover actions, run actions, proxy API calls). It does instruct installing and using the Membrane CLI and logging in via browser. It does not ask the agent to read local files or unrelated env vars. Important caveat: using 'membrane request' will transmit Actian data through Membrane's servers — this is expected but is a behavioral consideration (third-party data flow).
Install Mechanism
There is no automated install spec in the registry; the doc tells the user to run 'npm install -g @membranehq/cli'. That's a public npm package install (moderate risk compared to no install). The package source appears to be Membrane (@membranehq) and a homepage/repo are provided; you should verify the npm package and repository (publisher, version, recent activity) before installing globally.
Credentials
The skill declares no required env vars or credentials and explicitly recommends using Membrane connections (not local API keys). That is proportionate to the stated functionality. Note: credentials will be managed server-side by Membrane, so sensitive data and tokens will be stored/handled by that service — confirm you trust the provider and their security/privacy practices.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide config, and has no install-time persistence described in the manifest. The only persistent action is installing the Membrane CLI if the user chooses to do so.
Assessment
This skill is internally coherent: it tells you to install and use the Membrane CLI to interact with Actian. Before installing or using it, verify the @membranehq/cli npm package and GitHub repository (publisher identity, recent commits, issues, and npm download/maintainer info). Remember that using the proxy will send your Actian data through Membrane's servers — if that is sensitive, confirm Membrane's privacy/security posture or test with non-sensitive data first. Installing a global npm package writes binaries to your system; prefer installing in a controlled environment or review the package contents if you are unsure.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b183qefzcgya90dgqsr8zz584e6q0
