ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Adalo

v1.0.2

Adalo integration. Manage data, records, and automate workflows. Use when the user wants to interact with Adalo data.

0· 123·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (Adalo integration) align with the instructions: all runtime steps describe installing/using the Membrane CLI to connect to Adalo, discover actions, run actions, or proxy API requests. Nothing requested or described appears unrelated to managing Adalo data.
Instruction Scope
SKILL.md only instructs installing and using the Membrane CLI, logging in, creating/using connections, listing and running actions, and proxying requests to Adalo. It does not instruct reading arbitrary local files, exporting unrelated environment variables, or exfiltrating data to unexpected endpoints. It does include headless login guidance and commands that can perform destructive operations (e.g., delete-collection-record), which is expected for a data-management integration.
Install Mechanism
This is an instruction-only skill but tells users to run `npm install -g @membranehq/cli`. That is a reasonable way to obtain the referenced CLI, but installing a global npm package is a user action with moderate risk; the skill itself does not include an automated install spec. Verify the npm package name, publisher, and package integrity before installing.
Credentials
The skill declares no required environment variables or config paths. It relies on Membrane to manage credentials and instructs users to create connections via the CLI/browser flow. There are no excessive or unrelated credential requests in the instructions.
Persistence & Privilege
The skill is not always-on and does not request persistent system privileges. It is instruction-only and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (platform behavior) but not combined with other privilege escalations here.
Assessment
This skill appears to do what it says: it delegates Adalo access to the Membrane CLI. Before installing or using it: 1) Verify the npm package (@membranehq/cli) and the publisher on the npm registry and consider installing in a controlled environment rather than globally if you prefer; 2) When you run `membrane login` and create a connection, review the OAuth/permission screens in your browser to ensure you are granting only the expected permissions; 3) Be aware that action commands can modify or delete data (e.g., delete-collection-record) — confirm intent before running destructive commands; 4) If you have an enterprise policy, confirm that sending requests through Membrane (a third-party service) is acceptable for your data; 5) If you want stronger assurance, inspect the upstream repository/homepage (getmembrane.com and the GitHub repo) and the CLI source before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk979zj7fwn1yxgbev7t9qea2qn842d7p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments