ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Airtable

v1.0.2

Airtable integration. Manage project management data, records, and workflows. Use when the user wants to interact with Airtable data.

0· 303·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Airtable integration) matches the SKILL.md instructions: it tells the agent/user to use the Membrane CLI to connect to Airtable, list bases/records, run actions, or proxy raw Airtable API calls. Requiring a network connection and a Membrane account is coherent with this purpose.
Instruction Scope
The instructions are limited to installing and using the Membrane CLI, authenticating via browser, creating/listing connections, running actions, and proxying Airtable API requests. They do not instruct reading unrelated local files, scanning system config, or exfiltrating data to unexpected endpoints beyond Membrane/Airtable. They do permit proxying arbitrary Airtable API requests via Membrane (expected for this integration).
Install Mechanism
There is no built-in install spec in the registry; SKILL.md tells users to run `npm install -g @membranehq/cli`. Installing a global npm package is a reasonable instruction for using a CLI, but global npm installs execute code from the public npm registry — verify the package identity, version, and source (e.g., GitHub repo) before installing. Because the skill is instruction-only and does not auto-download or execute code on installation, risk is moderate but expected for this type of integration.
Credentials
The skill declares no required environment variables or local config paths. It explicitly advises letting Membrane handle credentials and not asking users for API keys, which is proportionate for a connector-based integration.
Persistence & Privilege
The skill does not request always:true or any special platform-wide privileges. It is user-invocable and can be called autonomously by the agent (platform default), which is normal. There is no instruction to modify other skills or system-wide agent settings.
Assessment
This skill is internally consistent with an Airtable connector that uses the Membrane CLI. Before installing or following its instructions: 1) Verify the @membranehq/cli package and repository (confirm maintainer, version, and integrity) before running a global npm install. 2) Understand that Membrane acts as a proxy and will hold the Airtable credentials/server-side — review Membrane's privacy/security docs and the scopes requested during connector setup. 3) Be cautious with destructive actions (delete/update) — inspect action inputs and returned records before running destructive commands. 4) In sensitive environments prefer to pin CLI versions, audit the CLI code or installation source, and avoid installing global packages from unknown maintainers.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705mnna52b8grctv96fb23m9842ekg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments