Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aloha Pos

v1.0.0

Aloha POS integration. Manage data, records, and automate workflows. Use when the user wants to interact with Aloha POS data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to integrate with Aloha POS and all runtime guidance uses the Membrane CLI and Membrane-managed connections, which is coherent with the stated purpose. However, the SKILL metadata did not declare required binaries even though the instructions tell the user to install the Node/npm-based @membranehq/cli and use npx; that omission is an inconsistency.
Instruction Scope
SKILL.md stays focused on Aloha POS workflows and using Membrane actions/requests. It does instruct arbitrary proxy requests via 'membrane request CONNECTION_ID /path/to/endpoint', which is expected for a proxy feature but means the agent (when allowed to run actions) can call arbitrary Aloha endpoints — review and approve actions that access sensitive POS data.
Install Mechanism
There is no registry install spec, but the instructions ask the user to run 'npm install -g @membranehq/cli' and to use npx. Installing a global npm package is a real install step but wasn't declared in the skill metadata. Installing third-party CLI tools carries moderate risk; verify the package source (npm package and upstream repo) before installing.
Credentials
The skill declares no required environment variables or credentials and explicitly advises not to ask users for API keys, relying on Membrane for auth. That is proportionate. Note that using Membrane means your Aloha POS credentials and any proxied data will be handled by Membrane's service.
Persistence & Privilege
always:false and standard model invocation are set. The skill does not request persistent system-wide privileges or config paths. Be aware that the agent can invoke the Membrane CLI and perform network actions when allowed; consider restricting autonomous invocation if you want manual oversight.
What to consider before installing
Before installing:
(1) Verify the @membranehq/cli package and its upstream repository (review the npm page and GitHub source) because SKILL.md instructs a global npm install that wasn't declared in metadata.
(2) Understand that Membrane acts as a cloud proxy: your Aloha POS credentials and any proxied data will be handled by Membrane — ensure you trust that vendor and their privacy/security posture.
(3) Because the skill allows arbitrary proxy requests, avoid letting the agent run autonomously on sensitive tasks unless you have controls and approvals in place.
(4) Ensure you have npm/node available where you plan to run commands, and prefer installing CLI tools in a controlled environment (container or VM) if you have any doubt.
(5) If you want higher assurance, ask the publisher for a declared install spec and for the package repo/commit used by the CLI so you can audit it; absence of those details increases risk.

Like a lobster shell, security has layers — review code before you run it.
