ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Assertible

v1.0.0

Assertible integration. Manage data, records, and automate workflows. Use when the user wants to interact with Assertible data.

0· 50·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill aims to integrate with Assertible and all described actions (listing actions, running actions, proxying requests) map to that purpose. It uses Membrane as a proxy layer to talk to Assertible which is a plausible design choice.
!
Instruction Scope
SKILL.md instructs the agent/operator to install and use the Membrane CLI, run commands that open a browser for login, create connections, list and run actions, and proxy requests. The instructions themselves do not ask for unrelated files or secrets, but they assume availability of npm/node and a browser, and they direct the operator to perform authentication flows — these platform assumptions are not declared in the registry metadata.
!
Install Mechanism
There is no install spec in the registry, yet SKILL.md explicitly tells users to run `npm install -g @membranehq/cli` (and suggests using npx in places). That implies writing binaries to disk (global npm install) and requires npm/node. The absence of a declared install step in the registry is an inconsistency and raises risk because the skill effectively requires a global package install without making that explicit to the platform.
Credentials
The skill requests no environment variables or secrets in registry metadata and the instructions explicitly advise not asking users for API keys (Membrane manages auth). Using Membrane means the operator must authenticate via a browser flow; no direct credential environment access is requested by the skill itself.
Persistence & Privilege
The skill is not forced always-on, has no special OS restrictions, and does not request writing to or modifying other skills' configs. Autonomous invocation is allowed (platform default) but is not combined with always:true or broad credential requests.
What to consider before installing
This skill appears to be a valid Assertible integration that uses Membrane as a proxy, but there are important mismatches to note before installing: (1) SKILL.md expects you to install the Membrane CLI globally (npm install -g), but the registry lists no install requirements — installing global npm packages modifies your system and should be inspected first. (2) The workflow requires a browser-based login (or headless completion codes) and grants Membrane access to Assertible on your behalf; verify you trust getmembrane.com/@membranehq and the referenced repository before proceeding. If you want tighter control, ask the skill author to declare the install spec, or only run it in an environment where you can review the @membranehq CLI code first (or use npx to avoid a global install). Finally, confirm you are comfortable with Membrane handling your Assertible credentials rather than the skill asking for API keys directly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bv1hsmc1kvx36yf9v9jryyn8452xq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments