Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Authlete

v1.0.0

Authlete integration. Manage data, records, and automate workflows. Use when the user wants to interact with Authlete data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (Authlete integration) aligns with instructions that use a connector (Membrane CLI) to manage Authlete resources. However, metadata declares no required binaries or credentials while the SKILL.md explicitly instructs installing the Membrane CLI via npm and performing an interactive login — a discrepancy between declared requirements and runtime instructions.
Instruction Scope
The SKILL.md limits runtime actions to installing/using the Membrane CLI, searching for an Authlete connector, and running connector commands. It does not instruct reading unrelated system files or env vars, but it does rely on the user/CLI to perform authentication flows and will operate with whatever account credentials are obtained via membrane login.
Install Mechanism
There is no formal install spec in the registry, but the instructions ask the user to run a global npm install (@membranehq/cli). Global npm installs execute code from the npm registry — a moderate-risk install mechanism that is expected for a CLI but should be validated (package origin, maintainers) before running.
Credentials
The skill declares no environment variables or primary credential, yet it requires the user to authenticate via the Membrane CLI. That CLI will manage and store credentials for the user's Membrane account and any connected services (including Authlete). Because the skill relies on that login, the effective credential access is broader than the metadata indicates and users should understand what account/permissions the CLI will receive.
Persistence & Privilege
The skill does not request 'always' presence or other elevated platform privileges. The only persistent change would be installing the Membrane CLI (if performed) and the CLI storing its own auth state — expected for a CLI-based integration.
What to consider before installing
This skill appears to be an instruction-only integration that relies on the Membrane CLI to talk to Authlete. Before installing or using it:

- Be aware the SKILL.md asks you to run `npm install -g @membranehq/cli` and to authenticate via `membrane login`. A global npm install runs code from the npm registry — verify the package (@membranehq/cli), its repository, and maintainers first.
- The registry metadata lists no required binaries or credentials, but the runtime instructions require npm and a Membrane account; treat that metadata discrepancy as a red flag.
- The Membrane CLI will handle and store authentication tokens for your account and will have access to whatever connectors you enable; only connect accounts/services you trust and prefer to do this in an isolated environment if you are cautious.
- Verify the homepage/repository, review the Membrane CLI docs, and confirm what permissions the connector will request from Authlete before proceeding.

If you want, I can: (1) fetch the Membrane CLI package page and repository so you can review its source/maintainers, or (2) extract and summarize the rest of the SKILL.md (it was truncated) to look for additional instructions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97983cka7hbagcgb2cy87k2ks84aqa9
