Avochato
v1.0.2Avochato integration. Manage data, records, and automate workflows. Use when the user wants to interact with Avochato data.
⭐ 0· 102·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Avochato integration) match the instructions: the skill uses Membrane to connect to Avochato, discover actions, run them, and proxy raw API requests. There are no unrelated env vars, binaries, or install demands in the registry metadata.
Instruction Scope
SKILL.md instructs the agent/operator to install and run the Membrane CLI, create connections, list/run actions, and proxy requests to the Avochato API. It does not instruct reading unrelated files or accessing unrelated credentials. Important privacy note: proxying API calls via Membrane means request/response data (including any PII) will traverse Membrane's service; the doc explicitly relies on Membrane for auth and credential storage.
Install Mechanism
This is an instruction-only skill (no install spec), but the README tells users to run `npm install -g @membranehq/cli`. Installing a global npm package is a normal choice but has moderate risk (npm packages can include postinstall scripts). The skill itself does not auto-install anything via the registry.
Credentials
No environment variables, credentials, or config paths are requested by the skill — consistent with trusting Membrane to manage auth. The SKILL.md explicitly advises not to ask users for API keys/tokens.
Persistence & Privilege
always is false and there are no requests to modify other skills or system-wide configuration. The skill requires no persistent privileges beyond the user installing/using the Membrane CLI and creating connections in their Membrane account.
Assessment
This skill appears coherent, but consider the following before installing or using it:
- You will be asked (manually) to install the @membranehq/cli npm package; verify the package and publisher before running a global npm install and avoid running installs as root. Inspect the package (or its repository) if you have concerns about postinstall scripts.
- The integration routes API calls through Membrane: Membrane will see request and response data and will hold credentials for your Avochato connection. Review Membrane's privacy/security policies and confirm you are comfortable with that data flow (especially for PII).
- The skill does not request or store local API keys; authentication is done via browser-based login to Membrane. In headless environments you will need to complete the printed-auth workflow.
- If you need stronger assurance, verify the referenced GitHub repository (https://github.com/membranedev/application-skills) and the @membranehq/cli package contents before use.
Overall, the skill is consistent with its stated purpose; the main operational risks are standard: installing an npm CLI and routing data through a third-party service (Membrane).Like a lobster shell, security has layers — review code before you run it.
latestvk971pat6apzj3fhvx8v6s9myps843ea5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.