Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Backendless

v1.0.0

Backendless integration. Manage data, records, and automate workflows. Use when the user wants to interact with Backendless data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Backendless integration) matches the runtime instructions (use Membrane to talk to Backendless). However, the skill metadata declares no required binaries or credentials while SKILL.md depends on the @membranehq/cli being available (and on a Membrane account). This is an omission in the manifest and reduces transparency.
! Instruction Scope
The runtime instructions tell the user/agent to install and run the Membrane CLI, create connections, run actions, and (importantly) use Membrane's proxy to send arbitrary requests to Backendless. That means request bodies, responses, and authentication will be routed via Membrane's servers. The SKILL.md does not explicitly call out that request payloads or credentials are transmitted to Membrane's backend or how they are stored/retained. It also recommends running global npm installs and npx, which execute third‑party code.
! Install Mechanism
The skill is instruction‑only (no install spec recorded), yet it tells users/agents to run `npm install -g @membranehq/cli` or `npx @membranehq/cli@latest`. Installing global npm packages or running npx can execute arbitrary code from the npm registry. The manifest should have declared the CLI as a required binary or provided an official install spec; its absence reduces transparency and increases install‑time risk.
Credentials
The skill requests no environment variables or local credentials in its manifest, which is proportionate. However, because authentication is delegated to Membrane, sensitive credentials and request payloads will be handled by Membrane's service. The manifest does not declare that a Membrane account is required (SKILL.md mentions it), nor does it explain what data is transmitted/stored by Membrane—this is an important privacy/security consideration.
Persistence & Privilege
The skill does not request `always: true` and does not install code into the agent (instruction‑only). There is no manifest claim of persistent privileges or modifications to other skills/config. Runtime behavior relies on an external CLI and service but the skill itself does not demand elevated or persistent platform privileges.
What to consider before installing
Before installing or using this skill:
1) Understand that it routes Backendless API calls (and thus any data or auth tokens involved) through Membrane's service — verify you trust Membrane's provider and review their privacy/security docs.
2) The manifest did not declare the CLI dependency even though SKILL.md requires installing @membranehq/cli; treat that as a transparency gap.
3) Installing global npm packages or running npx executes third‑party code — avoid doing this on sensitive or production machines.
4) If you must use it, prefer a dedicated/test Backendless account, avoid sending highly sensitive data through the proxy, and verify connector IDs and actions returned by Membrane before running requests.
5) If you need higher assurance, ask the publisher for a manifest update that declares the CLI requirement and for explicit documentation on what Membrane logs/retains and where requests are proxied.
