ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bamboohr

v1.0.2

BambooHR integration. Manage hris data, records, and workflows. Use when the user wants to interact with BambooHR data.

0· 279·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (BambooHR integration) match the instructions: the SKILL.md explains how to use the Membrane CLI to create a BambooHR connection, run actions, and proxy requests. No unrelated env vars or binaries are requested.
Instruction Scope
Instructions are focused on installing and using the Membrane CLI (login, connect, action run, proxy). They do not instruct reading arbitrary system files, scanning unrelated credentials, or exfiltrating data to unknown endpoints. The only external endpoint implied is the Membrane service (used as a broker) and BambooHR API.
Install Mechanism
This is an instruction-only skill (no automated install). It recommends installing @membranehq/cli via npm -g. Installing a global npm CLI is a reasonable step for this integration but carries the usual risk of installing code from a package registry; the skill itself does not perform any downloads or write files.
Credentials
The skill requests no environment variables or credentials itself. However it relies on a Membrane account and OAuth-style browser authentication that will give the Membrane service access to BambooHR data. Granting that broker access is the main privilege implication and should be judged by the user.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-wide changes or access to other skills' configs. It does not declare elevated privileges or force-autoinclusion.
Assessment
This skill appears internally consistent, but before installing or using it: 1) Verify the @membranehq/cli package and the Membrane service (homepage, npm package, and repository) are trustworthy and official. 2) Understand that you will grant Membrane access to your BambooHR account — review what scopes/permissions are requested and the broker's privacy/security policy. 3) Prefer manual installation of the CLI and perform login interactively (avoid pasting tokens into chat). 4) If you are concerned about an agent running this skill autonomously, restrict autonomous skill invocation or require explicit user confirmation before the agent makes network requests or runs CLI commands that access HR data.

Like a lobster shell, security has layers — review code before you run it.

latestvk970g58k289n8xhw7neqfp1p95842f7j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments