ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Basiq

v1.0.0

Basiq integration. Manage data, records, and automate workflows. Use when the user wants to interact with Basiq data.

0· 24·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Basiq integration) aligns with the instructions: all operations are performed via the Membrane CLI (search/connect/action/request) which is the expected tool for proxying to Basiq. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md confines runtime behavior to installing/using the Membrane CLI, logging in, creating/using a Basiq connection, listing and running connector actions, and proxying requests to Basiq via Membrane. It does not instruct reading local files, harvesting unrelated environment variables, or sending data to unexpected endpoints.
Install Mechanism
There is no formal install spec (instruction-only), but the doc asks the user to run an npm global install (npm install -g @membranehq/cli) or npx commands. Installing an npm package globally is a normal requirement for a CLI but carries the usual supply-chain risk (npm packages run code on install). This is expected for a CLI-driven skill but users should verify the package and publisher.
Credentials
The skill declares no required environment variables or credentials and explicitly advises letting Membrane manage credentials. That is proportionate to the stated purpose (Basiq access via Membrane).
Persistence & Privilege
The skill is not force-included (always: false) and is user-invocable. Autonomous invocation is allowed (platform default) but there is no evidence here that the skill requests elevated persistence or edits other skills' config.
Assessment
This skill is an instruction-only adapter that relies on the Membrane CLI to access Basiq, which is coherent with its description. Before installing or running it: (1) verify the Membrane CLI package and its publisher (npm/@membranehq) and prefer using npx or a pinned version if you are cautious about global installs; (2) review Membrane's privacy and permissions since connections grant access to financial data — prefer testing with a throwaway/test account; (3) be aware that installing an npm CLI runs code on your machine (supply-chain risk); and (4) if you want the agent to act autonomously, consider limiting scope or approving actions interactively. The scanner had no code to analyze (instruction-only), so manual review of the Membrane CLI/package is the primary security step.

Like a lobster shell, security has layers — review code before you run it.

latestvk977b12899kb1g577afdpfj86n847wck

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments