ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Boostai

v1.0.2

Boost.ai integration. Manage data, records, and automate workflows. Use when the user wants to interact with Boost.ai data.

0· 71·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (Boost.ai integration) matches the runtime instructions (use Membrane CLI to connect and proxy requests to Boost.ai). However the package metadata claims no required binaries or installs, while SKILL.md explicitly instructs installing the '@membranehq/cli' npm CLI. That mismatch between declared requirements and actual instructions is unexpected.
Instruction Scope
Instructions stay within the Boost.ai integration scope (discover actions, run actions, or proxy requests). Important runtime behavior: proxy requests are sent through Membrane, which will receive request paths, headers, and bodies — potentially including sensitive user data. The SKILL.md does not enumerate what data may be transmitted to Membrane or provide an explicit privacy/consent warning.
!
Install Mechanism
There is no install spec in the registry metadata, yet the instructions tell users to run a global npm install ('npm install -g @membranehq/cli'). Global npm installs modify the system environment and fetch code from the public npm registry; the registry package origin, publisher, and integrity are not verified in the SKILL.md. This is a moderate-risk install step that should be declared in metadata and accompanied by publisher/repo verification and guidance.
Credentials
The skill declares no required environment variables or credentials and the SKILL.md explicitly advises not to collect user API keys, instead using Membrane-managed connections. That is proportionate. Note: a Membrane account (and browser-based authentication) is required, which grants Membrane access to connected services on your behalf.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. The only persistent effect described is installing the Membrane CLI if a user follows the instructions — this is normal but should be considered a system-wide change (global npm install).
What to consider before installing
This skill looks like a straightforward wrapper that uses the Membrane CLI to manage Boost.ai, but before installing you should: (1) verify the @membranehq/cli package on npm and the linked GitHub repository to ensure the publisher is legitimate and the code is expected; (2) be aware that using 'membrane request' proxies your API calls (headers, paths, and bodies) through Membrane's servers — don't send sensitive secrets or PII until you trust their data handling; (3) prefer installing tools in an isolated environment (container or VM) rather than doing a global 'npm install -g'; (4) ask the skill author/maintainer to add an install spec and declare the 'membrane' binary as required in the registry metadata and to document exactly what data is transmitted to Membrane. If you want higher confidence, provide the npm package link or repository commit hash so the installer and package contents can be reviewed.

Like a lobster shell, security has layers — review code before you run it.

latestvk974scd5x3rq9e26rjyk1yakv5842f6x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments