Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Brainshop

v1.0.2

BrainShop integration. Manage data, records, and automate workflows. Use when the user wants to interact with BrainShop data.

by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The SKILL.md describes a BrainShop integration and all runtime steps use the Membrane CLI to discover connections, run actions, and proxy API requests — this aligns with the declared purpose. The README points to BrainShop docs and Membrane as the intermediary, which is consistent.
Instruction Scope
Instructions are explicit about installing and using the Membrane CLI, performing login via browser, creating connections, listing actions, running actions, and proxying requests. They do not instruct reading unrelated files or exporting unrelated environment variables. A notable behavior: requests and authentication are routed through Membrane (the instructions say Membrane injects auth headers and refreshes credentials), so user data and credentials will transit and be managed by that service.
Install Mechanism
There is no automatic install spec in the registry; the doc tells the user to run `npm install -g @membranehq/cli`. This is a normal, user-initiated install from the public npm registry, but it requires elevated permissions for a global install and installs third-party code — verify the package and publisher before installing.
Credentials
The skill requests no environment variables or local credentials and explicitly instructs not to ask users for API keys. However, it requires a Membrane account and routes auth through Membrane, so the proportionality is reasonable but depends on whether you trust Membrane to hold/manage your BrainShop credentials.
Persistence & Privilege
The skill is instruction-only, has no install step in the registry, and does not request being always-enabled. It does not request elevated persistent privileges or modify other skills/configs.
Assessment
This skill delegates all work to the Membrane CLI — before installing: 1) Confirm you trust Membrane (getmembrane.com / @membranehq) since API requests and credentials will be handled by their service; 2) Verify the npm package name and publisher (avoid typosquatting) before running a global install; 3) Prefer using a test BrainShop account or limited-permission credentials when first trying this integration; 4) If your security policy forbids routing production data through third‑party proxies, do not use this skill.

Like a lobster shell, security has layers — review code before you run it.
