Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Breathe

v1.0.0

Breathe integration. Manage data, records, and automate workflows. Use when the user wants to interact with Breathe data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to be a Breathe (HR) integration and its instructions consistently rely on the Membrane CLI to discover and run connector actions against Breathe, which is coherent. Minor inconsistency: the 'Official docs' link points to Apple WatchOS 'Breathe' docs (unrelated), which looks like a copy/paste error but does not change the core behavior.
Instruction Scope
SKILL.md only instructs the agent to install/run the Membrane CLI, authenticate via browser, list connections/actions, run actions, and proxy API requests through Membrane. It does not instruct reading unrelated local files or environment variables. The proxy feature allows arbitrary paths against the target API (intended), so verify you trust Membrane to handle the requests.
Install Mechanism
This is an instruction-only skill (no install spec), but it tells users to run 'npm install -g @membranehq/cli' (or npx). Global npm installs are common but have system-wide effects; the package is from the @membranehq scope (public npm) which is moderate-risk compared with a vetted OS package—verify package provenance before installing.
Credentials
The skill declares no required environment variables or credentials and explicitly advises letting Membrane manage auth. The lack of requested secrets is proportionate to the stated behavior.
Persistence & Privilege
The skill does not request permanent/always-on presence and has default invocation settings. Note: autonomous invocation is allowed by platform default, which is normal; combine with other red flags only if they appear.
Assessment
Before installing:
1) Confirm you trust Membrane and the @membranehq/cli npm package (check the package page, repository, and the getmembrane.com homepage).
2) Be aware the CLI requires network access and will open a browser for authentication (or use headless flow).
3) If you prefer not to install globally, use 'npx @membranehq/cli' or run inside an isolated environment/container.
4) Understand that Membrane will proxy requests to the Breathe API and hold auth server-side—so review their privacy/security policy if the data is sensitive.
5) Note the SKILL.md contains an unrelated Apple 'Breathe' docs link (likely a doc error); that alone is not malicious but you may want to confirm the repository/package provenance if you have security concerns.

Like a lobster shell, security has layers — review code before you run it.
