Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cartql
v1.0.0
CartQL integration. Manage data, records, and automate workflows. Use when the user wants to interact with CartQL data.
by Vlad Ursul @gora050
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (CartQL integration) match the instructions: all runtime steps use the Membrane CLI to discover connectors, create connections, run actions, and proxy requests to CartQL. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md confines itself to installing/using @membranehq/cli, running membrane login, connecting to CartQL, listing actions, running actions, and proxying requests. It does not instruct reading arbitrary files, harvesting environment variables, or sending data to unexpected endpoints outside Membrane/CartQL.
Install Mechanism
There is no registry install spec (skill is instruction-only). The README recommends a global npm install of @membranehq/cli or using npx. That is expected for this integration but carries the usual moderate risk of executing code from the public npm registry—verify the package provenance before installing globally.
Credentials
The skill requests no environment variables or local credentials. It relies on Membrane's browser-based login flow and server-side credential handling, which is proportionate to its purpose.
Persistence & Privilege
The skill is not always-enabled, requests no persistent system modifications, and relies on the standard autonomous invocation setting (disable-model-invocation: false) which is normal for skills.
Assessment
This skill appears coherent and limited to using the Membrane CLI to talk to CartQL. Before installing/using it: (1) verify the @membranehq/cli package on npm and its GitHub repo to ensure you trust the publisher; (2) prefer using npx or a local install if you want to avoid a global npm install; (3) understand that authentication uses a browser flow and that Membrane will hold and refresh the CartQL credentials server-side—do not paste or store unrelated secret keys into CLI flags; (4) if you have security concerns, test the CLI in a sandbox environment or review its source code before granting account access. Overall this skill's instructions and requirements match its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
