Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Checkvist

v1.0.2

Checkvist integration. Manage Lists, Tags, Users, Teams. Use when the user wants to interact with Checkvist data.

by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say "Checkvist integration" and the SKILL.md exclusively instructs using the Membrane CLI to connect to Checkvist. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
Instructions are limited to installing/running the Membrane CLI, creating a connection, listing actions, running actions, and proxying requests to Checkvist via Membrane. They do not request arbitrary file reads, unrelated environment variables, or external endpoints beyond Membrane/Checkvist.
Install Mechanism
The install step recommends npm install -g @membranehq/cli (a public npm package). This is a standard approach but does write a global binary and has the usual npm trust implications; it's proportionate to the skill's functionality.
Credentials
The skill declares no required env vars or credentials and relies on Membrane for auth. That matches the stated guidance to create a connection rather than storing API keys locally.
Persistence & Privilege
always is false and the skill is user-invocable. There is no indication it modifies other skills or requires permanent platform-wide presence.
Assessment
This skill is instruction-only and delegates auth and API access to the Membrane service. Before installing/using it: 1) confirm you trust @membranehq/cli on npm and the Membrane service (they will be able to proxy requests to your Checkvist account and thus access your data); 2) if you prefer not to install a global npm package, use npx or a local install; 3) review permissions requested during the browser login for the Checkvist connector; and 4) consider using an isolated environment (container/VM) if you are cautious about adding global binaries.


latest: vk97fanqf029fd68yfwmwygt9q5843bjg
