Clickhelp
v1.0.2
ClickHelp integration. Manage data, records, and automate workflows. Use when the user wants to interact with ClickHelp data.
by Vlad Ursul @gora050
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description promise ClickHelp integration and the SKILL.md consistently instructs the agent to use the Membrane CLI to access ClickHelp resources and actions. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
Instructions tell the agent to install and run the @membranehq/cli, log in, create/connect to a ClickHelp connector, list and run actions, and proxy arbitrary ClickHelp API endpoints. This is coherent with managing ClickHelp data, but the documented actions include destructive operations (delete-topic, create-user, publish-project). The skill does not instruct reading local files or unrelated secrets.
Install Mechanism
There is no formal install spec in the registry; the README instructs users to run `npm install -g @membranehq/cli`. Pulling a global npm package is a common pattern but does install code to the host and gives that package runtime privileges. The package comes from the public npm registry (moderate risk) — verify package provenance if you plan to install.
Credentials
The skill requests no environment variables or direct credentials; instead it relies on Membrane to handle authentication via browser login. That is proportionate to its purpose, but it centralizes ClickHelp credentials in a third‑party service (Membrane) — you must trust Membrane with stored credentials and token refresh.
Persistence & Privilege
always:false (not force-enabled). disable-model-invocation is false (default) which allows autonomous invocation; this is platform standard. Be aware autonomous agent runs could perform API actions (including destructive ones) via the Membrane connector if granted access.
Assessment
This skill appears to do what it says: it uses the Membrane CLI as a proxy to ClickHelp. Before installing or using it: (1) confirm you trust Membrane (getmembrane.com) because browser login will delegate ClickHelp credentials to that service; (2) review the npm package (@membranehq/cli) provenance before running a global install; (3) avoid using in production accounts until you've tested in a safe environment — the skill can run destructive actions (delete-topic, create-user, publish) once authorized; (4) prefer granting least privilege on the ClickHelp side and monitor connector activity. If you need higher assurance, request the package source, audit the Membrane privacy/security docs, or run operations through a restricted test ClickHelp account.
Like a lobster shell, security has layers — review code before you run it.
