Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cloudinary
v1.0.2Cloudinary integration. Manage data, records, and automate workflows. Use when the user wants to interact with Cloudinary data.
⭐ 0· 89·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md clearly implements a Cloudinary integration by instructing the agent to use the Membrane CLI to connect, run actions, and proxy API requests — that matches the declared purpose. However, the registry metadata lists no required binaries or dependencies while the runtime instructions require installing Node/npm global package @membranehq/cli and a Membrane account. The omission of these declared requirements is inconsistent.
Instruction Scope
Instructions are scoped to installing the Membrane CLI, logging in, creating a Cloudinary connection, running actions (including destructive ones like destroy-asset/delete-folder), and proxying API requests. The instructions do not ask the agent to read unrelated files or exfiltrate data. They do instruct the user/agent to perform operations that can modify or delete Cloudinary assets — which is expected for this skill but worth noting.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md tells the user to run `npm install -g @membranehq/cli` (a public npm package). Relying on the user/agent to run a global npm install is moderate risk and should have been declared as a dependency/binary requirement in the metadata. The install source (npm) is a known registry (not a random URL), so not high-risk, but the missing declaration reduces clarity and safety.
Credentials
The skill does not request any environment variables or secrets in metadata, and the instructions explicitly advise not to ask users for Cloudinary API keys (Membrane is used to manage credentials). This is proportionate: the skill relies on the Membrane-managed connection model rather than requiring raw user credentials.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not instruct modifying other skills or system-wide settings. Autonomous invocation is allowed by default (disable-model-invocation:false), which is normal — no additional persistence privileges are requested.
What to consider before installing
This skill appears to do what it says (Cloudinary via Membrane) but the package metadata is missing key runtime requirements. Before installing or running it: 1) ensure you or the agent have Node/npm available and understand that SKILL.md expects you to run `npm install -g @membranehq/cli`; 2) confirm you're willing to grant the Membrane CLI browser-based access to your accounts (it manages Cloudinary credentials server-side); 3) be aware actions can modify or delete assets (e.g., destroy-asset, delete-folder) — test with a non-production account first; 4) since there is no formal install spec, prefer to install the Membrane CLI yourself from the official npm package and review its documentation; and 5) if you want the skill metadata to be accurate, ask the publisher to declare required binaries/dependencies and an install spec so the surface is clearer.Like a lobster shell, security has layers — review code before you run it.
latestvk97fsxr6m9q29jjbrf0smw7xk1843qpc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.