ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Codemagic

v1.0.2

Codemagic integration. Manage data, records, and automate workflows. Use when the user wants to interact with Codemagic data.

0· 87·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md clearly documents a Codemagic integration implemented via the Membrane CLI and Membrane-managed connections; this matches the name/description. However, the skill metadata lists no required binaries or accounts while the instructions explicitly require network access and installing/running the 'membrane' CLI and creating a Membrane account/connection. The missing declaration of the required 'membrane' CLI and network/account requirement is an inconsistency.
Instruction Scope
Instructions are narrowly scoped to using the Membrane CLI: install it, login, create/list connections, list/run actions, and optionally proxy API requests through Membrane. They do not instruct reading unrelated files, grabbing arbitrary local secrets, or transmitting local data outside of Membrane/Codemagic flows. The proxy capability lets you call arbitrary Codemagic endpoints via Membrane, which is expected for an integration.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md instructs users to run 'npm install -g @membranehq/cli'. Installing a global npm package is a moderate-risk action (downloads third-party code); the package is from the public npm ecosystem which is traceable, but the skill metadata should have listed the dependency. The absence of a packaged install spec means no automated vetting by the registry.
Credentials
The skill declares no required env vars or primary credential and the instructions explicitly emphasize using Membrane connections instead of local API keys. Requesting a Membrane account and network access is proportional to the stated purpose. No unrelated credentials or broad environment access are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not declare any special persistence or modifications to other skills or system configuration. Autonomous invocation is allowed (platform default) and is not by itself a problem here.
What to consider before installing
This skill appears to do what it says (manage Codemagic via Membrane), but note two practical cautions: (1) SKILL.md requires installing the Membrane CLI ('npm install -g @membranehq/cli') and creating a Membrane account/connection — the registry metadata did not declare the CLI as a required binary, so verify you are comfortable installing and trusting that npm package before proceeding. (2) The Membrane proxy can send arbitrary requests to the Codemagic API once connected; avoid providing unrelated local secrets or exposing sensitive data. Suggested steps before installing: verify the npm package and homepage (getmembrane.com/@membranehq) are legitimate, review the package's npm/github repo and recent releases, prefer installing in a controlled environment (container or dedicated VM) if you want to limit risk, and confirm you do not need to supply any non-Membrane credentials locally.

Like a lobster shell, security has layers — review code before you run it.

latestvk971b9q5gmb6htd6rjy50y79j1842v3m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments