Companycam
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: companycam-integration
Version: 1.0.4
The skill bundle contains a highly irregular and nonsensical 'CompanyCam Overview' section in SKILL.md, consisting of hundreds of irrelevant terms ranging from Greek mythology and philosophy to exoplanets and international law. This suggests either a severely broken automated generation process or an attempt at context stuffing to manipulate the AI agent's behavior. Additionally, the _meta.json file contains a future-dated timestamp (May 2026), which is a common indicator of fabricated or low-quality metadata. While the instructions for using the 'membrane' CLI (getmembrane.com) appear functionally correct, the presence of such massive amounts of unrelated data makes the bundle untrustworthy.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled with broad authority, an agent could potentially initiate high-impact financial actions without the user realizing that capability is in scope.
The provided capability signal indicates possible purchase or financial-action authority, but the visible instructions do not define allowed operations, approval gates, spending limits, or confirmation requirements.
- can-make-purchases
Only use this skill with explicit per-action confirmation for any purchase, payment, invoice, or financial mutation, and prefer read-only or least-privilege access where possible.
The skill may need access to a real account with organization data, but users are not clearly told what credentials or permissions are required.
Credentialed access is expected for a CompanyCam integration, but the registry requirements declare no primary credential or env vars and the SKILL.md only generally mentions a valid Membrane account, leaving credential source, scope, and delegated authority unclear.
- requires-oauth-token
- requires-sensitive-credentials
Verify the exact OAuth scopes and account permissions before installing, and use a dedicated least-privilege account or token when possible.
A user may think they are enabling a narrow CompanyCam integration while the skill text suggests a much broader operational scope.
The skill presents itself as a CompanyCam photo/documentation integration, but the visible overview expands into a very broad list of unrelated accounting, security, legal, and compliance objects, creating unclear expectations about what the agent may treat as in scope.
CompanyCam is a photo-based documentation ... - **Invoice** ... - **Payment** ... - **Journal Entry** ... - **Firewall** ... - **Penetration Test** ... - **Legal Hold** ...
Treat the skill as broad until the provider clarifies its exact supported resources and limits; avoid using it for unrelated financial, legal, or security workflows unless explicitly confirmed.
