ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Complianceai

v1.0.2

Compliance.ai integration. Manage data, records, and automate workflows. Use when the user wants to interact with Compliance.ai data.

0· 69·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with using Membrane to talk to Compliance.ai. However the registry metadata declares no requirements while SKILL.md explicitly requires network access, a Membrane account, and installation/use of the @membranehq/cli — a mismatch between declared requirements and actual instructions.
Instruction Scope
Instructions stay within the stated purpose (discover actions, run actions, proxy API calls via Membrane). But the 'membrane request' proxy can be used to send arbitrary requests through the user's Membrane connection, which is more powerful than simple read-only queries and could be misused to exfiltrate or modify data if the connection has broad permissions.
Install Mechanism
This is an instruction-only skill (no install spec), but it tells the user to run 'npm install -g @membranehq/cli'. Installing a global npm package is a moderate-risk action (code is fetched and executed locally). The CLI package referenced appears to be the expected provider, but the registry metadata does not list this dependency.
Credentials
The skill requests no environment variables or local credentials and explicitly advises against asking users for API keys, relying instead on Membrane-managed connections. That is proportionate — but it shifts trust to the user's Membrane account and the CLI package.
Persistence & Privilege
always is false and there is no indication the skill requests permanent platform-level privileges or modifies other skills. Autonomous invocation is allowed by default but is not combined with other high-risk privileges here.
What to consider before installing
Before installing or using this skill: (1) verify you trust Membrane and the @membranehq/cli package (review the npm package and the repository linked in SKILL.md). (2) Be aware the SKILL.md requires network access, a Membrane account, and installing a global npm CLI — the registry metadata did not declare these requirements. (3) Understand that 'membrane request' will proxy arbitrary HTTP requests through your Membrane connection; ensure that the connection has only the permissions you intend and avoid using this skill with an account that has broad write/delete privileges. (4) If you want tighter controls, ask the skill author to update metadata to declare required binaries and network, and limit agent autonomy or review each generated command before execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ap73zts792bynanqj1mka0184363g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments