ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Concord

v1.0.2

Concord integration. Manage data, records, and automate workflows. Use when the user wants to interact with Concord data.

0· 87·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description (Concord integration) match the instructions, which exclusively describe using the Membrane CLI to manage Concord connections, actions, and proxy requests. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md limits runtime actions to installing/using the Membrane CLI, performing login flows, creating connections, listing/running actions, and proxying API requests to Concord via Membrane. It does not instruct reading arbitrary local files or requesting unrelated credentials. It does rely on network access and a browser-based auth flow.
Install Mechanism
The doc recommends installing @membranehq/cli via npm -g. That is a normal approach but requires network access, npm permissions (global install), and trust in the @membranehq package published to the npm registry. The registry metadata contains no automated install spec—installation is an external step the user must run.
Credentials
The skill declares no required env vars or secrets and explicitly advises against asking users for API keys. It does require a Membrane account and browser-based authentication to create a Concord connection, which places trust in the external Membrane service to manage credentials.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and allows normal autonomous invocation (platform default). It does not request system-wide config modifications or access to other skills' credentials.
Assessment
This skill is coherent: it simply documents using the Membrane CLI to connect to Concord. Before proceeding, confirm you trust the Membrane service and the npm package @membranehq/cli (check the npm/org and GitHub links). Installing the CLI globally requires npm permissions and network access. The login flow opens a browser or prints a code for headless setups—be aware the auth will create connections managed by Membrane (server-side storage of tokens). If you permit an autonomous agent to run these commands, it could perform login/connect/run actions on your behalf, so only enable autonomous invocation for trusted agents and accounts.

Like a lobster shell, security has layers — review code before you run it.

latestvk979xr04gsyrr2f4rb8xj6hteh843aya

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments