ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Control D

v1.0.2

Control D integration. Manage data, records, and automate workflows. Use when the user wants to interact with Control D data.

0· 60·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with using Membrane to access Control D. However, the registry metadata claims no required binaries while the SKILL.md assumes npm and the Membrane CLI are available (or will be installed). That mismatch is minor but worth noting.
Instruction Scope
Runtime instructions are focused on discovering connections and running proxied Control D API actions via Membrane. The instructions do not ask the agent to read unrelated files or exfiltrate arbitrary data, and they explicitly advise against collecting user API keys.
Install Mechanism
No automated install spec is included; instead SKILL.md asks the user to run `npm install -g @membranehq/cli` and/or use `npx`. Installing a global npm package executes third-party code on the host and has moderate risk — verify the package and repository before installing and prefer running in an isolated or controlled environment.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md relies on browser-based Membrane authentication and server-side credential handling, which is proportionate to the stated functionality.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; autonomous invocation is allowed by default on the platform but is not combined here with other broad privileges or credential access.
What to consider before installing
This skill appears to do what it says (use Membrane to talk to Control D), but pause before installing/running anything: - Verify the Membrane CLI package (@membranehq/cli) and the upstream project (getmembrane.com and the GitHub repo referenced) are legitimate and untampered. Check package maintainers and release history. - Installing a global npm package runs third-party code with your user privileges. If you proceed, consider using npx (temporary execution), a contained environment (container/VM), or at least inspect the package source first. - The skill expects you to authenticate via browser; it does not ask for API keys or secrets. Do not paste secrets into chat or local prompts unless you trust the tool. - Note the minor metadata inconsistency: the skill did not declare required binaries (npm/membrane) even though the instructions use them. If you need higher assurance, ask the publisher for an explicit install spec or a packaged release you can audit.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ge8pr3c9btm2n7k50vyv9s842c6y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments