Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Conveyor

v1.0.2

Conveyor integration. Manage Organizations, Projects, Pipelines, Users, Goals, Filters. Use when the user wants to interact with Conveyor data.

by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill declares itself as a Conveyor integration and correctly directs use of the Membrane CLI to call Conveyor via a connector, which is coherent. However, the SKILL.md contains inconsistent items: the 'Official docs' link points to developer.conveyal.com (Conveyal, a different product), and the 'Popular actions' list includes many entries referencing a 'Trust Center', 'Knowledge Base', and other concepts that don't match a Conveyor packaging/distribution product. These inconsistencies suggest the doc was partly copied from other integrations and undermine trust that the skill's described capabilities match its actual intent.
Instruction Scope
The runtime instructions are narrowly scoped to installing and using the Membrane CLI, performing browser-based login, listing/creating connections and actions, and proxying requests to the Conveyor API via Membrane. The instructions do not ask for arbitrary file reads or extra environment variables. However, proxying requests means data will be sent to external endpoints (Conveyor API) and the CLI will manage credentials — users should understand that network auth and data flows are part of normal operation.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to install @membranehq/cli globally via npm (a public npm package). That is a reasonable, low-to-moderate-risk install path, but installing a global npm package runs third-party code on the host — users should verify the package and its source before installing.
Credentials
The skill declares no required env vars or credentials. Authentication is performed interactively via 'membrane login' in a browser, which is proportional to a connector-based integration. There are no hidden env-var requests in the instructions. Note: the CLI will hold credentials and perform proxied API calls on the user's behalf.
Persistence & Privilege
Flags show no forced persistence (always: false) and the skill is user-invocable. The SKILL.md does not instruct modifying other skills or global agent settings. Autonomous invocation is permitted by platform default but is not combined with other red flags here.
What to consider before installing
This skill mostly tells the agent to use the Membrane CLI to talk to Conveyor, which is expected for a connector-style integration. However, the documentation contains clear inconsistencies (wrong official docs link to 'conveyal' and action names referencing a 'Trust Center' and other unrelated items). Before installing or using this skill:

1) Verify the publisher and source: confirm the Membrane CLI package (@membranehq/cli) is legitimate on npm and inspect its repository.
2) Ask the skill author to clarify the mismatches (correct Conveyor API docs, and a coherent action list).
3) If you install the CLI, do so on a machine/account where you trust the package, since npm global installs execute third-party code.
4) Be aware that using the skill requires logging into Membrane in a browser and will allow Membrane to proxy requests to Conveyor (so any data you send via proxy will go to external endpoints).

If you need high assurance, request a corrected SKILL.md or prefer an officially verified Conveyor integration.
