ClawHub

Coupa Pay

v1.0.2

Coupa Pay integration. Manage data, records, and automate workflows. Use when the user wants to interact with Coupa Pay data.

0· 47·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description match the instructions: it teaches use of the Membrane CLI to interact with Coupa Pay. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
The SKILL.md tells the agent to install and use the Membrane CLI, create connections, list/run actions, and proxy API requests via Membrane. These actions are within scope, but they will transmit Coupa Pay requests and data through Membrane's service (explicitly stated), so the runtime will involve networked data flow to a third party.
Install Mechanism
There is no install spec in the package metadata (skill is instruction-only). The guide recommends installing @membranehq/cli via npm (a public registry package). This is a normal approach but does require installing a global npm package which has the usual trust/privilege implications.
Credentials
The skill declares no required env vars or config paths and explicitly instructs not to request API keys from users, relying on Membrane to manage credentials server-side. The requested access (a Membrane account and network) is proportionate to the stated functionality.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not try to modify other skill or system configurations. It is user-invocable and can be used autonomously per platform defaults, which is expected.
Assessment
This skill is coherent: it uses the Membrane CLI as a proxy to talk to Coupa Pay and does not ask for your Coupa credentials directly. Before installing or using it: (1) confirm you trust Membrane (https://getmembrane.com) because your Coupa Pay requests and data will flow through their service; check their privacy, security, and compliance posture for your organization; (2) verify the npm package publisher and version before running npm -g; (3) install the CLI in an account/environment where you are comfortable granting network access and where installing global npm packages is allowed; (4) avoid pasting secrets into prompts unless you understand where they are stored; and (5) if you need higher assurance, ask for an audit or request that the organization host its own connector/service rather than using a third-party SaaS proxy.

Like a lobster shell, security has layers — review code before you run it.

latestvk9721wywwh4q1w0szna7sq03t9843313

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments