Crobox
v1.0.0Crobox integration. Manage data, records, and automate workflows. Use when the user wants to interact with Crobox data.
⭐ 0· 51·0 current·0 all-time
byVlad Ursul@gora050
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Crobox integration) align with the instructions: all commands target Membrane (a proxy/connector) to interact with Crobox. Required capabilities (network access and a Membrane account) are proportional to the task.
Instruction Scope
SKILL.md instructs installing/running the Membrane CLI, creating connections, listing actions, running actions, and proxying requests. It does not instruct reading unrelated files, environment variables, or sending data to endpoints outside Membrane/Crobox.
Install Mechanism
No formal install spec in the registry (instruction-only), but the doc asks the user to npm install -g @membranehq/cli (or use npx). Installing a global npm CLI is expected for this workflow but carries the usual risks of running third‑party code; this is expected given the described design.
Credentials
The skill declares no required env vars or credentials and explicitly defers auth to Membrane. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and there are no instructions to modify other skills or system-wide configs. Autonomous invocation is allowed by default and is not excessive here.
Assessment
This skill is coherent and appears to do what it says: it instructs you to use the Membrane CLI to talk to Crobox. The primary trust boundary is the Membrane service and the @membranehq/cli npm package you will install. Before installing/using it: (1) verify the npm package and its publisher (review the package on npm and the GitHub repo linked in the SKILL.md); (2) prefer running via npx or in an isolated environment/container if you do not want a global install; (3) be aware a global npm install executes third‑party code with your user privileges—avoid on sensitive hosts; (4) confirm the browser-based auth prompts are legitimate when creating connections; and (5) if you need higher assurance, review the CLI source or run it in a restricted environment. The registry entry's source is listed as unknown—if you rely on this in production, further verification of the repository/owner is recommended.Like a lobster shell, security has layers — review code before you run it.
latestvk979vrs05yc7fwmskc3rh46q9n84fhm7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.